High-Speed Implementation of bcrypt Password Search using Special-Purpose Hardware

SLIDE 1

RUHR-UNIVERSITÄT BOCHUM

High-Speed Implementation of bcrypt Password Search using Special-Purpose Hardware

10. December 2014

Horst Görtz Institute for IT-Security Ruhr University Bochum Friedrich Wiemer and Ralf Zimmermann

Friedrich Wiemer and Ralf Zimmermann | High-Speed Implementation of bcrypt Password Search | 10. December 2014 1

SLIDE 2

Outline

1. Motivation
2. bcrypt
3. Design of Implementation
4. Results

SLIDE 4

Motivation

Password Hashing Function?

Can’t we just store passwords in plain? [1, 2]

[1] blog.ebay.com/ebay-inc-ask-ebay-users-change-passwords
[2] blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html

SLIDE 6

Motivation

Secure Storage?

[Diagram: Password, Salt → hash function (MD5, SHA{1, 2, 3}, ...) → Hash]

Don’t use standard hash functions.

SLIDE 7

Motivation

Secure Storage!

[Diagram: Password, Cost, Salt → password hashing function (PBKDF2, bcrypt, scrypt) → Hash]

SLIDE 8

Motivation

Why do we care?

  • Password cracking has an inherently parallel structure.
  • FPGAs make it possible to exploit this parallelism.
  • bcrypt claims to resist hardware optimizations.
  • Currently available implementations [3] suffer from interface bottlenecks and unstable operation.

[3] K. Malvoni et al. Are Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware. 8th USENIX Workshop on Offensive Technologies (WOOT 14), 2014.

SLIDE 10

What is bcrypt?

  • Introduced in 1999 by Provos and Mazières. [4]
  • Implemented in OpenBSD 2.1, Ruby on Rails, and PHP as standard password hash.

bcrypt
  • cost-parameterized
  • based on modified Blowfish

Blowfish
  • symmetric block cipher
  • Feistel network

[4] www.usenix.org/events/usenix99/full_papers/provos/provos.pdf

SLIDE 12

bcrypt

Structure
  • set up state, using the password and salt as key, with modified Blowfish key schedule
  • encrypt magic value
  • output ciphertext as hash

Work
  • needs $(2^{\text{cost}+1} + 1) \cdot 521$ Blowfish encryptions (roughly $2^{\text{cost}+10}$)
  • needs $3 \cdot 64$ Blowfish encryptions

SLIDE 13

Implementation

Cracker

SLIDE 15

Target Platforms

  • Low cost, low power FPGA: Zedboard
  • High performance FPGA: Virtex-7

SLIDE 16

Optimization

Optimization Goal?

SLIDE 18

Optimization

  • Low Area Footprint (bcrypt)
  • High-Speed (Blowfish)

SLIDE 19

Design

First Attempt

[Block diagram, first attempt. Components: Interface, Salt Register, Hash Register, Password Generator, four bcrypt Cores. Detail labelled "bcrypt Core": bcrypt Internals, Password Memory. Clocks: 100 MHz (BCRCLK), 100 MHz (BUSCLK).]

SLIDE 21

Design

Quad Core

[Block diagram, quad-core design. Components: Interface, Salt Register, Hash Register, ten bcrypt Quad Cores. Detail labelled "Quad Core": four bcrypt Cores, Password Memory, Password Generator. Clocks: 100 MHz (BCRCLK), 100 MHz (BUSCLK).]

SLIDE 23

Design

Blowfish Core

One Round

[Diagram of one Blowfish round: P_i, S-boxes S0 to S3, function f; inputs Left_i and Right_i, outputs Left_{i+1} and Right_{i+1}]

Problematic
  • S-box addresses cannot be computed in the same clock cycle in which the lookup is used
  • needs 2 clock cycles per round

SLIDE 24

Design

Blowfish Core Retimed

Prefetch

[Diagram: P_1, Input Left, Input Right; Left_1, Right_1]

Retimed Round

[Diagram: P_{i+1}, S-boxes S0 to S3, function f; Left_i, Right_i; Left_{i+1}, Right_{i+1}]

Advantages
  • needs only 1 clock cycle per round

SLIDE 25

Resulting Resources

Zedboard
  • estimate for one Zedboard: 40 cores as upper bound, BRAMs as limiting resource
  • first design attempt (password in registers): 12 cores fit, LUT utilization way too high
  • Quad Core Design: 40 cores fit, while using “big” interface

Virtex-7
  • Quad Core Design: 316 cores per FPGA

SLIDE 26

Resulting Resources

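Resource utilization of design and submodules

|                    | LUT   | FF     | Slice  | BRAM   |
|--------------------|-------|--------|--------|--------|
| Overall            | 64.8% | 13.06% | 93.29% | 95.71% |
| Quad Core          | 2,777 | 720    | 801    | 13     |
| Single Core        | 617   | 132    | 197    | 3      |
| Blowfish Core      | 354   | 64     | 71     |        |
| Password Generator | 216   | 205    | 81     |        |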

SLIDE 27

Resulting Hashrates

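| Compared to    | cost factor 5: Hashes / Second | cost factor 5: Hashes / (Watt · Second) | cost factor 12: Hashes / Second | cost factor 12: Hashes / (Watt · Second) |
|----------------|--------|--------|-------|-------|
| Zedboard       | 6,511  | 1,550  | 51.95 | 12.37 |
| Malvoni (GSoC) | 780    |        |       |       |
| Malvoni et al. | 4,571  | 682.24 | 64.83 | 9.68  |
| Virtex-7       | 51,437 | 2,572  | 410.4 | 20.52 |
| Xeon E3-1240   | 6,210  | 20.7   | 50    | 0.17  |
| GTX 750 Ti     | 1,920  | 6.4    | 15    | 0.05  |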
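The following Python sketch is an added example, not part of the original slides. It combines the two work terms from the "Work" slide into a per-hash cost model, checks that model against the hash rates reported above, and uses it to size a bcrypt cost factor from the defender's side. Summing the two terms, the function names, and the sizing scenario (8-character alphanumeric passwords, 100 boards, 10 years) are assumptions made for illustration.

```python
# Added example: work model from the "Work" slide, checked against the
# hash rates reported on the "Resulting Hashrates" slide.

# (hashes/s at cost 5, hashes/s at cost 12), copied from the slide's table.
REPORTED = {
    "Zedboard": (6511, 51.95),
    "Malvoni et al.": (4571, 64.83),
    "Virtex-7": (51437, 410.4),
    "Xeon E3-1240": (6210, 50),
    "GTX 750 Ti": (1920, 15),
}

def blowfish_encryptions(cost):
    """Blowfish encryptions for one bcrypt hash: sum of the slide's two terms
    (summing them is this example's assumption)."""
    return (2 ** (cost + 1) + 1) * 521 + 3 * 64

def scale_rate(rate, from_cost, to_cost):
    """Predict hashes/s at to_cost from a rate measured at from_cost."""
    return rate * blowfish_encryptions(from_cost) / blowfish_encryptions(to_cost)

def days_to_exhaust(candidates, rate_at_5, cost, devices=1):
    """Days for `devices` units to try every candidate against one hash."""
    return candidates / (scale_rate(rate_at_5, 5, cost) * devices) / 86400

def min_cost(candidates, rate_at_5, devices, target_days):
    """Smallest bcrypt cost (4..31) at which exhaustion takes target_days."""
    for cost in range(4, 32):
        if days_to_exhaust(candidates, rate_at_5, cost, devices) >= target_days:
            return cost
    return None

if __name__ == "__main__":
    for name, (r5, r12) in REPORTED.items():
        pred = scale_rate(r5, 5, 12)
        print(f"{name:15s} predicted {pred:8.2f} H/s at cost 12, reported {r12}")
    # Constructed sizing case: 8 characters from [A-Za-z0-9], 100 Virtex-7
    # boards (hypothetical), 10-year exhaustion target.
    space = 62 ** 8
    print("minimum cost:", min_cost(space, REPORTED["Virtex-7"][0], 100, 3650))
```

The model reproduces the Zedboard and Virtex-7 cost-12 figures from their cost-5 rates almost exactly, while the Malvoni et al. cost-12 figure does not follow the same scaling.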

SLIDE 28

Brute Force Attack

Cost 5

[Figure: plot for cost 5. Axis labels: Number of attacked passwords; Total costs in $1 000 000. Series: break-even, CPU*, GPU*, CPU+GPU*, Virtex-7, Zedboard, Malvoni et al.]

SLIDE 29

Questions?

Thank you for your attention!

Images: Wikimedia Commons, flickr
