
2018 IEEE 39th Sarnoff Symposium

Modern Network Security Practices: Using Rainbow Tables to Solve Organizational Issues

Christopher McMahon, Xiaowen Zhang
Computer Science Dept., College of Staten Island, CUNY, Staten Island, NY 11314, U.S.A.

978-1-5386-6154-3/18/$31.00 ©2018 IEEE

Abstract—The purpose of this case study analysis is to examine a non-traditional method of identifying weak passwords within a large hospital organization. The process of using rainbow tables to crack passwords/ensure password compliance is discussed and specific examples are provided within this paper. This process emphasizes the notion that network security-related problems tend to be organization-specific and require creative approaches. The goal is to establish a practical use for rainbow tables within an organization as a means of enhancing network security.

Keywords-Rainbow table; password crack; time-memory trade-off; network security; hash function; reduction function.

I. INTRODUCTION

A major issue facing network security teams of large organizations is ensuring that organization members are compliant with network security procedures. Password complexity is a basic but critical component of establishing a secure network. However, the process of keeping track of members who have passwords that do not meet complexity requirements can be a challenging task depending on the circumstances. This was a recent problem of the large North American hospital discussed within this paper. Our network security team is unable to mandate regular password changes because of the large, diverse population of close to 12,000 users. Many users in patient care never directly log in to a computer, only logging in to their applications, and many users rarely check e-mail accounts. Additionally, password complexity was not added as a requirement until 2010. Since passwords are stored as hashes with a constant length, it is impossible to easily determine from Active Directory whether a password meets the complexity requirements, resulting in possibly thousands of noncompliant passwords.

To address this issue, the idea was proposed to use Rainbow Tables to identify which passwords were noncompliant. A Rainbow Table is an application of Hellman's Time-Memory Trade-Off (TMTO) attack. Being that it is an attack method used for password cracking, it is typically used for illicit purposes, and very rarely utilized in an organizational environment. In this scenario, it would allow the network security team to identify only those passwords that did not meet complexity requirements, and therefore a much smaller subset of users would be required to change their passwords.

The rest of the paper is organized as follows. In Section II, we briefly introduce some preliminary background on the time-memory trade-off attack, reduction and hash functions, and rainbow tables. In Section III, we describe the four-step method to crack passwords. We show experiment results in Section IV and conclude the paper in Section V.

II. TMTO AND RAINBOW TABLES

To understand how rainbow tables work, we must first discuss Hellman's Time-Memory Trade-Off (TMTO), which is the basis for how Rainbow Tables function.

A. Hellman's Time-Memory Trade-Off (TMTO) Attack

Assume $f$ is a random function (permutation) $f : \{1, 2, \ldots, N\} \to \{1, 2, \ldots, N\}$ such that $f$ has a huge cycle covering all $N$ values. Let $f_i(x) = f(x) \oplus i$ be a small tweak of $f(x)$, $i = 1, 2, \ldots, t$, $t = \sqrt[3]{N}$. Hellman's TMTO attack [1], [2], [3] consists of two phases:

Pre-computation phase:

For each of the $t$ functions $f_i$, choose $m$ random start points (SPs), where $m = \sqrt[3]{N}$, and compute chains of length $t$. Store the $m$ value pairs (end point, start point) in a table, i.e., each table contains $m$ pairs of (EP, SP). Each (EP, SP) pair represents a chain that renders $t$ values, because EP is the value after $t$ iterations of $f_i$ with SP as start point. Thus each table covers $mt$ values. Memory-wise, each table takes $m$ entries (blocks) of space.

There are $t$ functions $f_i$, therefore we build $t$ tables. As we want to cover the entire space of $O(N)$ values with all tables, we have $mt \times t = mt^2 = N$.

Because each table has $m$ entries/blocks and there are $t$ such tables, the total memory used is $M = m \times t = mt$.

On-line phase:

We try to compute $f_i^j(y)$ for every $i = 1, \ldots, t$ and $j = 1, \ldots, t$ until one of the end points is hit. Then we use the corresponding SP to find the predecessor $x$ of $y$ such that $y = f(x)$. Therefore the number of operations is $t^2$, which represents the time complexity $T = t^2$.

From the pre-computation phase, we know that $mt^2 = N$, so we have $(mt^2)^2 = N^2$, i.e., $(mt)^2 t^2 = N^2$. Because the memory requirement is $M = mt$ and the time requirement is $T = t^2$, we have $TM^2 = N^2$. A common point on the curve is $M = T = N^{2/3}$. It can be verified as $N^{2/3}(N^{2/3})^2 = N^{2/3} N^{4/3} = N^{6/3} = N^2$.

Therefore, Hellman's TMTO attack needs memory $M = N^{2/3}$ and time $T = N^{2/3}$. It is a dramatic improvement over exhaustive search, in which pre-computation $= 0$ and memory $M = 0$, but time $T = N$. It also does not require as much memory as table/dictionary search, in which pre-computation $= N$, memory $M = N$, time $T = 1$. Therefore Hellman's TMTO trades memory with time.

B. Reduction Function

Why do we need a reduction function? In order to build rainbow tables, we have to create an iterative function $f$ whose domain size is equal to its range size. But for a real hash function $H$, there is a size discrepancy between its domain and range spaces. Suppose the hash function $H$ uses the Message Digest 5 algorithm (MD5), and further suppose the domain space is all possible passwords $P$ with 8 American Standard Code for Information Interchange (ASCII) characters (suppose each ASCII character is encoded in 8 bits), and the range of $H$ is 128-bit hexadecimal values. The domain size is $2^{64} = 1.84 \times 10^{19}$, but the range size is $2^{128} = 3.40 \times 10^{38}$. There is a huge difference.

Figure 1: Reduction function

We need to define a reduction function $R$ that maps a 128-bit hash value in $H$ back to a 64-bit value in $P$. After that we can apply the hash function $H$ again to keep the iteration going. It is $p_i \xrightarrow{H(p_i)} h_i \xrightarrow{R(h_i)} p_{i+1}$, see Figure 1 for illustration. When put together, we define $f(p_i) = R(H(p_i))$; such an $f$ function has the same domain and range spaces (both 68-bit). Therefore, we can iterate $f$ from one password $p_i$ to generate the next password $p_{i+1}$, then apply $f$ again to generate another password $p_{i+2}$. As an equation, it is written $p_i \xrightarrow{f} p_{i+1} \xrightarrow{f} p_{i+2} \xrightarrow{f} \cdots$ Given an initial password $p_1$, we iterate the $f$ function $t$ times to get a $(p_t, p_1)$ pair; it is an (EP, SP) pair stored in the table.

Under the above assumption, we can define a reduction function $R$ as XORing the left 64 bits of the hash value with the right 64 bits to get a 64-bit output, which is in $P$ space. We can give an example here:

$$p_1 = \texttt{Z8\&6dh\$n}, \qquad h_1 = \mathrm{MD5}(p_1) = \texttt{9bef715e662cc300796c1cfefd4f8913}$$

$$R(h_1) = \texttt{9bef715e662cc300} \oplus \texttt{796c1cfefd4f8913} = \texttt{e2836da09b634a13} \to \texttt{62236d203b634a33} = \texttt{b\#m ;cJ3} = p_2$$

Note: for every byte generated by $R(h_1)$, we set the 7th bit (i.e., the most significant bit) to 0; furthermore, if both the 6th and 5th bits are 0, we set the 5th bit to 1.

C. Hash Function

We also need to understand the hash functions that Microsoft Windows uses to store users' passwords. LM (LAN Manager) hash is an outdated password hashing method developed by Microsoft in cooperation with 3Com Corporation that is considered particularly weak. It uses the Data Encryption Standard (DES) encryption method and is no longer commonly used.

NTLM (NT LAN Manager) is the successor to LM and is a suite of multiple authentication protocols, developed solely by Microsoft. Though it is not recommended as an authentication protocol, it is still widely used to maintain compatibility for older systems and has been included in Kerberos, which is currently the Microsoft recommended authentication protocol. NTLMv2, which is the most common NTLM protocol, uses the HMAC-MD5 authentication code. This code uses the MD5 hash algorithm, which is the algorithm that was used in the password cracking project described in this paper. Full text of the MD5 hash algorithm can be found in RFC1321 [4].

D. Rainbow Table

A rainbow table [5] is a type of hash lookup table, generated using TMTO, that is used to reverse cryptographic hash functions as a means to crack password hashes. It differs from standard hash lookup tables as it requires more processing time per hash lookup, but uses much less storage.

Standard hash tables, see Table I for an example, can grow to be very large as they are essentially a list of all possible passwords in a key space and their corresponding hash. Rainbow tables approach this problem by constructing chains that use alternating hash and reduction functions, see Figure 2 for an example. In the chain, everything is then thrown away except for the first input and the last hash. When performing a hash lookup, these chains are then regenerated until the hash is found. This greatly improves storage efficiency but more processing power becomes required to perform the hash lookup.

Size comparison

A set of 10 MD5 rainbow tables that has 99.9% accuracy for passwords that contain all alphanumeric characters and
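The reduction function R and the (EP, SP) chain scheme of Section II, carried through in Python as an added example; it is not the authors' code. It builds one Hellman-style table with a single reduction function, as Sections II-A and II-B describe, and checks R against the worked value of R(h1) given in the text. The function names, the chain length t and the second start point are assumptions made for illustration.

```python
import hashlib

def H(p: bytes) -> bytes:
    """Hash function H: MD5, 128-bit digest."""
    return hashlib.md5(p).digest()

def R(h: bytes) -> bytes:
    """Reduction from the text: XOR the left and right 64 bits, then fix up each byte."""
    out = bytearray(a ^ b for a, b in zip(h[:8], h[8:]))
    for k in range(8):
        out[k] &= 0x7F              # clear bit 7 (most significant bit)
        if out[k] & 0x60 == 0:      # bits 6 and 5 both 0
            out[k] |= 0x20          # set bit 5
    return bytes(out)

def f(p: bytes) -> bytes:
    """One chain step f(p) = R(H(p)): 8 bytes in, 8 bytes out."""
    return R(H(p))

def build_table(start_points, t):
    """Pre-computation: iterate f t times from each SP, keep only {EP: SP}."""
    table = {}
    for sp in start_points:
        p = sp
        for _ in range(t):
            p = f(p)
        table[p] = sp
    return table

def lookup(table, target, t):
    """On-line phase: return p with H(p) == target if a stored chain covers it."""
    y = R(target)
    for _ in range(t):
        sp = table.get(y)
        if sp is not None:          # end point hit: regenerate that chain from its SP
            p = sp
            for _ in range(t):
                if H(p) == target:
                    return p
                p = f(p)            # no match so far; a full miss is a false alarm
        y = f(y)
    return None

if __name__ == "__main__":
    h1 = bytes.fromhex("9bef715e662cc300796c1cfefd4f8913")   # h1 as printed in the text
    print(R(h1).hex(), R(h1))
    table = build_table([b"Z8&6dh$n", b"Spring18"], t=200)   # constructed start points
    p = b"Z8&6dh$n"
    for _ in range(37):             # pick a password that lies inside the first chain
        p = f(p)
    print(lookup(table, H(p), 200) == p, lookup(table, H(b"NotInTbl"), 200))
```

Only two (EP, SP) pairs are stored, yet any of the 400 passwords on the two chains can be recovered from its hash, at the cost of recomputing up to t chain steps per lookup.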