Reports that a German hacker has successfully cracked a secure hashing algorithm (SHA-1) password using a pay-as-you-use cloud computing based parallel processing environment is very worrying. This is one of the first times that an SHA-1 encrypted password has been cracked using rentable cloud-based computation.
It’s worrying because, as Thomas Roth says, it’s easy to start up a 100-node cracking cluster with just a few clicks, but if you extend the parallel processing environment by just a few factors, it becomes possible to crack passwords of most types in a relatively short timeframe.
Although renting processing time on a cloud resource like Amazon Web Services could get relatively expensive at this level, there is the added dimension of cybercriminals using stolen payment card credentials to fund their cloud cracking escapades, which means they will not be bothered about the cost involved.
The incident has parallels with other online password and hash cracking websites including the revelation of almost 12 months ago when security researcher Moxie Marlinspike revealed he had created an online WiFi password cracking service called, appropriately enough, WPAcracker.com.
At the time, some experts were calling Marlinspike’s service a cloud-based resource, but whilst the $17.00-a-time service can reportedly crack a WiFi password in around 20 minutes – a process that would take a dual-core PC around 120 hours – it is a highly specific cracking application with relatively finite processing power.
Using Amazon Web Services to crack a 160-bit SHA-1-hashed password, however, extends the hacker ballgame into a whole new cloud computing dimension, since it allows hackers to run custom cracking code that would normally take several months on a multi-core supercomputer – a platform that, of course, cybercriminals would not normally have access to.
Roth’s exploit is significant as he claims to have cracked all the hashes from an SHA-1 hash with a password of between 1 and 6 characters in around 49 minutes – and at a cost of just over one pound.
Up to now, we’ve been in the realm of a more limited use crack sites, but the concern is that the practically limitless compute resources for relatively low cost available in the cloud can make attacks that previously were proof of concept an everyday reality. You can be sure that cybercriminals will be passing reports of Roth’s exploits on to their black hat hackers and asking them to repeat the methodology in other applications.
It has to be remembered that SHA-1, although it is being phased out, still forms part of several widely-deployed security applications, including Secure Sockets Layer, Transport Layer Security and S/MIME protocols to mention but a few.
At the moment we are talking about a limited application, but it doesn’t take a genius to work out the ramifications of Mr Roth’s research project.