SlideShare una empresa de Scribd logo
1 de 95
Descargar para leer sin conexión
Faster P wninG A ssured: New
Adventures with FPGAs


ClubHACK 2007
David Hulton <david@ toorcon.org>

Chairman, ToorCon
Director Security Applications, Pico Computing, Inc.
Researcher, The OpenCiphers Project



Midnight Research Labs
The Church of W iFi
The Hacker's Choice
Overview

    FPGAs – Quick Intro



    New to 2007! (Since Last Defcon)


         CoWPAtty – WPA Cracking
     


         VileFault – Mac OS-X FileVault
     


    New Cracking Tools! (Since ShmooCon)


         BTCrack – Bluetooth Authentication
     


         WinZipCrack – WinZip AES Encryption
     


         The A5 Cracking Project – GSM Encryption
     


    Conclusions





ClubHACK 2007                              2007 © The OpenCiphers Project
FPGAs




ClubHACK 2007           2007 © The OpenCiphers Project
FPGAs




ClubHACK 2007           2007 © The OpenCiphers Project
FPGAs

      Quick Intro
  


          Chip with a ton of general purpose logic
      


              ANDs, ORs, XORs
          


              FlipFlops (Registers)
          


              BlockRAM (Cache)
          


              DSP48’s (ALUs)
          


              DCMs (Clock Multipliers)
          




ClubHACK 2007                                   2007 © The OpenCiphers Project
FPGAs

      Virtex-4 LX25
  




ClubHACK 2007           2007 © The OpenCiphers Project
FPGAs

      Virtex-4 LX25
  


          IOBs (448)
      




ClubHACK 2007           2007 © The OpenCiphers Project
FPGAs

      Virtex-4 LX25
  


          IOBs
      


          Slices (10,752)
      




ClubHACK 2007               2007 © The OpenCiphers Project
FPGAs

      Virtex-4 LX25
  


          IOBs
      


          Slices
      


          DCMs (8)
      




ClubHACK 2007           2007 © The OpenCiphers Project
FPGAs

      Virtex-4 LX25
  


          IOBs
      


          Slices
      


          DCMs
      


          BlockRAMs (72)
      




ClubHACK 2007              2007 © The OpenCiphers Project
FPGAs

      Virtex-4 LX25
  


          IOBs
      


          Slices
      


          DCMs
      


          BlockRAMs
      


          DSP48s (48)
      




ClubHACK 2007           2007 © The OpenCiphers Project
FPGAs

      Virtex-4 LX25
  


          IOBs
      


          Slices
      


          DCMs
      


          BlockRAMs
      


          DSP48s
      


          Programmable Routing Matrix
      


          (~18 layers)




ClubHACK 2007                           2007 © The OpenCiphers Project
Introduction to WPA

      WiFi Protected Access
  




ClubHACK 2007                         2007 © The OpenCiphers Project
Introduction to WPA

      PSK
  


          MK is your passphrase
      


          It’s run through PBKDF2
      


          to generate the PMK




ClubHACK 2007                         2007 © The OpenCiphers Project
Introduction to WPA

      PSK
  


          MK is your passphrase
      


          It’s run through PBKDF2
      


          to generate the PMK




ClubHACK 2007                         2007 © The OpenCiphers Project
Introduction to WPA

      PSK
  


          MK is your passphrase
      


          It’s run through PBKDF2
      


          to generate the PMK




ClubHACK 2007                         2007 © The OpenCiphers Project
Introduction to WPA

         For every possible PMK compute PTK and see if it
     

         matches the handshake captured on the network




ClubHACK 2007                                2007 © The OpenCiphers Project
FPGA coWPAtty

    Uses 8 SHA-1 Cores
  


   Uses BlockRAM to buffer the words fed to the

    cores
   As long as the machine is able to supply words

    fast enough, the SHA-1 cores will be utilized
    fully




ClubHACK 2007                        2007 © The OpenCiphers Project
Performance Comparison

                                   FPG A
  PC

                                   Cowpatty
  Cowpatty
                                    LX25                ~430/sec
     800MHz P3          ~25/sec
                                    1 5 Cluster         ~6,500/sec
     3.6GHz P4          ~60/sec
                                    LX50                ~650/sec
     AMD Opteron        ~70/sec
     2.16GHz IntelDuo   ~70/sec


  Aircrack
     3.6GHz P4          ~100/sec




ClubHACK 2007                                 2007 © The OpenCiphers Project
Results

      Decided to compute hash tables for a 1,000,000
  

      passphrase wordlist for the top 1,000 SSIDs

       “That million word list that I fed you incorporated a
       430,000 word list from Mark Burnett and Kevin Mitnick
       (of all people) and was made up of actual harvested
       passwords acquired through some google hacking.
       They are passwords that people have actually used. I
       padded it out to 1 million by adding things like
       websters dictionary, and other such lists, and then
       stripped the short word (<8 chars.) out of it.”


ClubHACK 2007                               2007 © The OpenCiphers Project
Results

    Finally have the 40GB WPA tables on the tubes
  


   Thanks Shmoo! (3ricJ & Holt!)


   Check the Torrent trackers for seeds


   CoWPAtty FPGA support has recently been

    added to wicrawl




ClubHACK 2007                      2007 © The OpenCiphers Project
Demo
Bluetooth PIN Cracking

      Pairing bluetooth devices is similar to wifi
  


      authentication
      Why not crack the bluetooth PIN?
  


      Uses a modified version of SAFER+
  


      SAFER+ inherently runs much faster in
  


      hardware
      Attack originally explained and published by
  


      Yaniv Shaked and Avishai Wool
      Thierry Zoller originally demonstrated his
  


      implementation at hack.lu

ClubHACK 2007                           2007 © The OpenCiphers Project
Bluetooth PIN Cracking

      How it works
  

          Capture a bluetooth authentication
      

          (sorry, requires an expensive protocol analyzer)
          This is what you'll see
      




  Master                      Slave
  in_rand                                      master sends a random nonce
  m_comb_key
                              s_comb_key       sides create key based on the pin
  m_au_rand                                    master sends random number
                              s_res            slave hashes with E1 and replies
                              s_au_rand        slave sends random number
  m_sres                                       master hashes with E1 and replies


ClubHACK 2007                                           2007 © The OpenCiphers Project
Bluetooth PIN Cracking

      Just try a PIN and if the hashes match the


      capture, it is correct
      Extremely small keyspace since most devices just


      use numeric PINs (1016)
      My implementation is command line and should


      work on all systems with or without FPGA(s)




    ClubHACK 2007                        2007 © The OpenCiphers Project
Bluetooth PIN Cracking

      FPGA Implementation


            Requires implementations of E21, E22, and E1 which
        

            all rely on SAFER+
            Uses 16-stage pipeline version of SAFER+ which feeds
        

            back into itsself after each stage
            To explain, here's some psuedocode
        




    ClubHACK 2007                              2007 © The OpenCiphers Project
Bluetooth PIN Cracking
for(pin = 0; ; pin++) {
     Kinit = E22(pin, s_bd_addr, in_rand);         // determine initialization key

        m_comb_key ^= Kinit;                       // decrypt comb_keys
        s_comb_key ^= Kinit;

        m_lk = E21(m_comb_key, m_bd_addr);         // determine link key
        s_lk = E21(s_comb_key, s_bd_addr);
        lk = m_lk ^ s_lk;

        m_sres_t = E1(lk, s_au_rand, m_bd_addr); // verify authentication
        s_sres_t = E1(lk, m_au_rand, s_bd_addr);

        if(m_sres_t == m_sres && s_sres_t == s_sres)
             found!
}

    ClubHACK 2007                                           2007 © The OpenCiphers Project
Bluetooth PIN Cracking
for(pin = 0; ; pin++) {
     Kinit = E22(pin, s_bd_addr, in_rand);         // determine initialization key

        m_comb_key ^= Kinit;                       // decrypt comb_keys
        s_comb_key ^= Kinit;

        m_lk = E21(m_comb_key, m_bd_addr);         // determine link key
        s_lk = E21(s_comb_key, s_bd_addr);
        lk = m_lk ^ s_lk;

        m_sres_t = E1(lk, s_au_rand, m_bd_addr); // verify authentication
        s_sres_t = E1(lk, m_au_rand, s_bd_addr);

        if(m_sres_t == m_sres && s_sres_t == s_sres)
             found!
}

    ClubHACK 2007                                           2007 © The OpenCiphers Project
Bluetooth PIN Cracking

                              E22
                  16 PINs
   PIN Gen                  SAFER+




ClubHACK 2007                        2007 © The OpenCiphers Project
Bluetooth PIN Cracking

                                    E21           16 clock cycles later

   PIN Gen                       SAFER+




                 Output loops back and SAFER+ now does
                            E21 for the Master




ClubHACK 2007                                     2007 © The OpenCiphers Project
Bluetooth PIN Cracking

                                      E21            16 clock cycles later

   PIN Gen                         SAFER+




                    Then does the second E21 for the Slave
                  and combines the keys to create the link key




ClubHACK 2007                                         2007 © The OpenCiphers Project
Bluetooth PIN Cracking

                                       E1               16 clock cycles later

   PIN Gen                          SAFER+




                  Then the first part of E1 for the Slave




ClubHACK 2007                                           2007 © The OpenCiphers Project
Bluetooth PIN Cracking

                                       E1             16 clock cycles later

   PIN Gen                          SAFER+




                 Then the second part of E1 for the Slave




ClubHACK 2007                                          2007 © The OpenCiphers Project
Bluetooth PIN Cracking

                                       E1              16 clock cycles later

   PIN Gen                          SAFER+




                  Then the first part of E1 for the Master




ClubHACK 2007                                           2007 © The OpenCiphers Project
Bluetooth PIN Cracking

                                      E1              16 clock cycles later

   PIN Gen                         SAFER+




                 Then the second part of E1 for the Master




ClubHACK 2007                                         2007 © The OpenCiphers Project
Bluetooth PIN Cracking

                                             E22            16 clock cycles later

   PIN Gen                               SAFER+



                     SRES                Compare

                                         N      Y
                                                               Stop


                Then checks all of the sres values to see if any match
                           while the process starts over




ClubHACK 2007                                                2007 © The OpenCiphers Project
Bluetooth PIN Cracking

      If the cracker stops the computer reads back
  


      the last generated PIN from the pin generator to
      determine what the valid PIN was
      The last generated PIN – 16 should be the
  


      cracked PIN
      I built a commandline version
  


      Thierry Zoller integrated support into BTCrack
  


      I added some hollywood FX !
  




