An In-Depth Look Into Cryptographic Hashing Algorithms

Jonathan Michael Krotkiewicz
Advisor: Dr. Mike Biocchi
April 1st, 2016

Abstract

Cryptographic hash functions, namely Message Digest 5 and Secure Hash Algorithm 1, were published over two decades ago and are still in frequent practice as a password security measure. Since publication, associated weaknesses and vulnerabilities have been identified with each function. From an information security perspective, the algorithms on their own are considered broken and insecure respectively. The presented literature seeks to illustrate the degree of vulnerability associated with the credited algorithms through extensive research, relevant statistical data, and firsthand experimentation. Well-known attack methods such as dictionary and rainbow table attacks are undertaken against a set of MD5 and SHA-1 hash values in a real environment to extract significant data regarding time and space complexity. The data are used in comparison to approximated results of secure cryptographic hashing standards in practice today. Consequently, information to counteract such attack methods is discussed in detail to proactively prevent the likelihood of a successful data breach in a real system.

Table of Contents

Abstract
List of Figures
List of Tables
Chapter I Introduction
    1.1 Problem Definition
    1.2 Objective
    1.3 Thesis Overview
Chapter II History and Introduction of Cryptographic Hashing
    2.1 Security Negligence
    2.2 What is Cryptography?
    2.2 What is Hashing?
    2.3 Encryption vs. Cryptographic Hashing
    2.4 Checksums
    2.5 History and Introduction of Cryptographic Hashing Conclusions
Chapter III Current Security
    3.1 Passwords
    3.2 Cryptographic Hashing
    3.3 Methods to Compromise Cryptographic Hashes
    3.4 Effectively Securing Passwords
    3.5 A Few Results on Attacking Unsalted MD5 and SHA-1 Hashes
    3.6 Current Security Conclusions
Chapter IV Future Authentication and Recent Developments
    4.1 The Latest Cryptographic Hashing Algorithm
    4.2 Current Authentication Advancements
    4.3 Project Abacus the Future of Authentication
    4.4 Conclusions on Future and Current Authentication
Chapter V Attack Method Implementations
    5.1 Purpose
    5.2 Technology
    5.3 Dictionary Attack Implementation
    5.3.1 Dictionary Attack Results and Comparison
    5.4 Rainbow Table Attack Implementation
    5.4.1 Rainbow Table Attack Results and Comparison
    5.5 Brute Force Attack Implementation
    5.5.1 Brute Force Attack Implementation Results
    5.6 Conclusions on Attack Method Implementations
Chapter VI
    6.1 Conclusion
    6.2 Future Work
Glossary
Appendix A
Appendix B
Appendix C
Appendix D
Appendix E
Appendix F
Appendix G
References

List of Figures

Figure 2-1. A high level illustration of hashing
Figure 2-2. An illustration of using a key for encryption
Figure 2-3. A high level illustration of encryption
Figure 2-4. An example of the hashing process
Figure 3-1. PsychoPass example 1
Figure 3-2. PsychoPass example 2
Figure 3-3. Number of participant’s passwords for various accounts
Figure 3-4. Frequency of users changing their passwords
Figure 3-5. Response on switching back to an old password
Figure 3-6. Response on users keeping the same password for multiple accounts
Figure 3-7. Sources of password inspiration that participants use
Figure 3-8. Factors considered by participants during password creation
Figure 3-9. Response of participants on new password creation
Figure 3-10. Participant’s password statistics chart 1
Figure 3-11. Participant’s password statistics chart 2
Figure 3-12. Ashley Madison user password character set use
Figure 3-13. High level illustration of cryptographic hashing
Figure 3-14. A high level hashing collision
Figure 3-15. Two MD5 message blocks hashed to the same value
Figure 3-16. The high level process of going from a plain text to a hash value…
Figure 3-17. Hash chains
Figure 3-18. Collision in a rainbow table
Figure 3-19. A high level illustration of how a password is salted
Figure 4-1. A YubiKey
Figure 4-2. A Nymi

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 104 pages
