bitcracker
play

BITCRACKER Elena Agostini, Massimo Bernaschi 2 BITCRACKER: - PowerPoint PPT Presentation

Feb 16, 2023 •585 likes •904 views

BITLOCKER MEETS GPUS BITCRACKER Elena Agostini, Massimo Bernaschi 2 BITCRACKER: BITLOCKER MEETS GPUS BITLOCKER Windows Vista, 7, 8.1 and 10 encryption feature (Ultimate, Pro, Enterprise, etc..) It encrypts several types of memory units

  1. BITLOCKER MEETS GPUS BITCRACKER Elena Agostini, Massimo Bernaschi

  2. 2 BITCRACKER: BITLOCKER MEETS GPUS BITLOCKER ‣ Windows Vista, 7, 8.1 and 10 encryption feature (Ultimate, Pro, Enterprise, etc..) ‣ It encrypts several types of memory units like internal HD (native BitLocker) or removable devices (BitLocker To Go) like USB, SD cards, etc.. ‣ Several authentication methods to encrypt (decrypt) memory devices: • TPM (Trusted Platform Module), TPM + PIN, etc.. • Smart Card • Recovery Key • User Password

  3. 3 BITCRACKER: BITLOCKER MEETS GPUS BITLOCKER PASSWORD METHOD: ENCRYPTION, STEP 1

  4. 4 BITCRACKER: BITLOCKER MEETS GPUS BITLOCKER PASSWORD METHOD: ENCRYPTION, STEP 2

  5. 5 BITCRACKER: BITLOCKER MEETS GPUS BITLOCKER PASSWORD METHOD: ENCRYPTION, STEP 3

  6. 6 BITCRACKER: BITLOCKER MEETS GPUS BITLOCKER PASSWORD METHOD: DECRYPTION

  7. 7 BITCRACKER: BITLOCKER MEETS GPUS BITCRACKER ‣ First open source password cracking tool for memory devices encrypted with BitLocker ‣ User password authentication method • Find the right password to decrypt an encrypted memory unit ‣ Dictionary attack by means of GPUs • Every thread decrypts the device testing a different password Input GPU code Output VALID Decryption with “goofy_123” THREAD 0 PASSWORD? ENCRYPTED MEMORY DEVICE GOOFY_123 VALID Decryption with “deepsec17” Yes PASSWORD1 “deepsec17” THREAD 2 PASSWORD? DEEPSEC17 ….

  8. 8 BITCRACKER: BITLOCKER MEETS GPUS BITLOCKER FORMAT ▸ Decryption algorithm ▸ Headers and metadata inside BitLocker encrypted devices ▸ Sources: ▸ Microsoft ( https://technet.microsoft.com ) ▸ libbde : Library and tools useful to access the BitLocker encrypted volumes ( https://github.com/libyal/libbde ) ▸ dislocker : FUSE driver to read/write Windows' BitLocker- ed volumes under Linux/Mac OSX ( https://github.com/ Aorimn/dislocker )

  9. 9 BITCRACKER: BITLOCKER MEETS GPUS BITLOCKER KEYS ▸ Complex architecture of keys to encrypt devices ▸ Encryption: • Sectors are encrypted by using a key called FVEK (Full-Volume Encryption Key) • The FVEK is, in turn, encrypted with a key called VMK (Volume Master Key) • The VMK is also encrypted with an authentication method ( e.g., user provided password ) DECRYPTION TPM RSA Attack! TPM + PIN Volume Master Key Full Volume Encryption Key AES 256 bit 256 bit User SHA-256 Password Smart AES AES Key Recovery Decrypted Memory Key Unit

  10. 10 BITCRACKER: BITLOCKER MEETS GPUS BITLOCKER VMK DECRYPTION ALGORITHM User Password Compare Compute MAC MAC values Update Decrypted Decrypted Hash Loop 1.048.576 MAC VMK iterations Encrypted Encrypted XOR XOR SHA256(Hash) Salt MAC VMK IV Encrypt IV Intermediate Encrypted IV with AES Key ?

