Next Article in Journal
Entity Linking via Symmetrical Attention-Based Neural Network and Entity Structural Features
Previous Article in Journal
Isoperimetric Numbers of Randomly Perturbed Intersection Graphs
Article Menu
Issue 4 (April) cover image

Export Article

Open AccessArticle

Study on Massive-Scale Slow-Hash Recovery Using Unified Probabilistic Context-Free Grammar and Symmetrical Collaborative Prioritization with Parallel Machines

1,*,†, 1,†, 2,† and 2,†
1
College of Computer, National University of Defense Technology, Changsha 410073, China
2
VeriClouds Co., Seattle, WA 98105, USA
*
Author to whom correspondence should be addressed.
The authors contribute equally to this work and are co-first authors.
Symmetry 2019, 11(4), 450; https://doi.org/10.3390/sym11040450
Received: 23 February 2019 / Revised: 22 March 2019 / Accepted: 26 March 2019 / Published: 1 April 2019
  |  
PDF [3039 KB, uploaded 1 April 2019]
  |  

Abstract

Slow-hash algorithms are proposed to defend against traditional offline password recovery by making the hash function very slow to compute. In this paper, we study the problem of slow-hash recovery on a large scale. We attack the problem by proposing a novel concurrent model that guesses the target password hash by leveraging known passwords from a largest-ever password corpus. Previously proposed password-reused learning models are specifically designed for targeted online guessing for a single hash and thus cannot be efficiently parallelized for massive-scale offline recovery, which is demanded by modern hash-cracking tasks. In particular, because the size of a probabilistic context-free grammar (PCFG for short) model is non-trivial and keeping track of the next most probable password to guess across all global accounts is difficult, we choose clever data structures and only expand transformations as needed to make the attack computationally tractable. Our adoption of max-min heap, which globally ranks weak accounts for both expanding and guessing according to unified PCFGs and allows for concurrent global ranking, significantly increases the hashes can be recovered within limited time. For example, 59.1% accounts in one of our target password list can be found in our source corpus, allowing our solution to recover 20.1% accounts within one week at an average speed of 7200 non-identical passwords cracked per hour, compared to previous solutions such as oclHashcat (using default configuration), which cracks at an average speed of 28 and needs months to recover the same number of accounts with equal computing resources (thus are infeasible for a real-world attacker who would maximize the gain against the cracking cost). This implies an underestimated threat to slow-hash protected password dumps. Our method provides organizations with a better model of offline attackers and helps them better decide the hashing costs of slow-hash algorithms and detect potential vulnerable credentials before hackers do. View Full-Text
Keywords: data security; distributed computing; probabilistic context-free grammar; slow hash data security; distributed computing; probabilistic context-free grammar; slow hash
Figures

Figure 1

This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited (CC BY 4.0).
SciFeed

Share & Cite This Article

MDPI and ACS Style

Wu, T.; Yang, Y.; Wang, C.; Wang, R. Study on Massive-Scale Slow-Hash Recovery Using Unified Probabilistic Context-Free Grammar and Symmetrical Collaborative Prioritization with Parallel Machines. Symmetry 2019, 11, 450.

Show more citation formats Show less citations formats

Note that from the first issue of 2016, MDPI journals use article numbers instead of page numbers. See further details here.

Related Articles

Article Metrics

Article Access Statistics

1

Comments

[Return to top]
Symmetry EISSN 2073-8994 Published by MDPI AG, Basel, Switzerland RSS E-Mail Table of Contents Alert
Back to Top