ClubHACK 2007                           2007 © The OpenCiphers Project
Performance Comparison

  PC                               FPGA

  btpincrack                       btpincrack
     3.6GHz P4      ~40,000/sec     LX25       ~7,000,000/sec
                                    15 Cluster ~105,000,000/sec
                                    LX50       ~10,000,000/sec
  BTCrack
     3.6GHz P4      ~100,000/sec




                                    0.001 secs to crack 4 digit
     0.24 secs to crack 4 digit
                                    10 secs to crack 8 digit
     42 min to crack 8 digit

ClubHACK 2007                                   2007 © The OpenCiphers Project
Demo
WinZip AES Encryption

      Somewhat proprietary standard



      No open source code available (until now!)



      Format


            Uses the standard ZIP format
        


            Adds a new compression type (99)
        


            Uses PBKDF2 (1000 iterations) for key derivation
        


            Individual files can be encrypted inside the ZIP file
        


            Supports 128/192/256-bit key lengths
        


            Uses a 16-bit verification value to verify passwords
        


            Otherwise you verify by using the checksum
        


            Uses a salt (sorry, can't do a dictionary attack!)
        




    ClubHACK 2007                                  2007 © The OpenCiphers Project
WinZip AES Encryption

      Cracking algorithm


            Scan through ZIP file until you find the encrypted file
        


            Get the 16-bit password verification value
        


            Hash a password with PBKDF2 and see if the
        

            verification value matches
                 No – Try next password
             


                 Yes – Decrypt file and see if checksum matches
             

                   No – Try next password

                   Yes – Password found!




    ClubHACK 2007                                        2007 © The OpenCiphers Project
WinZip AES Encryption

      Uses the same PBKDF2 core as the WPA and


      FileVault cracking code
      Requires extra iterations for longer key lengths



      Tool takes a ZIP file, encrypted file name, and


      dictionary file as input




    ClubHACK 2007                         2007 © The OpenCiphers Project
Performance Comparison

  PC                               FPGA

  winzipcrack                      winzipcrack
     800MHz P3          ~100/sec    LX25              ~2,000/sec
     3.6GHz P4          ~180/sec    LX50              ~6,000/sec
     AMD Opteron        ~200/sec    15 Cluster        ~30,000/sec
     2.16GHz IntelDuo   ~200/sec




ClubHACK 2007                                2007 © The OpenCiphers Project
Demo
VileFault

    “FileVault secures your home directory by


    encrypting its entire contents using the
    Advanced Encryption Standard with 128-
    bit keys. This high-performance algorithm
    automatically encrypts and decrypts in
    real time, so you don’t even know it’s
    happening.”




ClubHACK 2007                    2007 © The OpenCiphers Project
VileFault

      We wanted to know what was happening





    ClubHACK 2007                   2007 © The OpenCiphers Project
VileFault

    Stores the home directory in a DMG file



    DMG is mounted when you login



    hdi framework handles everything



    Blocks get encrypted in 4kByte “chunks” AES-


    128, CBC mode
    Keys are encrypted (“wrapped”) in header of


    disk image
    Wrapping of keys done using 3DES-EDE



    Two different header formats (v1, v2)



    Version 2 header: support for asymmetrically


    (RSA) encrypted header

ClubHACK 2007                       2007 © The OpenCiphers Project
VileFault

      Apple's FileVault
  


      Uses PBKDF2 for the password hashing
  


      Modified version of the WPA attack can be used
  

      to attack FileVault
      Just modified the WPA core to 1000 iterations
  

      instead of 4096
      Worked with Jacob Appelbaum & Ralf-Philip
  

      Weinmann to reverse engineer the FileVault
      format and encryption




ClubHACK 2007                         2007 © The OpenCiphers Project
VileFault

    Login password used to derive key for


    unwrapping
         PBKDF2 (PKCS#5 v2.0), 1000 iterations
     




    Crypto parts implemented in CDSA/CSSM


         DiskImages has own AES implementation,
     

         pulls in SHA-1 from OpenSSL dylib

    “Apple custom” key wrapping loosely


    according to RFC 2630 in Apple's CDSA
    provider (open source)
ClubHACK 2007                        2007 © The OpenCiphers Project
VileFault

    vfdecrypt (Ralf Philip-Weinmann & Jacob Appelbaum)


         Will use the same method with a correct password to
     

         decrypt the DMG file and output an unencrypted DMG
         file
         Result can be mounted on any system without a
     

         password
    vfcrack (me!)


         Unwrap the header
     


         Use header to run PBKDF2 with possible passphrases
     


         Use PBKDF2 hash to try and decrypt the AES key, if it
     

         doesn't work, try next passphrase
         With the AES key decrypt the beginning of the DMG file
     

         and verify the first sector is correct (only needed with
         v2)
ClubHACK 2007                                    2007 © The OpenCiphers Project
VileFault

    Other attacks


         Swap
     

                The key can get paged to disk (whoops!)
          


                Encrypted swap isn't enabled by default
          


         Hibernation
     

                You can extract the FileVault key from a hibernation file
          


                Ring-0 code can find the key in memory
          


         Weakest Link
     

                The password used for the FileVault image is the same as
          

                your login password
                Salted SHA-1 is much faster to crack than PBKDF2 (1
          

                iteration vs 1000)
                The RSA key is easier to crack than PBKDF2
          




ClubHACK 2007                                             2007 © The OpenCiphers Project
Performance Comparison

  PC                               FPGA

  vfcrack                          vfcrack
     800MHz P3          ~100/sec    LX25              ~2,000/sec
     3.6GHz P4          ~180/sec    LX50              ~6,000/sec
     AMD Opteron        ~200/sec    15 Cluster        ~30,000/sec
     2.16GHz IntelDuo   ~200/sec




ClubHACK 2007                                2007 © The OpenCiphers Project
Demo
The A5 Cracking Project

      Capturing GSM Traffic


            GNU Radio USRP board ($900 USD)
        


            We developed software to decode GSM
        


            Lets you fire up wireshark on a GSM channel
        


            Can sometimes capture SMS messages
        


            Couldn't capture voice calls :-(
        


            We wanted to change that
        




    ClubHACK 2007                               2007 © The OpenCiphers Project
The A5 Cracking Project

      Luckily you don't need to break crypto





      India


            IDEA - A5/0
        


            AirTel - A5/0
        


            Essar - A5/0
        


            Orange - A5/0
        


            Dolphin - A5/0
        




    ClubHACK 2007                        2007 © The OpenCiphers Project
The A5 Cracking Project

      Focusing on A5/1


            Used widely throughout the US, Europe, and some
        

            Asian countries
            The strongest algorithm for GSM (3G is better)
        


            Looking at only practical attacks
        


            Originally looked at ciphertext only attacks
        


            Found out that there is a lot of known-plaintext
        


            Known-plaintext attacks are a lot easier
        


      Researched a few different attacks


            Real-time attack with known-plaintext + FPGAs
        

                 Anderson & Roe / Keller + our mods
             


            Pre-computation + less FPGAs
        

                 Biryukov, Shamir, & Wagner + our mods
             




    ClubHACK 2007                                        2007 © The OpenCiphers Project
Real-time Attack

      A register is clocked if it's clocking bit agrees with


      the majority




    ClubHACK 2007                           2007 © The OpenCiphers Project
Real-time Attack

      First 64 clock cycles key is xor'ed with registers


      here




    ClubHACK 2007                          2007 © The OpenCiphers Project
Real-time Attack

      Second, 22-bit frame number is xored in here





    ClubHACK 2007                       2007 © The OpenCiphers Project
Real-time Attack

      Third, A5/1 is run for 100 clock cycles





    ClubHACK 2007                         2007 © The OpenCiphers Project
Real-time Attack

      And then the output is xor'ed with the plaintext





    ClubHACK 2007                         2007 © The OpenCiphers Project
Real-time Attack

      Using known-plaintext you can reduce the


      keyspace by brute forcing R1/R2 and calculating
      a matching R3 using the plaintext as parity




    ClubHACK 2007                       2007 © The OpenCiphers Project
Real-time Attack

      Output bits are related to register bits





    ClubHACK 2007                          2007 © The OpenCiphers Project
Real-time Attack

      Must essentially brute force the clock bits





    ClubHACK 2007                         2007 © The OpenCiphers Project
Real-time Attack

      Certain clock bit possibilities can be initially ruled


      out by looking at registers that don't get clocked
      and output doesn't match