  11. 11 BITCRACKER: BITLOCKER MEETS GPUS BITLOCKER METADATA ▸ 3 FVE ( Full Volume Encryption ) metadata blocks ▸ Initial signature “-FVE-FS-” ▸ Windows 8.1, FVE block: salt (5), VMK encrypted with AES- CCM (6), encrypted MAC (8), encrypted VMK (9), etc…

  12. 12 BITCRACKER: BITLOCKER MEETS GPUS BITCRACKER VMK DECRYPTION ALGORITHM, INITIAL VERSION User Password Compare Compute MAC MAC values Bottleneck! Update Decrypted Decrypted Hash Loop 1.048.576 MAC VMK iterations Encrypted Encrypted XOR XOR SHA256(Hash) Salt MAC VMK IV Encrypt IV Intermediate Encrypted IV with AES Key ‣ Poor performance: 100 password/sec, NVIDIA GPU Tesla K80 ‣ Limited by instructions number!

  13. 13 BITCRACKER: BITLOCKER MEETS GPUS IMPROVEMENT - W BLOCKS Each iteration: SHA-256 to a 128 bytes structure Block1: 64 byte Block2: 64 byte 64 byte 16 byte 8 byte 32 byte 8 byte Results previous iteration Salt Counter Padding Size Variable Fixed Variable Fixed Fixed Not predictable Memory unit 0 – 1048575 10 … 0 88 salt Precomputation is possible! 1.048.576 iterations x 64 W blocks = 67.108.800 blocks (256 Mb) SHA-256 to 128 byte: ‣ 128 byte split into two 64 byte blocks ‣ PreviousHash = SHA-256 (Constants [32 byte], Message1 [Block1: 64 byte]) ‣ FinalHash = SHA-256 (PreviousHash [32 byte], Message2 [Block2: 64 byte]) 64 byte Message —> 64 W blocks

  14. 14 BITCRACKER: BITLOCKER MEETS GPUS IMPROVEMENT - CUDA ‣ No W blocks computation —> less instructions! ‣ Less registers usage, no local memory, occupancy 100%, etc… ‣ Instructions like IADD3 and LOP3.LUT (logical operation on 3 inputs with lookup table) —> d = (a XOR b XOR c))) • CC 3.x (Kepler arch) : 1. lop.xor a, b, tmp; 2. lop.xor tmp, c, d; • CC 5.x (Maxwell arch) : 1. lop3.lut (d, a, b, c, 0x96)

  15. 15 BITCRACKER: BITLOCKER MEETS GPUS BITCRACKER VMK DECRYPTION ALGORITHM User Password Compare Compute MAC MAC values Update Decrypted Decrypted Hash Loop 1.048.576 MAC VMK iterations Encrypted Encrypted XOR XOR SHA256(Hash) Salt MAC VMK IV Encrypt IV Intermediate Encrypted IV W BLOCKS with AES Key READ FROM MEMORY Speed up x3: from 100 password/sec to 340 password/sec, NVIDIA GPU Tesla K80

  16. 16 BITCRACKER: BITLOCKER MEETS GPUS IMPROVEMENT - MAC COMPARISON ▸ Decrypt VMK: 3 AES, 44 XOR ▸ Decrypt MAC: 1 AES, 16 XOR ▸ Compute MAC: 4 AES, 44 XOR Compare Compute MAC MAC values Decrypted Decrypted MAC VMK Encrypted Encrypted XOR XOR MAC VMK Encrypted IV

  17. 17 BITCRACKER: BITLOCKER MEETS GPUS IMPROVEMENT - MAC COMPARISON ▸ According to Microsoft standard, decrypted VMK structure: • First 12 bytes hold info about the key: 1. Bytes 0 and 1: VMK length, always 44 2. Bytes 4 and 5: version number, always 1 3. Bytes 8 and 9: type of VMK encryption. In case of user password, the value is between 0x2000 and 0x2005 • Last 32 bytes are the real VMK ▸ Improvement: avoid MAC comparison and check the decrypted VMK values

  18. 18 BITCRACKER: BITLOCKER MEETS GPUS BITCRACKER FINAL ALGORITHM FALSE POSITIVES? User Password Check VMK format Update Decrypted Hash Loop 1.048.576 VMK iterations SHA256(Hash) XOR Salt IV W BLOCKS Encrypt IV Intermediate READ FROM Encrypted VMK Encrypted IV with AES Key MEMORY Speed up 11%: from 340 password/sec to 385 password/sec, NVIDIA GPU Tesla K80

