Advances in graphics processing for both video games and crypto-currency mining have given us exceptional computing power to attack hashing algorithms, a foundational element of many of the security protections we use today. In this talk we'll explore how GPUs can be used in a security context, mostly by the bad guys.
What Video Games and BitCoin Did To The World Of Security... On Accident
1. How Video Games and BitCoin
Changed the World of
Security… On Accident
Ben Finke and Oleg Laskin
@benfinke and @dagger3d
2. Standard Disclaimer
During this talk we will discuss techniques for obtaining passwords and
methods for weakening cryptographic controls. You shouldn’t do this
unless you have permission from the owner of the system to test. Laws
vary from state to state and country to country, so you should consult
your attorney before conducting any of these activities.
Encryption could very well be illegal by the time we give this talk.
Onward!
3. A bit about me…
Oleg Laskin
▪ Computer Geek over 20 years
▪ Security Evangelist
▪ Hacker / tinkerer
Twitter - @dagger3d
4. A bit about me…
Ben Finke
@benfinke (if you’re in to that sort of thing)
InfoSec nerd for at least 12 years
Blog occasionally at blog.benfinke.com
Big fan of learning, sharing, and creating – especially in security
5. So… BitCoin and Video Games?
What could those things possibly have to do with passwords and crypto?
Graphics Processing Units (GPUs)
This little card has 8 GB of RAM (!) on its own.
Has the ability to combine processing power
using a technology called “Crossfire”.
It’s really good at doing the math needed to
make polygons for stunningly realistic video
game graphics. This one can do it in 4K too!
6. Polygons?
▪ Usually (but not always) triangle shapes
▪ The more you have, the smoother the object looks
▪ Expressed as math functions – the video card renders on the fly
7. GPU Processing Power
Our video card friend from a few slides ago is capable of pushing
incredibly complex graphics, which of course simply means it is highly
adept at doing lots of math, really quickly.
Better than a general purpose CPU even.
I wonder what other kind of things out there require lots of math
horsepower?
8. BitCoin
▪ A digital currency developed to work without a central bank
▪ Uses blockchains to keep track of transactions
▪ The bitcoins in the system are created by mining – donating
computer processing power to record transactions into the
blockchain
▪ The mining process requires lots and lots of hashing, which is, well,
math.
9. Switching Gears – Password Storage 101
Let’s say we run a website that helps people keep track of something
important, like how many food trucks they’ve eaten at.
10. Storing Passwords (cont.)
We plan on spending virtually no time making the site secure. Our
customers might be mad when their accounts are breached though.
Ah ha, hashes to the rescue!
11. A hash is a hash is a hash is a hash…
If the hash function is known, and the same starting password turns
into the same hash every time….
12. A little on hash algorithms
▪ How it all began - History of hashes
– Password lists
▪ 1960’s MIT Time Sharing Computer Systems
▪ First network accessible password lists
– PL/I scramble_ on Multics and UNIX
▪ Came up with idea to scramble passwords
– square the PIN then discard some bits
▪ Later replaced by PL/I scramble_
– Crypt with DES
13. A little on hash algorithms - difference
▪ MD5
– 7c6a180b36896a0a8c02787eeafb0e4c
▪ SHA1
– e38ad214943daad1d64c102faec29de4afe9da3d
▪ SHA256
– 0b14d501a594442a01c6859541bcb3e8164d183d32937b851835442f69d5c94e
▪ BCRYPT with random salt
– $2y$10$8cgvAygXKNrmPUtnQTOS3.mlsAqnilFwdvDdwtyxZAHJnAzsfsJWq
▪ BCRYPT with salt 1A2B3C4D5E6F1A2B3C4D5
– $2y$10$1A2B3C4D5E6F1A2B3C4D5.b0S2ceDbPrbtqq4QFeDXOfsEucIY9Fq
14. A little on hash algorithms
▪ Hash criteria
– One-way function
▪ It should be hard to find plaintext
– Collision resistance
▪ Should be hard to find two strings that will result in the same hash
▪ Birthday attack
– Hard to find a specific birthday in a group of 23
– Easy to find two people with same birthday in same group
15. How well are those sites protecting your
passwords
Pastebin and other hash dumps
16. How password hashes are cracked
▪ password list
– Large list of commonly used passwords
– Very fast, somewhat effective
▪ rules-based
– often combined with password list
– generates hashes based on commonly used password sequences
▪ Word123!
▪ w0rdw0rd
– Somewhat fast and very effective
▪ bruteforce
– generate random passwords
– can be based on rules
– very slow and almost 100% effective
▪ rainbow tables
– large list of precomputed hashes
– relatively fast
– can be very effective for simpler passwords of pretty good length
17. Storing Passwords – Pass the Salt
▪ Actually, using a salted hash is a very secure way to store passwords
▪ Unique salt for each password stored
▪ Oh yeah, and the salt needs to be protected too!
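The difference between an unsalted hash and a unique salt per password, as an added example that is not from the original talk. It uses PBKDF2 from the Python standard library in place of the bcrypt shown on the earlier slide; the record format, the iteration count, the function names and the sample users are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware

def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def new_record(password: str) -> str:
    """Salted, deliberately slow hash; salt and cost travel with the record."""
    salt = os.urandom(16)  # unique random salt for every stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, iters, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def shared_hashes(table: dict) -> list:
    """Groups of users whose stored value is identical, as a dump would show."""
    by_hash = {}
    for user, stored in table.items():
        by_hash.setdefault(stored, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]

# Constructed sample users; two of them chose the same password.
USERS = {"alice": "Tacos4ever!", "bob": "Tacos4ever!", "carol": "b33f-brisket"}

if __name__ == "__main__":
    weak = {u: unsalted_sha256(p) for u, p in USERS.items()}
    strong = {u: new_record(p) for u, p in USERS.items()}
    print("unsalted duplicates:", shared_hashes(weak))
    print("salted duplicates:  ", shared_hashes(strong))
    print("alice verifies:     ", verify("Tacos4ever!", strong["alice"]))
```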
21. Build your own rig
Software
▪ Hydra
– online password brute-force
– does NOT utilize the video processor
– slow brute-force and easily detectable
▪ John the ripper
– Offline password brute-force
– does NOT utilize the video processor
– fast with password list
– slow brute-force
22. Build your own rig
Software
▪ OCLHashCat
– Definitely utilizing the power of video processor
▪ Although can be used without for much slower performance
– Methods of password cracking
▪ password list
▪ rules-based
▪ brute-force
25. So, how secure is your encryption?
Places you find encryption everyday:
▪ Websites (HTTPS)
▪ Full Disk Encryption on your phone or laptop
▪ Messaging (WhatsApp)
28. What’s the Problem With Hash Collisions?
▪ Create a fake certificate for an HTTPS website
▪ Modify a legal document without parties realizing
▪ Create a malicious piece of software that shows valid to AV systems
▪ And lots, lots more!
29. How to make a Hash Collision
Let’s take the certificate attack as an example.
Take an existing certificate, find the current valid signature, a SHA256
hash of the whole certificate.
30. How to make a Hash Collision
Whatever public/private key pair we make, the signature is going to
have to match this signature.
So we start changing other aspects of the file, testing to see if
the hash matches, repeating until the match is found.
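The two cases from the birthday-attack slide, and the cost of the search described above (matching one fixed signature hash), worked through as an added example that is not from the original talk. It goes beyond the slides by timing both searches on SHA-256 truncated to 16 bits, a deliberately weakened toy; the function names, the sample input and the 1e12 hashes-per-second rate are assumptions.

```python
import hashlib

def trunc_hash(data: bytes, bits: int) -> int:
    """SHA-256 cut down to its top `bits` bits (deliberately weakened toy)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def find_any_collision(bits: int):
    """Birthday case: ANY two inputs sharing a truncated hash."""
    seen = {}
    n = 0
    while True:  # pigeonhole guarantees an exit within 2**bits + 1 inputs
        msg = b"msg-%d" % n
        h = trunc_hash(msg, bits)
        if h in seen:
            return seen[h], msg, n + 1
        seen[h] = msg
        n += 1

def match_specific(target: bytes, bits: int, max_tries: int = 1 << 22):
    """'Specific birthday' case: another input matching ONE fixed hash."""
    want = trunc_hash(target, bits)
    for n in range(max_tries):
        msg = b"alt-%d" % n
        if trunc_hash(msg, bits) == want:
            return msg, n + 1
    return None, max_tries

def p_shared_birthday(people: int, days: int = 365) -> float:
    p_none = 1.0
    for i in range(people):
        p_none *= (days - i) / days
    return 1 - p_none

def p_specific_birthday(people: int, days: int = 365) -> float:
    return 1 - ((days - 1) / days) ** people

def years_to_match(bits: int, hashes_per_second: float) -> float:
    """Expected years to match one fixed `bits`-bit hash by trial (2**bits tries)."""
    return 2 ** bits / hashes_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    target = b"constructed certificate body"  # constructed sample input
    print("P(two of 23 share a birthday):", round(p_shared_birthday(23), 3))
    print("P(one of 23 has YOUR birthday):", round(p_specific_birthday(23), 3))
    print("16-bit toy, any collision after", find_any_collision(16)[2], "tries")
    print("16-bit toy, specific match after", match_specific(target, 16)[1], "tries")
    print("full SHA-256 at an assumed 1e12 H/s: %.1e years" % years_to_match(256, 1e12))
```

Matching an existing certificate's hash is the "specific birthday" case, so its cost grows as 2^bits rather than the 2^(bits/2) of a free-choice collision.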