    ClubHACK 2007                           2007 © The OpenCiphers Project
Real-time Attack

      After a while certain possibilities can be ruled out


      by clock bits not matching output




    ClubHACK 2007                          2007 © The OpenCiphers Project
Real-time Attack

      And possibilities can be ruled out once the tap


      bits are computed and propagate up the registers




    ClubHACK 2007                       2007 © The OpenCiphers Project
Real-time Attack

      With enough known-plaintext you will be able to


      resolve all possible R1/R2 down to a valid R3




    ClubHACK 2007                       2007 © The OpenCiphers Project
Results

      FPGA code requires around 6000 clock cycles for


      each R1/R2 state
      100 cores at 100MHz will do 1.6M per sec



      One FPGA will crack key in 15 days



      100 FPGAs will crack in 3.6 hours



      PCs will take a really long time (~2,000 times


      slower)
      (code is free and available if you want to offload it


      to your botnet ;-)




    ClubHACK 2007                          2007 © The OpenCiphers Project
Real-time Attack

      Once the internal state of A5/1 is derived you can


      reverse clock A5/1 back to the state after the key
      is mixed in




    ClubHACK 2007                        2007 © The OpenCiphers Project
Real-time Attack

      To reverse A5/1 you calculate the only states for


      the clocking bits that are possible




    ClubHACK 2007                        2007 © The OpenCiphers Project
Real-time Attack

      Eventually there are only a few possibilities left





    ClubHACK 2007                          2007 © The OpenCiphers Project
Real-time attack

      This can be done quickly in software


            Because there are multiple possible states you need
        

            multiple packets to locate the correct state
            2 packets is enough, we happen to have 4
        


            Calculate the possible initial states for 2 packets
        


            Find the possible state that's common between the two
        




    ClubHACK 2007                               2007 © The OpenCiphers Project
Decrypting Packets

      If you have the A5/1 state after the key is mixed in



      It is the same as having the key



      You can mix in any frame number and generate


      the proper A5/1 output to xor to any ciphertext or
      plaintext




    ClubHACK 2007                         2007 © The OpenCiphers Project
Pre-computation Attack

      Reversing 64-bits of A5/1 output to 64-bits of A5/1


      internal state
            Essentially the same concept as a one-way function
        


            Rainbowtables are good at reversing one-way
        

            functions
            Decided to focus on building a table of 2^58
        


            1/64 chance of finding the key with a given packet
        


            We have 200 different 64-bit A5/1 outputs
        


            Good chance that we'll find the key
        




    ClubHACK 2007                               2007 © The OpenCiphers Project
Pre-computation Attack

      Time-space tradeoff basics


            You have a one-way function
        




                        in                out




    ClubHACK 2007                               2007 © The OpenCiphers Project
Pre-computation Attack

      Time-space tradeoff basics


            You have a one-way function
        


            You need to find the in that created an out
        




                         in                     out




    ClubHACK 2007                                     2007 © The OpenCiphers Project
Pre-computation Attack

      Naïve implementation


            Pre-computation
        

                 Compute and store all possible in/out's
             


            Real-time
        

                 Search through table until you find your out, it's in is the key
             




                              in                           out




                                   0   8
                                   1   2
                                   2   5
                                   3   1



    ClubHACK 2007                                                2007 © The OpenCiphers Project
Pre-computation Attack

         Basic time-space tradeoff implementation


             Pre-computation
         

                  Compute an in -> out, and then take the out and compute
              

                  another out, etc. (using a “reduction function”)
                  Just store the start and end values of the chain
              




    in                              R(out)                 R(out)              ...




                                0        8
                                1        2
                                2        5
                                3        1
    ClubHACK 2007                                         2007 © The OpenCiphers Project
Pre-computation Attack

        Basic time-space tradeoff implementation
  

              Real-time
          

                   To reverse a hash, you compute a chain for your out value and
               

                   compare all out values with all of the end points in your table
                   When you find a matching one, compute a chain from it's start
               

                   value
                   Your in will be right before your out in its chain
               




My out                               R(out)                   R(out)              ...

                                       ?
                       ?                           ?           ?

                                 0         8
                                 1         2
                                                                                        out
                                 2         5
                                 3         1
      ClubHACK 2007                                          2007 © The OpenCiphers Project
Pre-computation Attack

      Problems with time-space tradeoff


            Algorithms have collisions (especially when you're
        

            mapping output to input which have differing entropy)
            Collisions cause chains to merge or loop
        


            Different algorithms are used to mitigate this
        




    ClubHACK 2007                                2007 © The OpenCiphers Project
Pre-computation Attack

      Different time-space tradeoff algorithms


            Basic
        

                 Use a different reduction function for different tables
             


                 Increase the amount of tables you have depending on how
             

                 collision prone your algorithm is
            Distinguished Points
        

                 Instead of having all of your chains be the same length you
             

                 stop when you see a certain pattern of bits
                 You can detect collisions and reject chains by looking for other
             

                 chains that end in the same distinguished point
            Rainbow
        

                 Use a different reduction function for each stage of the chain
             


                 Requires more real-time computation
             




    ClubHACK 2007                                           2007 © The OpenCiphers Project
Pre-computation Attack

      Distinguished Points


            We first assumed that it wasn't very collision prone
        


            Turned out we were wrong
        


            Very efficient on FPGAs because it requires really low
        

            bandwidth and table lookups
            Can be used to speed up the real-time lookup phase
        


            Requires lots of tweaking to find the right parameters to
        

            provide the least number of collisions and loops




    ClubHACK 2007                                  2007 © The OpenCiphers Project
Pre-computation Attack

      Rainbow tables


            Provides the best collision resistance
        


            Requires a lot of real-time computation
        

             n(n+1)/2 * chain_length
            The real-time computation can be done on an FPGA
        

            (not as well as DP attack)
            Best attack parameters we could come up with
        

                 Requires 5TB of disk storage
             


                 Can reverse a key in 5 min with 1 FPGA
             


                 Multiple FPGAs can be used to parallelize cracking multiple
             

                 keys
            You can adjust table to use less storage and require
        

            more time


    ClubHACK 2007                                         2007 © The OpenCiphers Project
Pre-computation Attack

      Final Analysis


            Talked to Elad Barkan
        


            Distinguished Points was the best solution
        


            Had to reduce chain length to provide the best
        

            collision/loop resistance (average length of 2^19)
            Used a different reduction function for each table
        


            Provides around 40% coverage (rainbow table
        

            provided only ~20%)
            Still deciding on the best parameters for the tables
        




    ClubHACK 2007                                  2007 © The OpenCiphers Project
Pre-computation Attack

      Limiting factor right now is pre-computation


            Computing 2^58 requires ~ 100 FPGAs running for 2
        

            months (6,000 times slower on PCs)
            We have a cluster of 70 FPGAs ready to start
        

            computing
            Once the parameters are finalized we'll be able to
        

            compute a full table in ~3 months
            Will be the largest rainbowtable ever built
        

                 Typical Lanman rainbowtables cover 2^36 at most
             


                 This will be 4 million times larger
             


            Resulting table will be 2TB
        




    ClubHACK 2007                                       2007 © The OpenCiphers Project
Real-time Attack

      Result


            Because of hard drive access time it will need to be
        

            spread across multiple hard drives
            6 hard drives and 1 FPGA will crack a conversation in
        

            ~30 min
            Double the hard drives and FPGAs to halve the time
        


            32 FPGAs and a network of 200 PCs will crack a
        

            conversation in < 1 minute




    ClubHACK 2007                                2007 © The OpenCiphers Project
FPGA Implementation

      Implementation


            Implemented A5/1 as a 64-stage pipeline
        


            Much more efficient than state-machines
        


            Get 1 A5/1 per clock cycle
        


            Output is looped back into the input (after reduction
        

            function is applied) until the last 19 bits are 0
            Results are written to BlockRAM which is polled by the
        

            PC
            Each core runs at 200MHz and 5 cores fit on an LX50
        


            Total A5/1's/sec is 200,000,000 * 5 = 1,000,000,000
        


            Single CPU does around 150,000/sec
        




    ClubHACK 2007                                2007 © The OpenCiphers Project
Demo
The A5 Cracking Project

      Currently building 2TB table



      Will eventually build the 28TB table



      If you want to help, check out wiki.thc.org/gsm





    ClubHACK 2007                        2007 © The OpenCiphers Project
Hardware

      Pico E-16


            ExpressCard 34
        

                 2.5Gbps full-duplex
             


            Virtex-5 LX50
        


            32MB SRAM
        


            External ExpressCard Chip
        




    ClubHACK 2007                       2007 © The OpenCiphers Project
Hardware

      E-16 SuperCluster


            Up to 77 E-16's
        


            2 Quad-core Xeon's
        


            8GB of RAM
        


            6TB HDD Space
        




             Equivalent computing
             power of ~400,000 CPUs
             for cracking A5/1




    ClubHACK 2007                     2007 © The OpenCiphers Project
Conclusion

      Get an FPGA and start cracking!
  


      Make use if your hardware to break crypto
  


      <64-bit just doesn't cut it anymore
  


      Choose bad passwords (please!)
  




ClubHACK 2007                         2007 © The OpenCiphers Project
Thanks

      Aaron Peterson (wicrawl)
  


      The Church of WiFi (CoWPAtty)
  


      Jacob Appelbaum & Ralf-Philip Weinmann
  

      (FileVault)
      Thierry Zoller & Eric Sesterhenn (BTCrack)
  


      Steve, Josh, & The Hacker's Choice Cr3w
  


      (A5 Cracking Project)
      The Shmoo Group (bittorrent seeding)
  


      Viewers like you
  




ClubHACK 2007                          2007 © The OpenCiphers Project
Questions?

