[ISN] Password-cracking chip causes security concerns

From: InfoSec News (alerts@private)
Date: Thu Oct 25 2007 - 03:06:37 PDT


http://technology.newscientist.com/article.ns?id=dn12825

By Andrew Brandt
NewScientist.com news service
24 October 2007

A technique for cracking computer passwords using inexpensive 
off-the-shelf computer graphics hardware is causing a stir in the 
computer security community.

Elcomsoft, a software company based in Moscow, Russia, has filed a US 
patent for the technique. It takes advantage of the "massively parallel 
processing" capabilities of a graphics processing unit (GPU) - the 
processor normally used to produce realistic graphics for video games.

Using an $800 graphics card from nVidia called the GeForce 8800 Ultra, 
Elcomsoft increased the speed of its password cracking by a factor of 
25, according to the company's CEO, Vladimir Katalov.

The toughest passwords, including those used to log in to a Windows 
Vista computer, would normally take months of continuous computer 
processing time to crack using a computer's central processing unit 
(CPU). By harnessing a $150 GPU - less powerful than the nVidia 8800 
card - Elcomsoft says they can be cracked in just three to five days. Less 
complex passwords can be retrieved in minutes, rather than hours or 
days.

It is the way a GPU processes data that provides the speed increase. 
NVidia spokesman Andrew Humber describes the process using the analogy 
of searching for words in a book. "A [normal computer processor] would 
read the book, starting at page 1 and finishing at page 500," he says. 
"A GPU would take the book, tear it into a 100,000 pieces, and read all 
of those pieces at the same time."

Benjamin Jun, of Cryptography Research based in San Francisco, US, says 
massively parallel processing is ideally suited to the task of breaking 
passwords. And, while concerned about the development, Jun also pays 
tribute to the achievement: "A number of us have been following advances 
in those platforms, and there's a lot of elegant, intelligent design."

Password cracking can be used to unlock data on a computer, but will not 
usually work on a banking or commercial website. This is because it 
takes too long to run through multiple passwords, and because a site 
will normally block a user after several failed attempts.

Jun adds that the trend towards encrypting whole hard drives with 
increasingly long cryptographic keys still means it is becoming more 
difficult to access sensitive data. "Should I throw away my web server 
and run for the hills?" he says. "I don't think so."

NVidia released a software development kit for its graphics hardware in 
February 2007. Known as CUDA, the kit lets programmers access the 
computing power of the GPU directly. It has gained a following among 
those with a need for high-performance computing, particularly in fields 
such as science and engineering.

"[CUDA] is a huge thing for the oil and gas industry, for the financial 
sector, and for scientists," Humber says. He adds that CUDA is also 
being used by a company called Evolved Machines to simulate the way the 
human brain wires itself.

Elcomsoft says it took three months to develop code to take advantage of 
a GPU, and the company plans to introduce the feature into some of its 
password cracking products over time.

