Slashdot Mirror


Amazon EC2 Enables Cheap Brute-Force Attacks

snydeq writes "German white-hat hacker Thomas Roth claims he can crack WPA-PSK-protected networks in six minutes using Amazon EC2 compute power — an attack that would cost him $1.68. The key? Amazon's new cluster GPU instances. 'GPUs are (depending on the algorithm and the implementation) some hundred times faster compared to standard quad-core CPUs when it comes to brute forcing SHA-1 and MD,' Roth explained. GPU-assisted servers were previously available only in supercomputers and not to the public at large, according to Roth; that's changed with EC2. Among the questions Roth's research raises is, what role should Amazon and other public-cloud service providers play in preventing customers from using their services to commit crimes?"

30 of 212 comments

  1. That's silly. by DWMorse · · Score: 5, Insightful

    "what role should Amazon and other public-cloud service providers play in preventing customers from using their services to commit crimes?"

    The same role that Ford Motor Company is responsible to fill in preventing the use of its vehicles as getaway cars from scenes of crimes.

    --
    There's a spot in User Info for World of Warcraft account names? Really?
    1. Re:That's silly. by Applekid · · Score: 3, Funny

      "what role should Amazon and other public-cloud service providers play in preventing customers from using their services to commit crimes?"

      The same role that Ford Motor Company is responsible to fill in preventing the use of its vehicles as getaway cars from scenes of crimes.

      Eh, more like the same role that a chauffeur is responsible to fill in preventing the use of its driven vehicles as getaway cars from scenes of crimes.

      After all, once Ford makes a car they're done, right? EC2 is continually crunching numbers until it's cracked.

      --
      More Twoson than Cupertino
    2. Re:That's silly. by Anonymous Coward · · Score: 2, Interesting

      This would be like Ford giving road-side assistance during a heist.

      No, it's like Jared Loughner taking a taxi to the site of his shooting spree:

      http://www.nytimes.com/2011/01/11/us/11taxi.html?partner=rss&emc=rss

      The taxi driver is just providing his usual service at his usual price and has no indication that a crime is going to be committed.

      Similarly, Amazon knows you're doing a lot of heavy computation, but that is one of the reasons someone would use Amazon EC2.

    3. Re:That's silly. by Bert64 · · Score: 3, Insightful

      There are perfectly legal reasons for cracking encryption...

      Data recovery (e.g. forgotten passwords)
      Security auditing
      Crypto development (i.e. stress testing)

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    4. Re:That's silly. by causality · · Score: 2

      Why shouldn't Amazon do their part?

      Because if it's a question of whether a crime has been committed, we already have trained professionals who specialize in dealing with this exact scenario: we call them police. They have restrictions on when and how they can gather evidence for some really, really good reasons. Amazon doesn't belong in the law enforcement business.

      Shouldn't companies try and protect the environment they do business in? Companies have higher obligations than to just make money.

      They should protect the environment in which they do business when they engage in activities that could ruin that environment for others. A factory that causes pollution of a river that affects everyone downstream is a good example.

      Granted, I doubt there is anything they could do, much as there's nothing Ford can do to stop their cars being used in heists. But if they can, they should.

      There's only one thing they can do. They can place everyone who does business with them under suspicion. They can closely monitor every single activity performed by their customers. If anything remotely looks like it might be related to cracking a password, they can assume it must be an illegal activity and not merely someone's recovery of their own data or security research and notify the authorities accordingly. Is that what you want?

      It would accomplish three things. First, it would mean that Amazon takes on some or all of the investigative responsibility that rightly belongs to police, only without the restrictions that are wisely applied to police. I'm sure you'd waive all rights to privacy as part of the agreement attached to using the service and of course you'd trust them to never abuse this privilege. Any cost associated with all of this monitoring would of course be passed on to the customer. Second, it would result in many reports submitted to police that turn out to be legitimate, legal activity, with the cost passed on to the taxpayer. Third, it will make the real criminals respond by either using false credentials (like stolen IDs) or by using other forms of distributed computation, such as botnets, thus raising the profit other criminals make by operating such botnets.

      Like most feel-good measures it would make little or no difference to the real criminals while causing more surveillance, inconvenience, and cost to the average user. It would also erode the concept of a presumption of innocence. All of that, just to avoid telling people that if you really need it to be secure, use sufficiently strong encryption with a sufficiently strong key.

      The whole problem with the USA is that half of our laws are like this. I see why you'd find it a logical extension of the way we already do things, but I think that's because you haven't seriously examined the way we already do things.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    5. Re:That's silly. by spazdor · · Score: 2

      because BadAnalogyGuy isn't here at the moment to show us all how it's done?

      --
      DRM: Terminator crops for your mind!
  2. Wonder how safe longer keys are... by mlts · · Score: 2

    I wonder with the ways that WPA2-PSK is being eroded, if one should just go with 30+ character long keys. TrueCrypt always recommends to go with 20+ character passphrases and since there isn't much key strengthening with WPA2-PSK, a longer key is a good thing here. My preference is to use a 63 number of letters and digits, and if it gets forgotten, just generate another string and paste it into the router from a machine on the wired network.

    1. Re:Wonder how safe longer keys are... by Carnivorous+Vulgaris · · Score: 2

      Character set ^ password length = permutations.
      You're right with exponential growth.

      Just remember that if your password has password dictionary fragments, including all common substitutions, then the length is the number of fragments, not the number of characters.

    2. Re:Wonder how safe longer keys are... by ikkonoishi · · Score: 3, Funny

      I hear that Chuck Norris just uses his name as the key. When anyone tries to crack it their computer catches fire.

    3. Re:Wonder how safe longer keys are... by Anonymous Coward · · Score: 2, Interesting

      This link has the actual test http://stacksmashing.net/2010/11/15/cracking-in-the-cloud-amazons-new-ec2-gpu-instances/

      Which looks like a single dual fermi EC2 instance gets 250M hashes/sec which is crazy. So assuming you have a 100 instance cluster of them:
      40 bits of random : 43 s (~ 8 chars)
      45 bits of random: 23 mins (~9 chars)
      50 bits of random: 12 hours (~10 chars)
      64 bits of random: 23 years (~13 chars)

      Better start using pwgen 14 for your passwords.. For WPA-PSK I actually use this:

      $ python
      >>> import base64
      >>> base64.encodestring(file("/dev/urandom").read(128/8));
      'HZE6Ka6GeO3OT23ay2G0Ww==\n'

      Which isn't going to be reversed without breaking sha1.

  3. Wikileaks by Sub+Zero+992 · · Score: 5, Insightful

    Amazon provide infrastructure services. They need not, should not, must not know or seek to know how these services are used.
    Oh wait, Wikileaks...

    --
    They who would give up an essential liberty for temporary security, deserve neither liberty or security - Ben Franklin
    1. Re:Wikileaks by TheCarp · · Score: 2

      You forgot one.... cannot.

      Firstly, they can't reasonably audit all code going into the system by hand. This leaves some sort of automated code check, or monitoring the workloads in some way. Simple size of the workload doesn't help; that could be anything.

      You could watch for library calls to hash functions, but they are easy enough to implement and get around that.

      Even if you could detect the fact that I am hashing strings over and over again, you still wouldn't know why I was doing it. Am I researching hash functions? Am I processing bitcoin transactions (probably not an economical use)? Am I strength checking my own password? A group's passwords?

      Hell, I worked as an admin at another job. I was called into another admin's office one day to be shown a jumble of characters on his white board.... in the middle of them was my password. He had been tasked with strength checking all of our passwords. I was surprised that he got mine, but, in thinking about it later, it was close enough to being based on a couple of dictionary words that it wasn't very good.

      --
      "I opened my eyes, and everything went dark again"
  4. None? by kju · · Score: 5, Insightful

    They should not take any steps in this direction. We should have learned that. it. just. don't. work. Brute-forcing a hash is not illegal anyway. If the customer of Amazon decides to misuse the result, then this is not the responsibility of Amazon. Many services and tools can be abused for crime.

  5. Easy answer by betterunixthanunix · · Score: 4, Insightful

    "what role should Amazon and other public-cloud service providers play in preventing customers from using their services to commit crimes?"

    No role whatsoever; let law enforcement agencies handle criminal investigations.

    --
    Palm trees and 8
  6. Well I Can Answer the Last Question by BJ_Covert_Action · · Score: 4, Insightful

    "Among the questions Roth's research raises is, what role should Amazon and other public-cloud service providers play in preventing customers from using their services to commit crimes?"

    None whatsoever. Amazon and other service providers are retailers. They are not a police force. If a crime is being committed, let the designated authorities (i.e. cops) investigate it, police it, and arrest the criminal. No business should ever be involved in policing anything. That's a role specially held for the executive branch of governments.

  7. Re:Offensive by Anonymous Coward · · Score: 5, Funny

    Probably because grandfathers tend not to be bitches.

  8. Re:Offensive by h4rr4r · · Score: 2

    How come you never age?

    If you are going to troll like this try aging your character.

  9. 20-character by Lord+Ender · · Score: 5, Informative

    It's actually 20 random characters that are recommended for use as cryptographic keys. The reason for this is that 20 random keys from the US keyboard has the same number of possible combinations as 128 random bits. If you use anything less than 20 random characters, even if you use a 128-bit encryption algorithm, you won't have 128-bit encryption. The same is true if you use 20 non-random characters. A brute-force attack would try passwords with words or phrases before going for the really random stuff, so you again don't have 128-bit encryption.

    Also fun to realize: for every character less than 20, you lose 100x your security. A 19-character password could be cracked in just 1% of the time of a 20-character password. A 10-character password would take .000000000000000001% of the time.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:20-character by Lord+Ender · · Score: 2

      Welcome to the world of cryptography, kiddo! "Random" is a fun word. Here's an example of some random numbers: http://www.dilbert.com/fast/2001-10-25/

      Need more? http://www.amazon.com/Million-Random-Digits-Normal-Deviates/dp/0833030477/ref=cm_cr_pr_product_top

      For the purposes of cryptography, though, random (obviously) means 'unpredictable.' Or, more specifically, it means it is impossible to write a program which generates passwords devised using your scheme without going through, on average, half the keyspace per attempt.

      So remember that when you're talking crypto, use the crypto definition of the term. Then you (hopefully) won't make embarrassing comments like that again.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  10. Re:Why use EC2? by natehoy · · Score: 2, Insightful

    "In the same amount of time" is the biggie. They are talking about using short timeslices of hundreds of computers. The article mentions using 400 GPUs (but isn't very clear on whether 400 GPUs for 20 minutes is what costs $1.68). If that's true, then decoding it with a single GPU would take about 5 1/2 days, assuming you had the same class of hardware Amazon is using.

    Not earth-shattering amounts of time, true, but if speed is of the essence you probably don't want to wait the better part of a week.

    --
    "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  11. What role should they take? None, maybe? by Opportunist · · Score: 3, Insightful

    I would expect Amazon to cooperate with law enforcement should they discover that their service was abused to commit a crime. But why should they be required to "avoid" it? And most of all, how? The only way to really keep people from using that service for criminal means would be to explicitly disallow certain uses and then monitor whether it is used this way. And that in turn raises a question: How? Because one of the core reasons this service is interesting is that it offers cheap calculation power. If you attach a metric ton of red tape and surveillance, it's most likely cheaper and faster to let your old Pentium do it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. Hands Off by b4upoo · · Score: 2

    Cloud services need to avoid any type of actions that create the illusion that they may be responsible for what users do. As long as they never have any editing of any uses of their product they will probably not be held liable by the courts. In a way it is like the truck driver that opens the trailer door and sees what he is delivering. As long as he does not know what is in the trailer the law will not charge him with transporting illegal or stolen items. Intent and knowledge are locked together. Don't look, don't see and don't know.

  13. Re:That's not correct by Carnivorous+Vulgaris · · Score: 2

    Not always.

    Access points use the SSID as the salt, and most APs use common default SSIDs.

  14. This is wildly overstated as a risk by igb · · Score: 4, Interesting

    The basic story is slightly hysterical. Firstly, WPA2 does use a multiple-iteration key derivation function. Secondly, even with the claimed performance, he can only "brute force" five or six characters, depending on the character set in use. It's enough performance to deal with dictionary words, because, indeed, it's a dictionary attack. But even at 400K password derivations per second (i.e. 400M SHA-1 hashes per second), eight random characters drawn from the 96 character printable ASCII repertoire are going to take 571 years to perform a brute force attack on, or an average time to success of 285 years. Don't like the odds? My home network uses 12 characters drawn from a 64 character set (i.e. base 64 encoding), which needs 374 million years (average 167 million) at that performance. Do I give a shit if that number gets reduced by a few orders of magnitude? Not really: I can always move to 15 characters...

    1. Re:This is wildly overstated as a risk by Mysteray · · Score: 2

      The great majority of passwords don't have anywhere close to the entropy of "eight random characters drawn from the 96 character printable ASCII repertoire". Probably a great many passwords can be successfully guessed in a reasonable amount of time at 400K trials per second.

      Here are the results from the last Defcon 18 contest.

  15. Depends on Who You Ask by carrier+lost · · Score: 5, Funny

    ...should Amazon and other public-cloud service providers [be liable for] customers [...] using their services to commit crimes?

    • MPAA/RIAA - If it aids in file-sharing, then Amazon should be charged $6M for each infringement
    • Washington - If it aids in leaking US data, then Amazon should be "extraordinarily rendered"
    • Wall Street - If it aids the banks in looting the world's economies, then Amazon should get a $300M bonus.

    Hope this helps...

  16. Re:Why use EC2? by volsung · · Score: 4, Interesting

    The assertion that high end Tesla cards (often $2k) are required for this crack is nonsense. In terms of integer, single precision floating point and memory bandwidth, a GTX 580 is actually FASTER than the most expensive Tesla card. Tesla cards have better QA for 24/7 usage, 4x faster double precision floating point, and 3 or 6 GB of memory, plus some other occasionally useful features. But anyone with an NVIDIA SLI gaming rig built in the last 2 years could easily have done what this guy did in less than 20 minutes.

  17. Re:Offensive by operagost · · Score: 2

    Because human beings have two sexes, so we have to choose one?

    --
    Gamingmuseum.com: Give your 3D accelerator a rest.
  18. The problem is not EC2 by gweihir · · Score: 2

    The problem, as one of the referenced articles points out and as has been known in the crypto-community for a long time, is fast key-derivation functions. Even the original UNIX password encryption function already took that into account and iterated the key derivation function to make attacks take longer. Typical methods used today for example iterate a second or so on the target CPU. This is a compromise between needing one second per unlock and requiring one second per brute-force attempt on an equivalent CPU. GPUs still make that attempt problematic, but one application of SHA1 takes something like 0.1 microsecond on a modern CPU, so it should at least be iterated 10'000'000 times or so. Even with that, SHA1 is a bad choice, as it is too simple. Use something that requires a full-blown CPU to work and that a GPU cannot easily do. Of course, high-entropy passwords also help a lot by enlarging the search space.

    But in essence, EC2 GPU instances can only break Crypto for cheap that was badly implemented anyways. That is not really a surprise. There are far too many people out there that do crypto without even understanding the attack possibility, let alone being cryptographers.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
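Added example, not posted by anyone in this thread and not taken from any project: a Python demonstration of the iterated key derivation gweihir describes, using the WPA2-PSK construction itself (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, as IEEE 802.11i specifies) and measuring how much more one guess costs than a single SHA-1. It also shows Carnivorous Vulgaris's point from comment 13 that the SSID is the salt: the same passphrase gives a different PSK under a different SSID, so work precomputed for a common default SSID does not transfer to a network with a unique one. The passphrase and SSID strings are constructed sample values.

```python
import hashlib
import time

# WPA2-PSK (IEEE 802.11i): PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
WPA2_ITERATIONS = 4096
WPA2_PSK_BYTES = 32

# Constructed sample values for the demonstration; not from the thread.
SAMPLE_PASSPHRASE = "correct horse battery staple"
DEFAULT_SSID = "linksys"         # a common default-style SSID
UNIQUE_SSID = "fridge-net-7f3a"  # an operator-chosen SSID


def derive_psk(passphrase: str, ssid: str, iterations: int = WPA2_ITERATIONS) -> bytes:
    """Derive the 256-bit PSK the way a WPA2 supplicant and access point both do."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               iterations, WPA2_PSK_BYTES)


def time_per_call(fn, repeat: int = 30) -> float:
    """Average wall-clock seconds for one call of fn()."""
    start = time.perf_counter()
    for _ in range(repeat):
        fn()
    return (time.perf_counter() - start) / repeat


def kdf_slowdown(passphrase: str, ssid: str, iterations: int = WPA2_ITERATIONS) -> float:
    """Cost of one iterated-KDF guess relative to one plain SHA-1 of the same input.

    This ratio is the factor by which the KDF divides a guesser's rate; raising the
    iteration count raises it, at the price of a slower one-time legitimate join.
    """
    plain = time_per_call(lambda: hashlib.sha1(passphrase.encode() + ssid.encode()).digest())
    iterated = time_per_call(lambda: derive_psk(passphrase, ssid, iterations))
    return iterated / plain


def salt_changes_key(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PSKs under two SSIDs."""
    return derive_psk(passphrase, ssid_a) != derive_psk(passphrase, ssid_b)


if __name__ == "__main__":
    print("PSK under default SSID:", derive_psk(SAMPLE_PASSPHRASE, DEFAULT_SSID).hex())
    print("PSK under unique SSID: ", derive_psk(SAMPLE_PASSPHRASE, UNIQUE_SSID).hex())
    print("salt changes key:", salt_changes_key(SAMPLE_PASSPHRASE, DEFAULT_SSID, UNIQUE_SSID))
    for iters in (1, WPA2_ITERATIONS, 4 * WPA2_ITERATIONS):
        factor = kdf_slowdown(SAMPLE_PASSPHRASE, DEFAULT_SSID, iters)
        print(f"{iters:>6} iterations: one guess costs ~{factor:.0f}x a single SHA-1")
```

The measured factor is what the 4096 iterations buy: the GPU figures quoted in this thread are SHA-1 rates, and each WPA2 guess spends thousands of SHA-1 invocations, which is why igb's 400K derivations per second corresponds to roughly 400M hashes per second. Changing the SSID from the factory default is the cheap defensive counterpart: it does not add iterations, but it makes any table precomputed for a common SSID useless against that network.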
  19. stop using non-random passwords by madbavarian · · Score: 2

    People need to stop using non-random passwords for WPA2-PSK. This attack sounds like a dictionary attack, because there is no way at only 400k passwords per second that he could map more than a minuscule fraction of the 2^256 key keyspace. We are talking 1e77 potential passwords. At 400k/sec that only amounts to 1e13 passwords per year. It will still take 1e64 years to break. Since the universe is only ~1.5e10 years old, I think we are safe enough from a true brute force attack.

    Of course that assumes people do turn off WEP and WPA1 and all the WPA1 crap in WPA2 (like turning off TKIP and only allowing CCMP).
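Added example, not posted by anyone in this thread and not taken from any project: a small Python calculator that reproduces the keyspace arithmetic several posters work through by hand, so the figures can be checked against one another. It covers Carnivorous Vulgaris's charset ^ length rule, the Anonymous Coward's table of 40 to 64 bits against a 100-instance cluster at 250M hashes per second each, Lord Ender's 20 keyboard characters being about 128 bits (and one character fewer dividing the work by the charset size), igb's 571 years for eight printable characters at 400K derivations per second, and madbavarian's 1e64 years for the full 256-bit keyspace. The rates and character set sizes are the ones the posters state; the helper names are my own.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy in `length` characters drawn uniformly from `charset_size` symbols
    (log2 of charset_size ** length, the permutation count in the thread)."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float, average: bool = False) -> float:
    """Time to try every candidate, or on average half of them, at the given guess rate."""
    total = 2.0 ** bits / guesses_per_second
    return total / 2 if average else total


def years_to_exhaust(bits: float, guesses_per_second: float, average: bool = False) -> float:
    return seconds_to_exhaust(bits, guesses_per_second, average) / SECONDS_PER_YEAR


def bits_reachable(guesses_per_second: float, seconds: float) -> float:
    """Entropy that can be fully enumerated in `seconds` at the given rate."""
    return math.log2(guesses_per_second * seconds)


def chars_for_bits(charset_size: int, target_bits: float) -> int:
    """Random characters from the charset needed to reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(charset_size))


def describe(seconds: float) -> str:
    """Human-readable duration for printing."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # The Anonymous Coward's table: 100 dual-GPU instances at 250M SHA-1/s each.
    cluster = 100 * 250e6
    for bits in (40, 45, 50, 64):
        print(f"{bits} bits of entropy at 25 GH/s: {describe(seconds_to_exhaust(bits, cluster))}")
    print("bits exhaustible in 23 minutes:", round(bits_reachable(cluster, 23 * 60), 1))

    # igb's figures: 400K WPA2 derivations/s, i.e. roughly 400M SHA-1/s after the KDF.
    kdf_rate = 400e3
    print("8 chars from 96 printable:", describe(seconds_to_exhaust(entropy_bits(96, 8), kdf_rate)),
          "(average", describe(seconds_to_exhaust(entropy_bits(96, 8), kdf_rate, average=True)) + ")")
    print("12 chars from base64:", describe(seconds_to_exhaust(entropy_bits(64, 12), kdf_rate)))

    # Lord Ender: 20 random US-keyboard characters (95 printable) vs 128 bits.
    print("entropy of 20 keyboard chars:", round(entropy_bits(95, 20), 1), "bits")
    print("keyboard chars needed for 128 bits:", chars_for_bits(95, 128))
    print("one character fewer divides the work by", 2 ** (entropy_bits(95, 20) - entropy_bits(95, 19)))

    # madbavarian: the full 256-bit PSK keyspace at 400K/s.
    print("full 256-bit keyspace at 400K/s:", describe(seconds_to_exhaust(256, kdf_rate)))
```

The practical reading is the one the thread converges on: with the iterated KDF in front of it, a GPU cluster only reaches the low-entropy end of the scale (dictionary words, short strings, common substitutions), and a passphrase with 13 or more genuinely random characters from a 95-symbol set sits beyond any of the rates quoted here. Note that the table in the thread counts every candidate; the `average=True` flag gives the expected time to the first hit, which is half of that.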