      David Hulton
  


          david@toorcon.org
      


          http://openciphers.sf.net
      


          http://www.picocomputing.com
      


          http://www.toorcon.org
      




ClubHACK 2007                            2007 © The OpenCiphers Project

Más contenido relacionado

La actualidad más candente

Altera Cyclone IV FPGA Customer Presentation
Altera Cyclone IV FPGA Customer PresentationAltera Cyclone IV FPGA Customer Presentation
Altera Cyclone IV FPGA Customer PresentationAltera Corporation
 
Kernel Recipes 2017 - The Serial Device Bus - Johan Hovold
Kernel Recipes 2017 - The Serial Device Bus - Johan HovoldKernel Recipes 2017 - The Serial Device Bus - Johan Hovold
Kernel Recipes 2017 - The Serial Device Bus - Johan HovoldAnne Nicolas
 
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)Shinya Takamaeda-Y
 
Kernel Recipes 2017 - What's inside the input stack? - Benjamain Tissoires
Kernel Recipes 2017 - What's inside the input stack? - Benjamain TissoiresKernel Recipes 2017 - What's inside the input stack? - Benjamain Tissoires
Kernel Recipes 2017 - What's inside the input stack? - Benjamain TissoiresAnne Nicolas
 
Unleashing End-to_end TLS Security Leveraging NGINX with Intel(r) QuickAssist...
Unleashing End-to_end TLS Security Leveraging NGINX with Intel(r) QuickAssist...Unleashing End-to_end TLS Security Leveraging NGINX with Intel(r) QuickAssist...
Unleashing End-to_end TLS Security Leveraging NGINX with Intel(r) QuickAssist...Michelle Holley
 
Embedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerEmbedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerAnne Nicolas
 
DPDK Summit 2015 - Intro - Tim O'Driscoll
DPDK Summit 2015 - Intro - Tim O'DriscollDPDK Summit 2015 - Intro - Tim O'Driscoll
DPDK Summit 2015 - Intro - Tim O'DriscollJim St. Leger
 
Video Gateway Installation and configuration
Video Gateway Installation and configurationVideo Gateway Installation and configuration
Video Gateway Installation and configurationsreeharsha43
 
A Path to NFV/SDN - Intel. Michael Brennan, INTEL
A Path to NFV/SDN - Intel. Michael Brennan, INTELA Path to NFV/SDN - Intel. Michael Brennan, INTEL
A Path to NFV/SDN - Intel. Michael Brennan, INTELWalton Institute
 
Adventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable FunAdventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable Funarbitrarycode
 
Chapter 21 : DHCP
Chapter 21 : DHCPChapter 21 : DHCP
Chapter 21 : DHCPteknetir
 
LAS16-300K2: Geoff Thorpe - IoT Zephyr
LAS16-300K2: Geoff Thorpe - IoT ZephyrLAS16-300K2: Geoff Thorpe - IoT Zephyr
LAS16-300K2: Geoff Thorpe - IoT ZephyrShovan Sargunam
 
Asterisk security with kingasterisk
Asterisk security with kingasteriskAsterisk security with kingasterisk
Asterisk security with kingasteriskKing Asterisk
 
Silicon scanners cambridge report
Silicon scanners cambridge reportSilicon scanners cambridge report
Silicon scanners cambridge reportLiberteks
 
BKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
BKK16-211 Internet of Tiny Linux (io tl)- Status and ProgressBKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
BKK16-211 Internet of Tiny Linux (io tl)- Status and ProgressLinaro
 
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaEmbedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaAnne Nicolas
 
ICE: The ultimate way of beating NAT in SIP
ICE: The ultimate way of beating NAT in SIPICE: The ultimate way of beating NAT in SIP
ICE: The ultimate way of beating NAT in SIPSaúl Ibarra Corretgé
 

La actualidad más candente (19)

Altera Cyclone IV FPGA Customer Presentation
Altera Cyclone IV FPGA Customer PresentationAltera Cyclone IV FPGA Customer Presentation
Altera Cyclone IV FPGA Customer Presentation
 
Kernel Recipes 2017 - The Serial Device Bus - Johan Hovold
Kernel Recipes 2017 - The Serial Device Bus - Johan HovoldKernel Recipes 2017 - The Serial Device Bus - Johan Hovold
Kernel Recipes 2017 - The Serial Device Bus - Johan Hovold
 
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)
 
Kernel Recipes 2017 - What's inside the input stack? - Benjamain Tissoires
Kernel Recipes 2017 - What's inside the input stack? - Benjamain TissoiresKernel Recipes 2017 - What's inside the input stack? - Benjamain Tissoires
Kernel Recipes 2017 - What's inside the input stack? - Benjamain Tissoires
 
Unleashing End-to_end TLS Security Leveraging NGINX with Intel(r) QuickAssist...
Unleashing End-to_end TLS Security Leveraging NGINX with Intel(r) QuickAssist...Unleashing End-to_end TLS Security Leveraging NGINX with Intel(r) QuickAssist...
Unleashing End-to_end TLS Security Leveraging NGINX with Intel(r) QuickAssist...
 
Embedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerEmbedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmaker
 
DPDK Summit 2015 - Intro - Tim O'Driscoll
DPDK Summit 2015 - Intro - Tim O'DriscollDPDK Summit 2015 - Intro - Tim O'Driscoll
DPDK Summit 2015 - Intro - Tim O'Driscoll
 
Video Gateway Installation and configuration
Video Gateway Installation and configurationVideo Gateway Installation and configuration
Video Gateway Installation and configuration
 
Intel galileo
Intel galileoIntel galileo
Intel galileo
 
A Path to NFV/SDN - Intel. Michael Brennan, INTEL
A Path to NFV/SDN - Intel. Michael Brennan, INTELA Path to NFV/SDN - Intel. Michael Brennan, INTEL
A Path to NFV/SDN - Intel. Michael Brennan, INTEL
 
Adventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable FunAdventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable Fun
 
Chapter 21 : DHCP
Chapter 21 : DHCPChapter 21 : DHCP
Chapter 21 : DHCP
 
LAS16-300K2: Geoff Thorpe - IoT Zephyr
LAS16-300K2: Geoff Thorpe - IoT ZephyrLAS16-300K2: Geoff Thorpe - IoT Zephyr
LAS16-300K2: Geoff Thorpe - IoT Zephyr
 
Asterisk security with kingasterisk
Asterisk security with kingasteriskAsterisk security with kingasterisk
Asterisk security with kingasterisk
 
Silicon scanners cambridge report
Silicon scanners cambridge reportSilicon scanners cambridge report
Silicon scanners cambridge report
 
BKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
BKK16-211 Internet of Tiny Linux (io tl)- Status and ProgressBKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
BKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
 
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaEmbedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
 
ICE: The ultimate way of beating NAT in SIP
ICE: The ultimate way of beating NAT in SIPICE: The ultimate way of beating NAT in SIP
ICE: The ultimate way of beating NAT in SIP
 
Day 13.1 startingaswitch
Day 13.1 startingaswitchDay 13.1 startingaswitch
Day 13.1 startingaswitch
 

Destacado

OctoberEmbargoConference51
OctoberEmbargoConference51OctoberEmbargoConference51
OctoberEmbargoConference51guest66dc5f
 
Global Warming
Global WarmingGlobal Warming
Global Warmingeterzian
 
GPOExpress_Training
GPOExpress_TrainingGPOExpress_Training
GPOExpress_Trainingguest66dc5f
 
SB_Sat_Leagues_Registration
SB_Sat_Leagues_RegistrationSB_Sat_Leagues_Registration
SB_Sat_Leagues_Registrationguest66dc5f
 
ACAD Golf Leaflet
ACAD Golf LeafletACAD Golf Leaflet
ACAD Golf Leafletguest66dc5f
 
Freaky car number plates
Freaky car number platesFreaky car number plates
Freaky car number platesguest66dc5f
 

Destacado (8)

authors
authorsauthors
authors
 
OctoberEmbargoConference51
OctoberEmbargoConference51OctoberEmbargoConference51
OctoberEmbargoConference51
 
NR-golf-sept07
NR-golf-sept07NR-golf-sept07
NR-golf-sept07
 
Global Warming
Global WarmingGlobal Warming
Global Warming
 
GPOExpress_Training
GPOExpress_TrainingGPOExpress_Training
GPOExpress_Training
 
SB_Sat_Leagues_Registration
SB_Sat_Leagues_RegistrationSB_Sat_Leagues_Registration
SB_Sat_Leagues_Registration
 
ACAD Golf Leaflet
ACAD Golf LeafletACAD Golf Leaflet
ACAD Golf Leaflet
 
Freaky car number plates
Freaky car number platesFreaky car number plates
Freaky car number plates
 

Similar a David-FPGA

David - Fpga - ClubHack2007
David - Fpga  - ClubHack2007David - Fpga  - ClubHack2007
David - Fpga - ClubHack2007ClubHack
 
Let’s Write Our Own Chip-8 Interpreter! [JavaOne 2017 CON3584]
Let’s Write Our Own Chip-8 Interpreter! [JavaOne 2017 CON3584] Let’s Write Our Own Chip-8 Interpreter! [JavaOne 2017 CON3584]
Let’s Write Our Own Chip-8 Interpreter! [JavaOne 2017 CON3584] David Buck
 
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersAlexandre Moneger
 
AlgorithmStatus2005FEB
AlgorithmStatus2005FEBAlgorithmStatus2005FEB
AlgorithmStatus2005FEBBo Lin
 
Edje Project: The Software Foundation for IoT Devices
Edje Project: The Software Foundation for IoT DevicesEdje Project: The Software Foundation for IoT Devices
Edje Project: The Software Foundation for IoT DevicesMicroEJ
 
Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120
Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120
Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120Linaro
 
Resume_DigitalIC_1
Resume_DigitalIC_1Resume_DigitalIC_1
Resume_DigitalIC_1Eunice Chen
 
Raspberry Pi 3 Tutorial | Raspberry Pi 3 Projects | IoT Projects | IoT Tutori...
Raspberry Pi 3 Tutorial | Raspberry Pi 3 Projects | IoT Projects | IoT Tutori...Raspberry Pi 3 Tutorial | Raspberry Pi 3 Projects | IoT Projects | IoT Tutori...
Raspberry Pi 3 Tutorial | Raspberry Pi 3 Projects | IoT Projects | IoT Tutori...Edureka!
 
