Cracking PGP In the Cloud

pariax writes "So you wanna build your own massively distributed password cracking infrastructure? Electric Alchemy has published a writeup detailing their experiences cracking PGP ZIP archives using brute force computing power provided by Amazon EC2 and a distributed password cracker from Elcomsoft."

Re:And tons of carbon enter the air

[slim]

I was under the impression that crypto like PGP was based on stuff which would (in theory) take millions of years to crack even with every machine on earth dedicated to it?

Yes, but the search space is significantly lower if you assume an password that's 1-8 latin alphanumeric characters, as this exercise did.

It's still 122 days on 10 VMs. One tenth of that on 100VMs.

Re:They should be discussing bits

[slim]

No, they've been approached by a client who's forgotten the password they used. The client's told them they used 1-8 alphanumerics in the password.

In this case, the mapping to a binary key is irrelevant to the size of the brute forcing task.

Re:And tons of carbon enter the air

[psp]

you'd need 28 characters chosen in a true random fashion (think scrabble tiles
pulled out of a hat) to actually achieve a strength of 128-bit, that matches a
128-bit crypto or hash algorithm.

Scrabble tiles would be an exceptionally bad choice.

Re:Pointless

[jim.hansson]

every hacker worth ther salt [has|knows how to download] precomputed rainbow tables for so easy things, and it does not

Re:And tons of carbon enter the air

[frozentier]

such passwords are OK for low-priority stuff but not, if say, the NSA is after you ;-)

If the NSA is after you, I would think the strength of your passwords is the least of your worries.

Not the way of doing it

[julesh]

I looked at EC2 for raw processing power earlier this year (my company needs to train a lot of neural nets) and it just isn't worth it, unless you only need the power short term. A high-performance EC2 node gives you 8 cores running at (very roughly) the equivalent of a 2GHz P4, and costs $0.68/hr == about $460 per month, which is only a little less than what an equivalent box (probably a 2.83GHz Core 2 Quad or similar) would cost you. Put power to run that box down at about $0.05 per hour and you can build your own local cluster of equivalent performance for around the same amount of money as you'll save in your first month and a half of operation.

Re:Not the way of doing it

[Slashdot+Parent]

Don't forget other cosets: cooling, system administration, datacenter space, backups, racks, switches, KVMs, UPSs, network administration, maintenance, etc.

No question EC2 is expensive if you plan on fully-utilizing that hardware. But that's why it's called the Elastic Compute Cloud, not the Static Compute Cloud. If your computational needs are static, EC2 is most definitely the wrong tool for the job.

Re:Bottom Line: Use Long, Unusual Passwords

[fbjon]

Take a look at the rainbow table you described. ASCII and length 256? That's 256^256, i.e. huge. Even if you restrict yourself to a modest subset of 70 characters (easily typable), and no more than 10 characters in length (too short in many cases), you need to store about 2.8 * 10^18 passwords. Just the MD5 hashes for a table like that would take up over 40000 petabyte.

Re:Pointless

[Fulcrum+of+Evil]

In most cases, a 9-char password is some 96 times (number of printable characters) harder than an 8-char password,

I'd believe 30 -40, but not 96. Most people are going to use letters and a small number of punctuation, and I'd wager that testing half of that will get you 90% of the possible choices. If it's just english words, I'll go with 16 as the multiplier, just given the info content of most english.