Recovering Passwords with a GPU

[gamer210]

I came upon this this morning, and I thought I'd share it with y'all. Here's the link:

http://www.net-security.org/secworld.php?id=5567

Since most of my research focuses on security, I thought it was kind of interesting. People have been using FPGAs to brute for passwords for a while now, but using a GPU to brute force passwords would open things up to a whole new group of people. It would probably be faster, and cheaper, than using FPGAs depending on the GPU. When you think about it, passwords would just be the tip of the iceberg. If combined with Rainbow Tables, WPA keys could be cracked in a matter of hours or even minutes. WEP keys could be cracked in seconds. This shows lots of promise, so I guess I'll have to look into this some more.

Just some information from the self-proclaimed "TPU Security Guru."

P.S.
Mods, please feel free to move this if you think it would fit better somewhere else.

 

[Fuse-Wire]

well heres something for you " Security Guru" try and stop me with Kane n Able!!

 

[gamer210]

well heres something for you " Security Guru" try and stop me with Kane n Able!!

It's Cain & Abel, actually.

 

[Fuse-Wire]

Damn Yooooo!!!

 

[t_ski]

Interesting link. I've passed it on to my security teacher. We were just discussing effective passwords, rainbow tables and the like a couple weeks ago.

 

[GrapeApe]

Love how it's "recovering passwords"

I'm not convinced they should be given a patent, but don't doubt they will be given one by a technologically ignorant patent office.

It's simply another application of GPGPU to another computational problem, not anything truly exotically revolutionary. This would easily fall under "obvious" application of existing technology, and is already negated by the publication of prior art (see paragraph 3 example 3);
http://www.gpgpu.org/data/history.shtml
"The PixelFlow SIMD graphics computer [Eyles, et al. 1997] was used to crack UNIX password encryption [Kedem and Ishihara 1999],"

I don't doubt it will get a patent as so many things do and later get overturned, but it doesn't really deserve one IMNSHO.

Anywhoo, just another reason to use independent and non-traditional methods or cryptography and include at the very least substitution to reduce the effectiveness

 

[ex_reven]

Thats an interesting article.

 

[gamer210]

Love how it's "recovering passwords"

I'm not convinced they should be given a patent, but don't doubt they will be given one by a technologically ignorant patent office.

It's simply another application of GPGPU to another computational problem, not anything truly exotically revolutionary. This would easily fall under "obvious" application of existing technology, and is already negated by the publication of prior art (see paragraph 3 example 3);
http://www.gpgpu.org/data/history.shtml
"The PixelFlow SIMD graphics computer [Eyles, et al. 1997] was used to crack UNIX password encryption [Kedem and Ishihara 1999],"

I don't doubt it will get a patent as so many things do and later get overturned, but it doesn't really deserve one IMNSHO.

Anywhoo, just another reason to use independent and non-traditional methods or cryptography and include at the very least substitution to reduce the effectiveness

The cyphers that were broken in your example were RC4 and DES, which are not considered secure by any means. They have been broken for many years now. Where I think this would be most effective, would be in cases where more advanced cyphers, such as AES or Blowfish, are used. Also it is much, much cheaper. For example, I could buy a motherboard with 4 PCI-Express slots, install 4 cheap graphics cards, and use all of them to brute force passwords. All of this would still cost less than a good FPGA.

As for the patent process, I agree with you. U.S. patent law is really behind when it comes to matters of technology, and it really needs to be updated.

 

[GrapeApe]

Yes I agree this is definitely a new and very cost effective method for brute force for the general public, I think in reaction to it though people will step up their level of security because while the processing power to crack encryption improves, so usually does the opportunity to use more robust levels of encryption/decrryption. Contiual cat and mouse, the only problem is those wishing to compromise the system are usually more dedicated and motivated than those we need to convince to adopt/fund/use the strong methods/levels of encryption. I'm sure the usual dark places are fine, but I suspect corporate security will become more vulnerable as multi-VPU and even multi-core systems like Fusion/Larabbee become more common place and inexpensive to combine.

Yeah, and my criticism isn't towards the article so much as the patent just because I know a few people who work in this area of expertise in Montreal and we've discussed this before from both a GPGPU side and from a Distributed computing side, of course they're way out of my league because after anything more complex than triple DES my brain switches over to beer mode.