Networking

11:49 AM
Connect Directly
RSS
E-Mail
50%
50%

Hacker Cracks Secure Hashing Algorithm Using Amazon Cloud

Using EC2's cluster GPU power, security researcher spent only $2.10 to decrypt 14 SHA1 passwords in under an hour; other experts aren't concerned.

How Firesheep Can Hijack Web Sessions
(click image for larger view)
Slideshow: How Firesheep Can Hijack Web Sessions

German security researcher Thomas Roth may have discovered the ultimate in DIY dictionary attacks: using on-demand computing power courtesy of the Amazon Elastic Compute Cloud (EC2) to crack the SHA1 secure hashing algorithm for just $2.10.

On Monday, Roth detailed his experiment in a blog post, spurred by Amazon's introduction of cluster GPU instances. "GPUs are known to be the best hardware accelerator for cracking passwords, so I decided to give it a try: How fast can this instance type be used to crack SHA1 hashes?" he said.

His answer, using a list of 14 hashes: "I was able to crack all hashes from this file with a password length from 1-6 in only 49 minutes." According to Roth, "this just shows one more time that SHA1 for password hashing is deprecated -- you really don't want to use it anymore."

SHA1, developed by the National Security Agency, is today's most widely used hashing algorithm. Is it now at risk of attack via Amazon EC2-renting hackers?

Thankfully, no. Paul Ducklin, the head of technology for Sophos in the Asia-Pacific region, said that real-world password schemes hash hashes of hashes, adding layers of complexity to make recovering the password as "computationally infeasible" as possible. The older Linux password system, for example, hashes the hashes of passwords 1,000 times, while the newer one uses 5,000 iterations, he said.

Accordingly, to attack a Linux password -- based on the old Linux password system -- "Ross would need 1,000 times longer -- and $2,000 to blow on Amazon -- because each password would require 1,000 times as many calculations to hash," he said.

Furthermore, Ross' experiment wasn't very computationally intensive by today's standards. Ducklin said that in the time it took Ross to recover 10 passwords from 14 hashes, he used his MacBook Pro to recover eight of them. "Big deal," he said.

In other words, SHA1 seems relatively safe for now. That said, it's slated for replacement due to concerns that it has an inherent cryptographic weakness. Accordingly, the National Institute of Standards and Technology (NIST) is currently holding a competition to design the more secure SHA3. NIST hopes to release the new standard by 2012.

Comment  | 
Print  | 
More Insights
Hot Topics
13
Understanding IPv6: The Journey Begins
Denise Fishburne, Cisco Champion,  7/7/2014
7
12 Hot Programming Languages To Learn
Ericka Chickowski, Contributing Writer, Dark Reading,  7/8/2014
1
Randy Bias Helps You Harness The Cloud
Susan Fogarty, Editor in Chief,  7/8/2014
White Papers
Register for Network Computing Newsletters
Cartoon
Current Issue
2014 Private Cloud Survey
2014 Private Cloud Survey
Respondents are on a roll: 53% brought their private clouds from concept to production in less than one year, and 60% ­extend their clouds across multiple datacenters. But expertise is scarce, with 51% saying acquiring skilled employees is a roadblock.
Video
Slideshows
Twitter Feed