  19. 19 BITCRACKER: BITLOCKER MEETS GPUS BITCRACKER & WINDOWS VERSIONS ▸ Tested with BitLocker on Windows Vista, 7 , 8.1 and 10 ▸ Windows 10 has 2 different modes: • Compatible : nothing different from previous Windows • Not Compatible : XTS-AES instead of AES-CCM, only for FVEK and device sectors

  20. 20 BITCRACKER: BITLOCKER MEETS GPUS BITCRACKER PERFORMANCE: PASSWORDS/SECOND 1600 1418 1200 Passwords x Second 933 884 800 385 400 314 241 8 0 Intel Core i7 2.9GHz AMD Raden GeForce Titan X GeForce Titan Tesla K80 GeForce Titan X Tesla P100 OpenCL OpenCL OpenCL CUDA CUDA CUDA CUDA OpenCL - CPU OpenCL - GPU CUDA

  21. 21 BITCRACKER: BITLOCKER MEETS GPUS BITCRACKER PERFORMANCE: HASH/SECOND ▸ Each password requires 1.048.576 x 2 = 2.097.152 SHA-256 ▸ 1418 psw/sec —> 2.973.761.536 SHA-256/sec ▸ Compared with Hashcat v 3.5.0 … Not fair! Hashcat BitCracker Implementation OpenCL CUDA 2.097.152 SHA-256 + Format Raw SHA-256 AES + XOR Improvements None W blocks Hash/sec 3070 MH/sec 2973 MH/sec NVIDIA GPU Tesla P100 (Pascal architecture)

  22. 22 BITCRACKER: BITLOCKER MEETS GPUS BITCRACKER IS AVAILABLE ONLINE! ▸ GitHub repository: https://github.com/e-ago/bitcracker ๏ Standalone implementation, both CUDA-C and OpenCL ๏ Most updated version with several command line options ๏ No dictionary manipulation, mask attacks, etc.. ▸ John the Ripper - OpenCL BitLocker format: ๏ Bleeding jumbo: https://github.com/magnumripper/JohnTheRipper ๏ Wiki page: http://openwall.info/wiki/john/OpenCL-BitLocker ๏ Slightly slower due to JtR internal engine ‣ GPLv2.0 but we are open to collaborations!

  23. 23 BITCRACKER: BITLOCKER MEETS GPUS BITCRACKER: HOW TO ▸ Step 1: get the image of your encrypted memory unit ▸ Example 1: dd command is a Linux command-line utility to create bit-by-bit images of entire drives sudo dd if=/dev/disk2 of=/somepath/imageEncrypted conv=noerror,sync 4030464+0 records in 4030464+0 records out 2063597568 bytes transferred in 292.749849 secs (7049013 bytes/sec)

  24. 24 BITCRACKER: BITLOCKER MEETS GPUS BITCRACKER: HOW TO ▸ Step 1: get the image of your encrypted memory unit ▸ Example 2: test with an encrypted VHD

  25. 25 BITCRACKER: BITLOCKER MEETS GPUS BITCRACKER: HOW TO ▸ Step 2: bitcracker_hash to extract the hash and check the format ./build/bitcracker_hash -o hashFile.txt -i /somepath/imageEncrypted Opening file /somepath/imageEncrypted Signature found at 0x00010003 Version: 8 Invalid version, looking for a signature with valid version... Signature found at 0x02110000 Version: 2 (Windows 7 or later) VMK entry found at 0x021100c2 VMK encrypted with user password found! Final hash: $bitlocker$0$16$0457cb4e3c27f5172b4d2192b6fb3e5e$1048576$12$60bb9871d20fd3010 3000000$60$b860aa11fe0b1eb3e2c75c3de07c4c8b933e9e9d5fba5bfb7bf7cdbbc3d0fd05ce 95ea725bc064d7f58058b72eb5b954131ec22152cce546ae2d0902

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and

User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and

CSS322 Passwords Authentication Passwords Entropy User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

670 views • 28 slides
Cryptographic Key Infrastructure Goal: bind identity to key Classical: not possible as

Cryptographic Key Infrastructure Goal: bind identity to key Classical: not possible as

Cryptographic Key Infrastructure Goal: bind identity to key Classical: not possible as all keys are shared Use protocols to agree on a shared key (see earlier) Public key: bind identity to public key Crucial as people will

690 views • 41 slides
Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON. Belgium, 11 October 2019. 2 Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

