Infrastructure // Networking
News
11/19/2010
11:49 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Hacker Cracks Secure Hashing Algorithm Using Amazon Cloud

Using EC2's cluster GPU power, security researcher spent only $2.10 to decrypt 14 SHA1 passwords in under an hour; other experts aren't concerned.

How Firesheep Can Hijack Web Sessions
(click image for larger view)
Slideshow: How Firesheep Can Hijack Web Sessions

German security researcher Thomas Roth may have discovered the ultimate in DIY dictionary attacks: using on-demand computing power courtesy of the Amazon Elastic Compute Cloud (EC2) to crack the SHA1 secure hashing algorithm for just $2.10.

On Monday, Roth detailed his experiment in a blog post, spurred by Amazon's introduction of cluster GPU instances. "GPUs are known to be the best hardware accelerator for cracking passwords, so I decided to give it a try: How fast can this instance type be used to crack SHA1 hashes?" he said.

His answer, using a list of 14 hashes: "I was able to crack all hashes from this file with a password length from 1-6 in only 49 minutes." According to Roth, "this just shows one more time that SHA1 for password hashing is deprecated -- you really don't want to use it anymore."

SHA1, developed by the National Security Agency, is today's most widely used hashing algorithm. Is it now at risk of attack via Amazon EC2-renting hackers?

Thankfully, no. Paul Ducklin, the head of technology for Sophos in the Asia-Pacific region, said that real-world password schemes hash hashes of hashes, adding layers of complexity to make recovering the password as "computationally infeasible" as possible. The older Linux password system, for example, hashes the hashes of passwords 1,000 times, while the newer one uses 5,000 iterations, he said.

Accordingly, to attack a Linux password -- based on the old Linux password system -- "Ross would need 1,000 times longer -- and $2,000 to blow on Amazon -- because each password would require 1,000 times as many calculations to hash," he said.

Furthermore, Ross' experiment wasn't very computationally intensive by today's standards. Ducklin said that in the time it took Ross to recover 10 passwords from 14 hashes, he used his MacBook Pro to recover eight of them. "Big deal," he said.

In other words, SHA1 seems relatively safe for now. That said, it's slated for replacement due to concerns that it has an inherent cryptographic weakness. Accordingly, the National Institute of Standards and Technology (NIST) is currently holding a competition to design the more secure SHA3. NIST hopes to release the new standard by 2012.

Comment  | 
Print  | 
More Insights
2014 Private Cloud Survey
2014 Private Cloud Survey
Respondents are on a roll: 53% brought their private clouds from concept to production in less than one year, and 60% ­extend their clouds across multiple datacenters. But expertise is scarce, with 51% saying acquiring skilled employees is a roadblock.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.