Eclipse Plugin for ESP-IDF - EclipseCon Europe 2019
Eclipse Plugin for ESP-IDF -  EclipseCon Europe 2019Eclipse Plugin for ESP-IDF -  EclipseCon Europe 2019
Eclipse Plugin for ESP-IDF - EclipseCon Europe 2019Kondal Kolipaka
 
Build an Open Hardware GNU/Linux PowerPC Notebook
Build an Open Hardware GNU/Linux PowerPC NotebookBuild an Open Hardware GNU/Linux PowerPC Notebook
Build an Open Hardware GNU/Linux PowerPC NotebookRoberto Innocenti
 
Ccna prep ip subnetting from networkers
Ccna prep  ip subnetting from networkersCcna prep  ip subnetting from networkers
Ccna prep ip subnetting from networkersJerome Luison
 
Introducing the Arduino
Introducing the ArduinoIntroducing the Arduino
Introducing the ArduinoCharles A B Jr
 
S5429_LanceBrown
S5429_LanceBrownS5429_LanceBrown
S5429_LanceBrownLance Brown
 
Criteo Labs Infrastructure Tech Talk Meetup Nov. 7
Criteo Labs Infrastructure Tech Talk Meetup Nov. 7Criteo Labs Infrastructure Tech Talk Meetup Nov. 7
Criteo Labs Infrastructure Tech Talk Meetup Nov. 7Shuo LI
 
Crypto Performance on ARM Cortex-M Processors
Crypto Performance on ARM Cortex-M ProcessorsCrypto Performance on ARM Cortex-M Processors
Crypto Performance on ARM Cortex-M ProcessorsHannes Tschofenig
 
From Zero To Production (NixOS, Erlang) @ Erlang Factory SF 2016
From Zero To Production (NixOS, Erlang) @ Erlang Factory SF 2016From Zero To Production (NixOS, Erlang) @ Erlang Factory SF 2016
From Zero To Production (NixOS, Erlang) @ Erlang Factory SF 2016Susan Potter
 
pcDuino Presentation at SparkFun
pcDuino Presentation at SparkFunpcDuino Presentation at SparkFun
pcDuino Presentation at SparkFunJingfeng Liu
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON
 

Similar a David-FPGA (20)

David - Fpga - ClubHack2007
David - Fpga  - ClubHack2007David - Fpga  - ClubHack2007
David - Fpga - ClubHack2007
 
Next Stop, Android
Next Stop, AndroidNext Stop, Android
Next Stop, Android
 
Let’s Write Our Own Chip-8 Interpreter! [JavaOne 2017 CON3584]
Let’s Write Our Own Chip-8 Interpreter! [JavaOne 2017 CON3584] Let’s Write Our Own Chip-8 Interpreter! [JavaOne 2017 CON3584]
Let’s Write Our Own Chip-8 Interpreter! [JavaOne 2017 CON3584]
 
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
 
AlgorithmStatus2005FEB
AlgorithmStatus2005FEBAlgorithmStatus2005FEB
AlgorithmStatus2005FEB
 
Edje Project: The Software Foundation for IoT Devices
Edje Project: The Software Foundation for IoT DevicesEdje Project: The Software Foundation for IoT Devices
Edje Project: The Software Foundation for IoT Devices
 
Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120
Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120
Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120
 
Resume_DigitalIC_1
Resume_DigitalIC_1Resume_DigitalIC_1
Resume_DigitalIC_1
 
Raspberry Pi 3 Tutorial | Raspberry Pi 3 Projects | IoT Projects | IoT Tutori...
Raspberry Pi 3 Tutorial | Raspberry Pi 3 Projects | IoT Projects | IoT Tutori...Raspberry Pi 3 Tutorial | Raspberry Pi 3 Projects | IoT Projects | IoT Tutori...
Raspberry Pi 3 Tutorial | Raspberry Pi 3 Projects | IoT Projects | IoT Tutori...
 
Eclipse Plugin for ESP-IDF - EclipseCon Europe 2019
Eclipse Plugin for ESP-IDF -  EclipseCon Europe 2019Eclipse Plugin for ESP-IDF -  EclipseCon Europe 2019
Eclipse Plugin for ESP-IDF - EclipseCon Europe 2019
 
Build an Open Hardware GNU/Linux PowerPC Notebook
Build an Open Hardware GNU/Linux PowerPC NotebookBuild an Open Hardware GNU/Linux PowerPC Notebook
Build an Open Hardware GNU/Linux PowerPC Notebook
 
Ccna prep ip subnetting from networkers
Ccna prep  ip subnetting from networkersCcna prep  ip subnetting from networkers
Ccna prep ip subnetting from networkers
 
Introducing the Arduino
Introducing the ArduinoIntroducing the Arduino
Introducing the Arduino
 
PNETLab.pdf
PNETLab.pdfPNETLab.pdf
PNETLab.pdf
 
S5429_LanceBrown
S5429_LanceBrownS5429_LanceBrown
S5429_LanceBrown
 
Criteo Labs Infrastructure Tech Talk Meetup Nov. 7
Criteo Labs Infrastructure Tech Talk Meetup Nov. 7Criteo Labs Infrastructure Tech Talk Meetup Nov. 7
Criteo Labs Infrastructure Tech Talk Meetup Nov. 7
 
Crypto Performance on ARM Cortex-M Processors
Crypto Performance on ARM Cortex-M ProcessorsCrypto Performance on ARM Cortex-M Processors
Crypto Performance on ARM Cortex-M Processors
 
From Zero To Production (NixOS, Erlang) @ Erlang Factory SF 2016
From Zero To Production (NixOS, Erlang) @ Erlang Factory SF 2016From Zero To Production (NixOS, Erlang) @ Erlang Factory SF 2016
From Zero To Production (NixOS, Erlang) @ Erlang Factory SF 2016
 
pcDuino Presentation at SparkFun
pcDuino Presentation at SparkFunpcDuino Presentation at SparkFun
pcDuino Presentation at SparkFun
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
 

Más de guest66dc5f

Os Timed Original
Os Timed OriginalOs Timed Original
Os Timed Originalguest66dc5f
 
Control your entire house with your iPhone
Control your entire house with your iPhoneControl your entire house with your iPhone
Control your entire house with your iPhoneguest66dc5f
 
Awesome car collection
Awesome car collectionAwesome car collection
Awesome car collectionguest66dc5f
 
Sunil-Hacking_firefox
Sunil-Hacking_firefoxSunil-Hacking_firefox
Sunil-Hacking_firefoxguest66dc5f
 
Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Codeguest66dc5f
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windowsguest66dc5f
 
WHITEPAPER-7_years_of_Indian_Cyber_Law
WHITEPAPER-7_years_of_Indian_Cyber_LawWHITEPAPER-7_years_of_Indian_Cyber_Law
WHITEPAPER-7_years_of_Indian_Cyber_Lawguest66dc5f
 
Rohas-7_years_of_indian_cyber_laws
Rohas-7_years_of_indian_cyber_lawsRohas-7_years_of_indian_cyber_laws
Rohas-7_years_of_indian_cyber_lawsguest66dc5f
 
Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2guest66dc5f
 
Dror-Crazy_toaster
Dror-Crazy_toasterDror-Crazy_toaster
Dror-Crazy_toasterguest66dc5f
 
Ajit-Legiment_Techniques
Ajit-Legiment_TechniquesAjit-Legiment_Techniques
Ajit-Legiment_Techniquesguest66dc5f
 
Varun-Subtle_Security_flaws
Varun-Subtle_Security_flawsVarun-Subtle_Security_flaws
Varun-Subtle_Security_flawsguest66dc5f
 
longisland_golf_07
longisland_golf_07longisland_golf_07
longisland_golf_07guest66dc5f
 
GolfLakeCity_002
GolfLakeCity_002GolfLakeCity_002
GolfLakeCity_002guest66dc5f
 
Greg Wells - Golf Warm Up
Greg Wells - Golf Warm UpGreg Wells - Golf Warm Up
Greg Wells - Golf Warm Upguest66dc5f
 
2006_Oregon_Golf_Travel_Market_Pres
2006_Oregon_Golf_Travel_Market_Pres2006_Oregon_Golf_Travel_Market_Pres
2006_Oregon_Golf_Travel_Market_Presguest66dc5f
 