1.97k views • 56 slides
Applied Cryptography December 2017 ECDLP is the problem of finding an ECC user's secret key,

Applied Cryptography December 2017 ECDLP is the problem of finding an ECC user's secret key,

Applied Cryptography December 2017 ECDLP is the problem of finding an ECC user's secret key, given the user's public key. Unfortunately, there is a gap between ECDLP difficulty and ECC security.There are many attacks that break

527 views • 18 slides
Investigating the Distribution of Password Choices David Malone and Kevin Maher, Hamilton

Investigating the Distribution of Password Choices David Malone and Kevin Maher, Hamilton

Investigating the Distribution of Password Choices David Malone and Kevin Maher, Hamilton Institute, NUI Maynooth. 19 April 2012 How to Guess a Password? Passwords are everywhere. If you dont know the password, can you guess it? 1. Make a

420 views • 18 slides
Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David Pointcheval CNRS, Ecole normale sup erieure/PSL & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA David

319 views • 14 slides
Peer-to-Peer Networks 14 Security Christian Schindelhauer Technical Faculty Computer-Networks

Peer-to-Peer Networks 14 Security Christian Schindelhauer Technical Faculty Computer-Networks

Peer-to-Peer Networks 14 Security Christian Schindelhauer Technical Faculty Computer-Networks and Telematics University of Freiburg Free-Net Ian Clarke, Oskar Sandberg, Brandon Wiley, Theodore Hong, 2000 Goal - peer-to-peer network -

746 views • 36 slides
S ecurit e des protocoles cryptographiques : aspects logiques et calculatoires Mathieu

S ecurit e des protocoles cryptographiques : aspects logiques et calculatoires Mathieu

Introduction Symbolic analysis Constraint solving Computational justification Conclusion S ecurit e des protocoles cryptographiques : aspects logiques et calculatoires Mathieu Baudet Laboratoire Sp ecification et V erification

963 views • 58 slides
machine learning JOE GARDINER (@THECYBERJOE) Who am I? Final year PhD student at Lancaster

machine learning JOE GARDINER (@THECYBERJOE) Who am I? Final year PhD student at Lancaster

Tricking binary trees: The (in)security of machine learning JOE GARDINER (@THECYBERJOE) Who am I? Final year PhD student at Lancaster University President Lancaster University Ethical Hacking Group (LUHack) Joining University of

1.41k views • 65 slides
Strong Cryptography from Weak Secrets Building Efficient PKE and IBE from Distributed Passwords

Strong Cryptography from Weak Secrets Building Efficient PKE and IBE from Distributed Passwords

Distributed Cryptography Distributed Password Public-Key Cryptography The Decision-Linear Case Strong Cryptography from Weak Secrets Building Efficient PKE and IBE from Distributed Passwords Xavier Boyen 1 Cline Chevalier 2 Georg Fuchsbauer 3

680 views • 36 slides
hashing Nov. 10, 2017 1 RECALL: Map keys (type K) values (type V) Each (key, value) pairs is

hashing Nov. 10, 2017 1 RECALL: Map keys (type K) values (type V) Each (key, value) pairs is

COMP 250 Lecture 27 hashing Nov. 10, 2017 1 RECALL: Map keys (type K) values (type V) Each (key, value) pairs is an entry. For each key, there is at most one value. 2 RECALL Special Case: keys are unique positive integers in

783 views • 36 slides
Proposal for Translating Cryptology Terms to Hebrew Yossi Markovitz initiated this list. Ron

Proposal for Translating Cryptology Terms to Hebrew Yossi Markovitz initiated this list. Ron

Proposal for Translating Cryptology Terms to Hebrew Yossi Markovitz initiated this list. Ron Irmai, Shraga Irmai, Adi Shamir, Moti Yung, Orr Dunkelman and Roni Roth contributed various terms and had var- ious suggestions that improved this list.

