Cloud-based crack of SHA-1 passwords is a taste of things to come

Reports that a German hacker has successfully cracked a secure hashing algorithm (SHA-1) password using a pay-as-you-use cloud computing based parallel processing environment is worrying.

“It’s worrying because, as Thomas Roth says, it’s easy to start up a 100-node cracking cluster with just a few clicks, but if you extend the parallel processing environment by just a few factors, it becomes possible to crack passwords of most types in a relatively short timeframe,” said Chris Burchett, CTO of Credant Technologies.

Although renting processing time on a cloud resource like Amazon Web Services could get relatively expensive at this level, there is the added dimension of cybercriminals using stolen payment card credentials to fund their cloud cracking escapades, which means they will not be bothered about the cost involved.

Burchett went on to say that the incident has parallels with other online password and hash cracking websites including the revelation of almost 12 months ago when security researcher Moxie Marlinspike revealed he had created an online Wi-Fi password cracking service called, appropriately enough, WPAcracker.com.

At the time, some experts were calling Marlinspike’s service a cloud-based resource, but whilst the $17.00-a-time service can reportedly crack a Wi-Fi password in around 20 minutes – a process that would take a dual-core PC around 120 hours – it is a highly specific cracking application with relatively finite processing power.

Using Amazon Web Services to crack a 160-bit SHA-1-hashed password, however, extends the hacker ballgame into a whole new cloud computing dimension, since it allows hackers to run custom cracking code that would normally take several months on a multi-core supercomputer – a platform that, of course, cybercriminals would not normally have access to, the Credant CTO explained.

Roth’s exploit, says Burchett, is significant, as he claims to have cracked all the hashes from an SHA-1 hash with a password of between 1 and 6 characters in around 49 minutes – and at a cost of just over one pound.

Up to now, we’ve been in the realm of a more limited use crack sites, but the concern is that the practically limitless compute resources for relatively low cost available in the cloud can make attacks that previously were proof of concept an everyday reality. You can be sure that cybercriminals will be passing reports of Roth’s exploits on to their black hat hackers and asking them to repeat the methodology in other applications.

“It has to be remembered that SHA-1, although it is being phased out, still forms part of several widely-deployed security applications, including Secure Sockets Layer, Transport Layer Security and S/MIME protocols to mention but a few,” he added.

“At the moment, we are talking about a limited application, but it doesn’t take a genius to work out the ramifications of Mr Roth’s research project.”