Networking

11:49 AM
Connect Directly
RSS
E-Mail
50%
50%

Hacker Cracks Secure Hashing Algorithm Using Amazon Cloud

Using EC2's cluster GPU power, security researcher spent only $2.10 to decrypt 14 SHA1 passwords in under an hour; other experts aren't concerned.

How Firesheep Can Hijack Web Sessions
(click image for larger view)
Slideshow: How Firesheep Can Hijack Web Sessions

German security researcher Thomas Roth may have discovered the ultimate in DIY dictionary attacks: using on-demand computing power courtesy of the Amazon Elastic Compute Cloud (EC2) to crack the SHA1 secure hashing algorithm for just $2.10.

On Monday, Roth detailed his experiment in a blog post, spurred by Amazon's introduction of cluster GPU instances. "GPUs are known to be the best hardware accelerator for cracking passwords, so I decided to give it a try: How fast can this instance type be used to crack SHA1 hashes?" he said.

His answer, using a list of 14 hashes: "I was able to crack all hashes from this file with a password length from 1-6 in only 49 minutes." According to Roth, "this just shows one more time that SHA1 for password hashing is deprecated -- you really don't want to use it anymore."

SHA1, developed by the National Security Agency, is today's most widely used hashing algorithm. Is it now at risk of attack via Amazon EC2-renting hackers?

Thankfully, no. Paul Ducklin, the head of technology for Sophos in the Asia-Pacific region, said that real-world password schemes hash hashes of hashes, adding layers of complexity to make recovering the password as "computationally infeasible" as possible. The older Linux password system, for example, hashes the hashes of passwords 1,000 times, while the newer one uses 5,000 iterations, he said.

Accordingly, to attack a Linux password -- based on the old Linux password system -- "Ross would need 1,000 times longer -- and $2,000 to blow on Amazon -- because each password would require 1,000 times as many calculations to hash," he said.

Furthermore, Ross' experiment wasn't very computationally intensive by today's standards. Ducklin said that in the time it took Ross to recover 10 passwords from 14 hashes, he used his MacBook Pro to recover eight of them. "Big deal," he said.

In other words, SHA1 seems relatively safe for now. That said, it's slated for replacement due to concerns that it has an inherent cryptographic weakness. Accordingly, the National Institute of Standards and Technology (NIST) is currently holding a competition to design the more secure SHA3. NIST hopes to release the new standard by 2012.

Comment  | 
Print  | 
More Insights
Cartoon
Hot Topics
6
IT Certification's Top 10 Benefits
Global Knowledge, Global Knowledge,  8/20/2014
1
Why Large Data Centers Need Overlay Networks
Cisco Press, Publishing Alliance,  8/21/2014
White Papers
Register for Network Computing Newsletters
Current Issue
2014 Private Cloud Survey
2014 Private Cloud Survey
Respondents are on a roll: 53% brought their private clouds from concept to production in less than one year, and 60% ­extend their clouds across multiple datacenters. But expertise is scarce, with 51% saying acquiring skilled employees is a roadblock.
Video
Slideshows
Twitter Feed