Más de guest66dc5f (20)

Os Timed Original
Os Timed OriginalOs Timed Original
Os Timed Original
 
Control your entire house with your iPhone
Control your entire house with your iPhoneControl your entire house with your iPhone
Control your entire house with your iPhone
 
Awesome car collection
Awesome car collectionAwesome car collection
Awesome car collection
 
David-FPGA
David-FPGADavid-FPGA
David-FPGA
 
Sunil-Hacking_firefox
Sunil-Hacking_firefoxSunil-Hacking_firefox
Sunil-Hacking_firefox
 
Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Code
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
 
WHITEPAPER-7_years_of_Indian_Cyber_Law
WHITEPAPER-7_years_of_Indian_Cyber_LawWHITEPAPER-7_years_of_Indian_Cyber_Law
WHITEPAPER-7_years_of_Indian_Cyber_Law
 
Rohas-7_years_of_indian_cyber_laws
Rohas-7_years_of_indian_cyber_lawsRohas-7_years_of_indian_cyber_laws
Rohas-7_years_of_indian_cyber_laws
 
Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2
 
Dror-Crazy_toaster
Dror-Crazy_toasterDror-Crazy_toaster
Dror-Crazy_toaster
 
Ajit-Legiment_Techniques
Ajit-Legiment_TechniquesAjit-Legiment_Techniques
Ajit-Legiment_Techniques
 
Varun-Subtle_Security_flaws
Varun-Subtle_Security_flawsVarun-Subtle_Security_flaws
Varun-Subtle_Security_flaws
 
CostofWarinIraq
CostofWarinIraqCostofWarinIraq
CostofWarinIraq
 
NR-golf-sept07
NR-golf-sept07NR-golf-sept07
NR-golf-sept07
 
golf
golfgolf
golf
 
longisland_golf_07
longisland_golf_07longisland_golf_07
longisland_golf_07
 
GolfLakeCity_002
GolfLakeCity_002GolfLakeCity_002
GolfLakeCity_002
 
Greg Wells - Golf Warm Up
Greg Wells - Golf Warm UpGreg Wells - Golf Warm Up
Greg Wells - Golf Warm Up
 
2006_Oregon_Golf_Travel_Market_Pres
2006_Oregon_Golf_Travel_Market_Pres2006_Oregon_Golf_Travel_Market_Pres
2006_Oregon_Golf_Travel_Market_Pres
 

Último

COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 

Último (20)

COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 

David-FPGA

  • 1. Faster P wninG A ssured: New Adventures with FPGAs ClubHACK 2007 David Hulton <david@ toorcon.org> Chairman, ToorCon Director Security Applications, Pico Computing, Inc. Researcher, The OpenCiphers Project Midnight Research Labs The Church of W iFi The Hacker's Choice
  • 2. Overview FPGAs – Quick Intro  New to 2007! (Since Last Defcon)  CoWPAtty – WPA Cracking  VileFault – Mac OS-X FileVault  New Cracking Tools! (Since ShmooCon)  BTCrack – Bluetooth Authentication  WinZipCrack – WinZip AES Encryption  The A5 Cracking Project – GSM Encryption  Conclusions  ClubHACK 2007 2007 © The OpenCiphers Project
  • 3. FPGAs ClubHACK 2007 2007 © The OpenCiphers Project
  • 4. FPGAs ClubHACK 2007 2007 © The OpenCiphers Project
  • 5. FPGAs Quick Intro  Chip with a ton of general purpose logic  ANDs, ORs, XORs  FlipFlops (Registers)  BlockRAM (Cache)  DSP48’s (ALUs)  DCMs (Clock Multipliers)  ClubHACK 2007 2007 © The OpenCiphers Project
  • 6. FPGAs Virtex-4 LX25  ClubHACK 2007 2007 © The OpenCiphers Project
  • 7. FPGAs Virtex-4 LX25  IOBs (448)  ClubHACK 2007 2007 © The OpenCiphers Project
  • 8. FPGAs Virtex-4 LX25  IOBs  Slices (10,752)  ClubHACK 2007 2007 © The OpenCiphers Project
  • 9. FPGAs Virtex-4 LX25  IOBs  Slices  DCMs (8)  ClubHACK 2007 2007 © The OpenCiphers Project
  • 10. FPGAs Virtex-4 LX25  IOBs  Slices  DCMs  BlockRAMs (72)  ClubHACK 2007 2007 © The OpenCiphers Project
  • 11. FPGAs Virtex-4 LX25  IOBs  Slices  DCMs  BlockRAMs  DSP48s (48)  ClubHACK 2007 2007 © The OpenCiphers Project
  • 12. FPGAs Virtex-4 LX25  IOBs  Slices  DCMs  BlockRAMs  DSP48s  Programmable Routing Matrix  (~18 layers) ClubHACK 2007 2007 © The OpenCiphers Project
  • 13. Introduction to WPA WiFi Protected Access  ClubHACK 2007 2007 © The OpenCiphers Project
  • 14. Introduction to WPA PSK  MK is your passphrase  It’s run through PBKDF2  to generate the PMK ClubHACK 2007 2007 © The OpenCiphers Project
  • 15. Introduction to WPA PSK  MK is your passphrase  It’s run through PBKDF2  to generate the PMK ClubHACK 2007 2007 © The OpenCiphers Project
  • 16. Introduction to WPA PSK  MK is your passphrase  It’s run through PBKDF2  to generate the PMK ClubHACK 2007 2007 © The OpenCiphers Project
  • 17. Introduction to WPA For every possible PMK compute PTK and see if it  matches the handshake captured on the network ClubHACK 2007 2007 © The OpenCiphers Project
  • 18. FPGA coWPAtty Uses 8 SHA-1 Cores   Uses BlockRAM to buffer the words fed to the cores  As long as the machine is able to supply words fast enough, the SHA-1 cores will be utilized fully ClubHACK 2007 2007 © The OpenCiphers Project
  • 19. Performance Comparison FPG A PC Cowpatty Cowpatty LX25 ~430/sec 800MHz P3 ~25/sec 1 5 Cluster ~6,500/sec 3.6GHz P4 ~60/sec LX50 ~650/sec AMD Opteron ~70/sec 2.16GHz IntelDuo ~70/sec Aircrack 3.6GHz P4 ~100/sec ClubHACK 2007 2007 © The OpenCiphers Project
  • 20. Results Decided to compute hash tables for a 1,000,000  passphrase wordlist for the top 1,000 SSIDs “That million word list that I fed you incorporated a 430,000 word list from Mark Burnett and Kevin Mitnick (of all people) and was made up of actual harvested passwords acquired through some google hacking. They are passwords that people have actually used. I padded it out to 1 million by adding things like websters dictionary, and other such lists, and then stripped the short word (<8 chars.) out of it.” ClubHACK 2007 2007 © The OpenCiphers Project
  • 21. Results Finally have the 40GB WPA tables on the tubes   Thanks Shmoo! (3ricJ & Holt!)  Check the Torrent trackers for seeds  CoWPAtty FPGA support has recently been added to wicrawl ClubHACK 2007 2007 © The OpenCiphers Project
  • 22. Demo
  • 23. Bluetooth PIN Cracking Pairing bluetooth devices is similar to wifi  authentication Why not crack the bluetooth PIN?  Uses a modified version of SAFER+  SAFER+ inherently runs much faster in  hardware Attack originally explained and published by  Yaniv Shaked and Avishai Wool Thierry Zoller originally demonstrated his  implementation at hack.lu ClubHACK 2007 2007 © The OpenCiphers Project
  • 24. Bluetooth PIN Cracking How it works  Capture a bluetooth authentication  (sorry, requires an expensive protocol analyzer) This is what you'll see  Master Slave in_rand master sends a random nonce m_comb_key s_comb_key sides create key based on the pin m_au_rand master sends random number s_res slave hashes with E1 and replies s_au_rand slave sends random number m_sres master hashes with E1 and replies ClubHACK 2007 2007 © The OpenCiphers Project
  • 25. Bluetooth PIN Cracking Just try a PIN and if the hashes match the  capture, it is correct Extremely small keyspace since most devices just  use numeric PINs (1016) My implementation is command line and should  work on all systems with or without FPGA(s) ClubHACK 2007 2007 © The OpenCiphers Project
  • 26. Bluetooth PIN Cracking FPGA Implementation  Requires implementations of E21, E22, and E1 which  all rely on SAFER+ Uses 16-stage pipeline version of SAFER+ which feeds  back into itsself after each stage To explain, here's some psuedocode  ClubHACK 2007 2007 © The OpenCiphers Project
  • 27. Bluetooth PIN Cracking for(pin = 0; ; pin++) { Kinit = E22(pin, s_bd_addr, in_rand); // determine initialization key m_comb_key ^= Kinit; // decrypt comb_keys s_comb_key ^= Kinit; m_lk = E21(m_comb_key, m_bd_addr); // determine link key s_lk = E21(s_comb_key, s_bd_addr); lk = m_lk ^ s_lk; m_sres_t = E1(lk, s_au_rand, m_bd_addr); // verify authentication s_sres_t = E1(lk, m_au_rand, s_bd_addr); if(m_sres_t == m_sres && s_sres_t == s_sres) found! } ClubHACK 2007 2007 © The OpenCiphers Project
  • 28. Bluetooth PIN Cracking for(pin = 0; ; pin++) { Kinit = E22(pin, s_bd_addr, in_rand); // determine initialization key m_comb_key ^= Kinit; // decrypt comb_keys s_comb_key ^= Kinit; m_lk = E21(m_comb_key, m_bd_addr); // determine link key s_lk = E21(s_comb_key, s_bd_addr); lk = m_lk ^ s_lk; m_sres_t = E1(lk, s_au_rand, m_bd_addr); // verify authentication s_sres_t = E1(lk, m_au_rand, s_bd_addr); if(m_sres_t == m_sres && s_sres_t == s_sres) found! } ClubHACK 2007 2007 © The OpenCiphers Project
  • 29. Bluetooth PIN Cracking E22 16 PINs PIN Gen SAFER+ ClubHACK 2007 2007 © The OpenCiphers Project
  • 30. Bluetooth PIN Cracking E21 16 clock cycles later PIN Gen SAFER+ Output loops back and SAFER+ now does E21 for the Master ClubHACK 2007 2007 © The OpenCiphers Project
  • 31. Bluetooth PIN Cracking E21 16 clock cycles later PIN Gen SAFER+ Then does the second E21 for the Slave and combines the keys to create the link key ClubHACK 2007 2007 © The OpenCiphers Project
  • 32. Bluetooth PIN Cracking E1 16 clock cycles later PIN Gen SAFER+ Then the first part of E1 for the Slave ClubHACK 2007 2007 © The OpenCiphers Project
  • 33. Bluetooth PIN Cracking E1 16 clock cycles later PIN Gen SAFER+ Then the second part of E1 for the Slave ClubHACK 2007 2007 © The OpenCiphers Project
  • 34. Bluetooth PIN Cracking E1 16 clock cycles later PIN Gen SAFER+ Then the first part of E1 for the Master ClubHACK 2007 2007 © The OpenCiphers Project
  • 35. Bluetooth PIN Cracking E1 16 clock cycles later PIN Gen SAFER+ Then the second part of E1 for the Master ClubHACK 2007 2007 © The OpenCiphers Project
  • 36. Bluetooth PIN Cracking E22 16 clock cycles later PIN Gen SAFER+ SRES Compare N Y Stop Then checks all of the sres values to see if any match while the process starts over ClubHACK 2007 2007 © The OpenCiphers Project
  • 37. Bluetooth PIN Cracking If the cracker stops the computer reads back  the last generated PIN from the pin generator to determine what the valid PIN was The last generated PIN – 16 should be the  cracked PIN I built a commandline version  Thierry Zoller integrated support into BTCrack  I added some hollywood FX !  ClubHACK 2007 2007 © The OpenCiphers Project
  • 38. Performance Comparison PC FPGA btpincrack btpincrack 3.6GHz P4 ~40,000/sec LX25 ~7,000,000/sec 15 Cluster ~105,000,000/sec LX50 ~10,000,000/sec BTCrack 3.6GHz P4 ~100,000/sec 0.001 secs to crack 4 digit 0.24 secs to crack 4 digit 10 secs to crack 8 digit 42 min to crack 8 digit ClubHACK 2007 2007 © The OpenCiphers Project
  • 39. Demo
  • 40. WinZip AES Encryption Somewhat proprietary standard  No open source code available (until now!)  Format  Uses the standard ZIP format  Adds a new compression type (99)  Uses PBKDF2 (1000 iterations) for key derivation  Individual files can be encrypted inside the ZIP file  Supports 128/192/256-bit key lengths  Uses a 16-bit verification value to verify passwords  Otherwise you verify by using the checksum  Uses a salt (sorry, can't do a dictionary attack!)  ClubHACK 2007 2007 © The OpenCiphers Project
  • 41. WinZip AES Encryption Cracking algorithm  Scan through ZIP file until you find the encrypted file  Get the 16-bit password verification value  Hash a password with PBKDF2 and see if the  verification value matches No – Try next password  Yes – Decrypt file and see if checksum matches   No – Try next password  Yes – Password found! ClubHACK 2007 2007 © The OpenCiphers Project
  • 42. WinZip AES Encryption Uses the same PBKDF2 core as the WPA and  FileVault cracking code Requires extra iterations for longer key lengths  Tool takes a ZIP file, encrypted file name, and  dictionary file as input ClubHACK 2007 2007 © The OpenCiphers Project
  • 43. Performance Comparison PC FPGA winzipcrack winzipcrack 800MHz P3 ~100/sec LX25 ~2,000/sec 3.6GHz P4 ~180/sec LX50 ~6,000/sec AMD Opteron ~200/sec 15 Cluster ~30,000/sec 2.16GHz IntelDuo ~200/sec ClubHACK 2007 2007 © The OpenCiphers Project
  • 44. Demo
  • 45. VileFault “FileVault secures your home directory by  encrypting its entire contents using the Advanced Encryption Standard with 128- bit keys. This high-performance algorithm automatically encrypts and decrypts in real time, so you don’t even know it’s happening.” ClubHACK 2007 2007 © The OpenCiphers Project
  • 46. VileFault We wanted to know what was happening  ClubHACK 2007 2007 © The OpenCiphers Project
  • 47. VileFault Stores the home directory in a DMG file  DMG is mounted when you login  hdi framework handles everything  Blocks get encrypted in 4kByte “chunks” AES-  128, CBC mode Keys are encrypted (“wrapped”) in header of  disk image Wrapping of keys done using 3DES-EDE  Two different header formats (v1, v2)  Version 2 header: support for asymmetrically  (RSA) encrypted header ClubHACK 2007 2007 © The OpenCiphers Project
  • 48. VileFault Apple's FileVault  Uses PBKDF2 for the password hashing  Modified version of the WPA attack can be used  to attack FileVault Just modified the WPA core to 1000 iterations  instead of 4096 Worked with Jacob Appelbaum & Ralf-Philip  Weinmann to reverse engineer the FileVault format and encryption ClubHACK 2007 2007 © The OpenCiphers Project
  • 49. VileFault Login password used to derive key for  unwrapping PBKDF2 (PKCS#5 v2.0), 1000 iterations  Crypto parts implemented in CDSA/CSSM  DiskImages has own AES implementation,  pulls in SHA-1 from OpenSSL dylib “Apple custom” key wrapping loosely  according to RFC 2630 in Apple's CDSA provider (open source) ClubHACK 2007 2007 © The OpenCiphers Project
  • 50. VileFault vfdecrypt (Ralf Philip-Weinmann & Jacob Appelbaum)  Will use the same method with a correct password to  decrypt the DMG file and output an unencrypted DMG file Result can be mounted on any system without a  password vfcrack (me!)  Unwrap the header  Use header to run PBKDF2 with possible passphrases  Use PBKDF2 hash to try and decrypt the AES key, if it  doesn't work, try next passphrase With the AES key decrypt the beginning of the DMG file  and verify the first sector is correct (only needed with v2) ClubHACK 2007 2007 © The OpenCiphers Project