542 views • 10 slides
Empirical Comparison of PETRARCH-1 and 2 Verb Dictionaries Philip A. Schrodt Parus Analytics

Empirical Comparison of PETRARCH-1 and 2 Verb Dictionaries Philip A. Schrodt Parus Analytics

Empirical Comparison of PETRARCH-1 and 2 Verb Dictionaries Philip A. Schrodt Parus Analytics Charlottesville, Virginia, USA schrodt735@gmail.com Presented at the RIDIR Event Data Project Annual Meeting University of Texas at Dallas, 11

505 views • 27 slides
Introduction to Logic in Computer Science: Autumn 2007 Ulle Endriss Institute for Logic,

Introduction to Logic in Computer Science: Autumn 2007 Ulle Endriss Institute for Logic,

Tableaux for Propositional Logic ILCS 2007 Introduction to Logic in Computer Science: Autumn 2007 Ulle Endriss Institute for Logic, Language and Computation University of Amsterdam Ulle Endriss 1 Tableaux for Propositional Logic ILCS 2007

587 views • 34 slides
English Monday - Conjunctions What is a conjunction? What is their purpose? What conjunctions do

English Monday - Conjunctions What is a conjunction? What is their purpose? What conjunctions do

English Monday - Conjunctions What is a conjunction? What is their purpose? What conjunctions do you know? There are two types o conjunctions: Coordinating conjunctions (and, but, or) Subordinating conjunctions (when, if, that, because)

368 views • 14 slides
Introduction Lecturer: Prof. Aude Billard (aude.billard@epfl.ch) Assistants: Dr. Basilio Noris,

Introduction Lecturer: Prof. Aude Billard (aude.billard@epfl.ch) Assistants: Dr. Basilio Noris,

MACHINE LEARNING 2013 MACHINE LEARNING Introduction Lecturer: Prof. Aude Billard (aude.billard@epfl.ch) Assistants: Dr. Basilio Noris, Nicolas Sommer (basilio.noris@epfl.ch; n.sommer@epfl.ch) 1 1 MACHINE LEARNING 2013 Practicalities

866 views • 68 slides
Lecture 1: Course outline and logistics What is Machine Learning Aykut Erdem October 2016

Lecture 1: Course outline and logistics What is Machine Learning Aykut Erdem October 2016

Lecture 1: Course outline and logistics What is Machine Learning Aykut Erdem October 2016 Hacettepe University Todays Schedule Course outline and logistics An overview of Machine Learning 2 Course outline and logistics

1.7k views • 118 slides
I n t e r n s L i g h t n i n g T a l k s Proxy editing PiTiVi Proxy editing

I n t e r n s L i g h t n i n g T a l k s Proxy editing PiTiVi Proxy editing

I n t e r n s L i g h t n i n g T a l k s Proxy editing PiTiVi Proxy editing Anton Belka, antonbelka@gmail.com GUADEC 2013 The TM Conference GUADEC Proxy editing What is proxy editing? Proxy editing is the ability to

1.75k views • 143 slides
Work Equipment Inspections An integral part of equipment maintenance Graham Higginson Business

Work Equipment Inspections An integral part of equipment maintenance Graham Higginson Business

Work Equipment Inspections An integral part of equipment maintenance Graham Higginson Business Development Manager Industrial Safety Inspections Ltd 1 Introduction Equipment Maintenance A Quick Overview Inspections A General Guide

789 views • 35 slides
Differential Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer

Differential Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer

Differential Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Concept of Differentials Propagation Ratio The

471 views • 15 slides
Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier, Xiaolu Hou and Yang Liu 10 September 2018 1 / 25 Table of Contents Background and Motivation 1 Overview of DATAC DFA Automation Tool for

727 views • 25 slides
A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

1. Preliminaries 2. Differential-Linear Cryptanalysis: Previous and Our Methodologies 3. Application to 13 Rounds of the DES Block Cipher 4. Application to 10 Rounds of the CTC2 Block Cipher 5. Application to 12 Rounds of the Serpent Block

1.18k views • 25 slides
Cryptography by Cellular Automata Luca Mariot luca.mariot@disco.unimib.it Zagreb November

Cryptography by Cellular Automata Luca Mariot luca.mariot@disco.unimib.it Zagreb November

University of Milano-Bicocca Department of Informatics, Systems and Communications Cryptography by Cellular Automata Luca Mariot luca.mariot@disco.unimib.it Zagreb November 14, 2017 Context (1/2): Cellular Automata One-dimensional

847 views • 47 slides
Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography Linear Cryptanalysis Differential Cryptanalysis Analytic Cryptanalysis of Block Ciphers, Stream Ciphers, Modes of Other Advanced Attacks Operation,

933 views • 11 slides

More recommend