A German hacker named Thomas Roth used Amazon's cloud services to bust open SHA-1, a wireless network security standard, and he will demonstrate his process again at an upcoming Black Hat get-together. Malevolent hackers could quickly set up brute-force attack systems using the cloud; however, many critics say real-world password cracks might not come so easily. The hacker's announcement that he used a cloud service to crack a wireless network security standard has left many security researchers scratching their heads, and many still disbelieve it. The attack was launched against the SHA-1 hash algorithm.
It has been known since 2005 that the SHA-1 algorithm has flaws, which is why the National Institute of Standards and Technology is looking for a substitute to replace it. According to Thomas Roth, “the SHA-1 algorithm is not fit for password hashing, and the compute power offered by cloud services makes it cheap and easy to launch brute-force attacks on passwords.”
In his blog, Roth described using a Cluster GPU instance from Amazon EC2 for his attack. The instance has 22 GB of memory, two Intel Xeon X5570s using quad-core Nehalem architecture, two Nvidia Tesla Fermi M2050 GPUs and 1,690 GB of instance storage. This configuration provides a 64-bit platform and uses 10 gigabit Ethernet for very high input and output performance. Using this platform, he cracked all hashes from a file for passwords one to six characters long in 49 minutes. However, Sophos security expert Paul Ducklin pointed out that Roth recovered 10 of 14 passwords on a challenge list, while Ducklin recovered eight of those 14 in the same time merely by using his MacBook Pro, running in the background.
Although SHA-1 has many flaws, it is still one of the most widely used SHA algorithms and serves many functions. Many alternative versions like SHA-2 have been developed, but they are too similar to SHA-1 algorithmically. In 2007, NIST launched a competition to develop a new hash standard, SHA-3. The winner will be selected in 2012.
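To put numbers on Roth's point that a single fast hash is unfit for password storage, the following added example (not code from Roth or from this blog) computes the search space for passwords of one to six characters, the guess rate implied by the reported 49 minutes, and how a salted, iterated hash stretches that time. The 95-character printable-ASCII charset, the PBKDF2-HMAC-SHA256 scheme, the 600,000 iteration count and all function names are assumptions, not details from the page.

```python
import hashlib
import hmac
import os

CHARSET = 95                # assumption: printable ASCII (charset not given on the page)
MAX_LEN = 6                 # page: passwords one to six characters long
REPORTED_SECONDS = 49 * 60  # page: all hashes cracked in 49 minutes

def keyspace(charset=CHARSET, max_len=MAX_LEN):
    """Candidate passwords of length 1..max_len."""
    return sum(charset ** n for n in range(1, max_len + 1))

def implied_rate(seconds=REPORTED_SECONDS):
    """Guesses per second needed to cover the keyspace in the reported time."""
    return keyspace() / seconds

def exhaust_days(iterations):
    """Days to cover the same keyspace if each guess costs `iterations`
    hash computations instead of one (linear-cost approximation)."""
    return keyspace() * iterations / implied_rate() / 86400

def sha1_unsalted(password):
    """The weak scheme: one fast hash, identical output for identical passwords."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_password(password, iterations=600_000):
    """Salted, iterated PBKDF2-HMAC-SHA256; the iteration count is an assumed setting."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

if __name__ == "__main__":
    print(f"keyspace (1-{MAX_LEN} chars): {keyspace():,}")
    print(f"implied rate: {implied_rate():,.0f} guesses/s")
    print(f"single SHA-1: {exhaust_days(1) * 1440:.0f} minutes")
    print(f"600,000 iterations: {exhaust_days(600_000):,.0f} days")
```

The slowdown factor equals the iteration count regardless of the assumed charset, and the per-user salt means identical passwords no longer share one stored value.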