  • 51. VileFault Other attacks  Swap  The key can get paged to disk (whoops!)  Encrypted swap isn't enabled by default  Hibernation  You can extract the FileVault key from a hibernation file  Ring-0 code can find the key in memory  Weakest Link  The password used for the FileVault image is the same as  your login password Salted SHA-1 is much faster to crack than PBKDF2 (1  iteration vs 1000) The RSA key is easier to crack than PBKDF2  ClubHACK 2007 2007 © The OpenCiphers Project
  • 52. Performance Comparison PC FPGA vfcrack vfcrack 800MHz P3 ~100/sec LX25 ~2,000/sec 3.6GHz P4 ~180/sec LX50 ~6,000/sec AMD Opteron ~200/sec 15 Cluster ~30,000/sec 2.16GHz IntelDuo ~200/sec ClubHACK 2007 2007 © The OpenCiphers Project
  • 53. Demo
  • 54. The A5 Cracking Project Capturing GSM Traffic  GNU Radio USRP board ($900 USD)  We developed software to decode GSM  Lets you fire up wireshark on a GSM channel  Can sometimes capture SMS messages  Couldn't capture voice calls :-(  We wanted to change that  ClubHACK 2007 2007 © The OpenCiphers Project
  • 55. The A5 Cracking Project Luckily you don't need to break crypto  India  IDEA - A5/0  AirTel - A5/0  Essar - A5/0  Orange - A5/0  Dolphin - A5/0  ClubHACK 2007 2007 © The OpenCiphers Project
  • 56. The A5 Cracking Project Focusing on A5/1  Used widely throughout the US, Europe, and some  Asian countries The strongest algorithm for GSM (3G is better)  Looking at only practical attacks  Originally looked at ciphertext only attacks  Found out that there is a lot of known-plaintext  Known-plaintext attacks are a lot easier  Researched a few different attacks  Real-time attack with known-plaintext + FPGAs  Anderson & Roe / Keller + our mods  Pre-computation + less FPGAs  Biryukov, Shamir, & Wagner + our mods  ClubHACK 2007 2007 © The OpenCiphers Project
  • 57. Real-time Attack A register is clocked if it's clocking bit agrees with  the majority ClubHACK 2007 2007 © The OpenCiphers Project
  • 58. Real-time Attack First 64 clock cycles key is xor'ed with registers  here ClubHACK 2007 2007 © The OpenCiphers Project
  • 59. Real-time Attack Second, 22-bit frame number is xored in here  ClubHACK 2007 2007 © The OpenCiphers Project
  • 60. Real-time Attack Third, A5/1 is run for 100 clock cycles  ClubHACK 2007 2007 © The OpenCiphers Project
  • 61. Real-time Attack And then the output is xor'ed with the plaintext  ClubHACK 2007 2007 © The OpenCiphers Project
  • 62. Real-time Attack Using known-plaintext you can reduce the  keyspace by brute forcing R1/R2 and calculating a matching R3 using the plaintext as parity ClubHACK 2007 2007 © The OpenCiphers Project
  • 63. Real-time Attack Output bits are related to register bits  ClubHACK 2007 2007 © The OpenCiphers Project
  • 64. Real-time Attack Must essentially brute force the clock bits  ClubHACK 2007 2007 © The OpenCiphers Project
  • 65. Real-time Attack Certain clock bit possibilities can be initially ruled  out by looking at registers that don't get clocked and output doesn't match ClubHACK 2007 2007 © The OpenCiphers Project
  • 66. Real-time Attack After a while certain possibilities can be ruled out  by clock bits not matching output ClubHACK 2007 2007 © The OpenCiphers Project
  • 67. Real-time Attack And possibilities can be ruled out once the tap  bits are computed and propagate up the registers ClubHACK 2007 2007 © The OpenCiphers Project
  • 68. Real-time Attack With enough known-plaintext you will be able to  resolve all possible R1/R2 down to a valid R3 ClubHACK 2007 2007 © The OpenCiphers Project
  • 69. Results FPGA code requires around 6000 clock cycles for  each R1/R2 state 100 cores at 100MHz will do 1.6M per sec  One FPGA will crack key in 15 days  100 FPGAs will crack in 3.6 hours  PCs will take a really long time (~2,000 times  slower) (code is free and available if you want to offload it  to your botnet ;-) ClubHACK 2007 2007 © The OpenCiphers Project
  • 70. Real-time Attack Once the internal state of A5/1 is derived you can  reverse clock A5/1 back to the state after the key is mixed in ClubHACK 2007 2007 © The OpenCiphers Project
  • 71. Real-time Attack To reverse A5/1 you calculate the only states for  the clocking bits that are possible ClubHACK 2007 2007 © The OpenCiphers Project
  • 72. Real-time Attack Eventually there are only a few possibilities left  ClubHACK 2007 2007 © The OpenCiphers Project
  • 73. Real-time attack This can be done quickly in software  Because there are multiple possible states you need  multiple packets to locate the correct state 2 packets is enough, we happen to have 4  Calculate the possible initial states for 2 packets  Find the possible state that's common between the two  ClubHACK 2007 2007 © The OpenCiphers Project
  • 74. Decrypting Packets If you have the A5/1 state after the key is mixed in  It is the same as having the key  You can mix in any frame number and generate  the proper A5/1 output to xor to any ciphertext or plaintext ClubHACK 2007 2007 © The OpenCiphers Project
  • 75. Pre-computation Attack Reversing 64-bits of A5/1 output to 64-bits of A5/1  internal state Essentially the same concept as a one-way function  Rainbowtables are good at reversing one-way  functions Decided to focus on building a table of 2^58  1/64 chance of finding the key with a given packet  We have 200 different 64-bit A5/1 outputs  Good chance that we'll find the key  ClubHACK 2007 2007 © The OpenCiphers Project
  • 76. Pre-computation Attack Time-space tradeoff basics  You have a one-way function  in out ClubHACK 2007 2007 © The OpenCiphers Project
  • 77. Pre-computation Attack Time-space tradeoff basics  You have a one-way function  You need to find the in that created an out  in out ClubHACK 2007 2007 © The OpenCiphers Project
  • 78. Pre-computation Attack Naïve implementation  Pre-computation  Compute and store all possible in/out's  Real-time  Search through table until you find your out, it's in is the key  in out 0 8 1 2 2 5 3 1 ClubHACK 2007 2007 © The OpenCiphers Project
  • 79. Pre-computation Attack Basic time-space tradeoff implementation  Pre-computation  Compute an in -> out, and then take the out and compute  another out, etc. (using a “reduction function”) Just store the start and end values of the chain  in R(out) R(out) ... 0 8 1 2 2 5 3 1 ClubHACK 2007 2007 © The OpenCiphers Project
  • 80. Pre-computation Attack Basic time-space tradeoff implementation  Real-time  To reverse a hash, you compute a chain for your out value and  compare all out values with all of the end points in your table When you find a matching one, compute a chain from it's start  value Your in will be right before your out in its chain  My out R(out) R(out) ... ? ? ? ? 0 8 1 2 out 2 5 3 1 ClubHACK 2007 2007 © The OpenCiphers Project
  • 81. Pre-computation Attack Problems with time-space tradeoff  Algorithms have collisions (especially when you're  mapping output to input which have differing entropy) Collisions cause chains to merge or loop  Different algorithms are used to mitigate this  ClubHACK 2007 2007 © The OpenCiphers Project
  • 82. Pre-computation Attack Different time-space tradeoff algorithms  Basic  Use a different reduction function for different tables  Increase the amount of tables you have depending on how  collision prone your algorithm is Distinguished Points  Instead of having all of your chains be the same length you  stop when you see a certain pattern of bits You can detect collisions and reject chains by looking for other  chains that end in the same distinguished point Rainbow  Use a different reduction function for each stage of the chain  Requires more real-time computation  ClubHACK 2007 2007 © The OpenCiphers Project
  • 83. Pre-computation Attack Distinguished Points  We first assumed that it wasn't very collision prone  Turned out we were wrong  Very efficient on FPGAs because it requires really low  bandwidth and table lookups Can be used to speed up the real-time lookup phase  Requires lots of tweaking to find the right parameters to  provide the least number of collisions and loops ClubHACK 2007 2007 © The OpenCiphers Project
  • 84. Pre-computation Attack Rainbow tables  Provides the best collision resistance  Requires a lot of real-time computation  n(n+1)/2 * chain_length The real-time computation can be done on an FPGA  (not as well as DP attack) Best attack parameters we could come up with  Requires 5TB of disk storage  Can reverse a key in 5 min with 1 FPGA  Multiple FPGAs can be used to parallelize cracking multiple  keys You can adjust table to use less storage and require  more time ClubHACK 2007 2007 © The OpenCiphers Project
  • 85. Pre-computation Attack Final Analysis  Talked to Elad Barkan  Distinguished Points was the best solution  Had to reduce chain length to provide the best  collision/loop resistance (average length of 2^19) Used a different reduction function for each table  Provides around 40% coverage (rainbow table  provided only ~20%) Still deciding on the best parameters for the tables  ClubHACK 2007 2007 © The OpenCiphers Project
  • 86. Pre-computation Attack Limiting factor right now is pre-computation  Computing 2^58 requires ~ 100 FPGAs running for 2  months (6,000 times slower on PCs) We have a cluster of 70 FPGAs ready to start  computing Once the parameters are finalized we'll be able to  compute a full table in ~3 months Will be the largest rainbowtable ever built  Typical Lanman rainbowtables cover 2^36 at most  This will be 4 million times larger  Resulting table will be 2TB  ClubHACK 2007 2007 © The OpenCiphers Project
  • 87. Real-time Attack Result  Because of hard drive access time it will need to be  spread across multiple hard drives 6 hard drives and 1 FPGA will crack a conversation in  ~30 min Double the hard drives and FPGAs to halve the time  32 FPGAs and a network of 200 PCs will crack a  conversation in < 1 minute ClubHACK 2007 2007 © The OpenCiphers Project
  • 88. FPGA Implementation Implementation  Implemented A5/1 as a 64-stage pipeline  Much more efficient than state-machines  Get 1 A5/1 per clock cycle  Output is looped back into the input (after reduction  function is applied) until the last 19 bits are 0 Results are written to BlockRAM which is polled by the  PC Each core runs at 200MHz and 5 cores fit on an LX50  Total A5/1's/sec is 200,000,000 * 5 = 1,000,000,000  Single CPU does around 150,000/sec  ClubHACK 2007 2007 © The OpenCiphers Project
  • 89. Demo
  • 90. The A5 Cracking Project Currently building 2TB table  Will eventually build the 28TB table  If you want to help, check out wiki.thc.org/gsm  ClubHACK 2007 2007 © The OpenCiphers Project
  • 91. Hardware Pico E-16  ExpressCard 34  2.5Gbps full-duplex  Virtex-5 LX50  32MB SRAM  External ExpressCard Chip  ClubHACK 2007 2007 © The OpenCiphers Project
  • 92. Hardware E-16 SuperCluster  Up to 77 E-16's  2 Quad-core Xeon's  8GB of RAM  6TB HDD Space  Equivalent computing power of ~400,000 CPUs for cracking A5/1 ClubHACK 2007 2007 © The OpenCiphers Project
  • 93. Conclusion Get an FPGA and start cracking!  Make use if your hardware to break crypto  <64-bit just doesn't cut it anymore  Choose bad passwords (please!)  ClubHACK 2007 2007 © The OpenCiphers Project
  • 94. Thanks Aaron Peterson (wicrawl)  The Church of WiFi (CoWPAtty)  Jacob Appelbaum & Ralf-Philip Weinmann  (FileVault) Thierry Zoller & Eric Sesterhenn (BTCrack)  Steve, Josh, & The Hacker's Choice Cr3w  (A5 Cracking Project) The Shmoo Group (bittorrent seeding)  Viewers like you  ClubHACK 2007 2007 © The OpenCiphers Project
  • 95. Questions? David Hulton  david@toorcon.org  http://openciphers.sf.net  http://www.picocomputing.com  http://www.toorcon.org  ClubHACK 2007 2007 © The OpenCiphers Project