 So welcome everybody, it's my pleasure to announce the next speaker and talk speaker is David Holton he's specialized in Crypto cracking using FPGA's he has already given talks at the CCC events About the a 51 attack and it's the organizer of the tour camp and tour con in the US Please give a warm welcome to David Holton The state is yours. All right All right, thanks a lot Okay, so I'm here today to talk to all of you about legacy crypto and more specifically DES and This may be a little annoying for a lot of you in that All of us thought that DES was dead back in the late 90s like nobody's gonna use this anymore But it turns out that does is actually used in lots of different protocols that are still used today So did anybody see the talk you gave in 2012 with moxie Marlin spike on cracking MS chap v2 Okay, good. So a few people, but I'm just gonna do a quick overview of this because it's kind of part of The background for this talk so MS chap v2 is basically a way of doing mutual authentication using a password and It's used in primarily pbtp VPNs and WPA enterprise and so if you connected to the wireless network here using you know using them in password you were using MS chap v2 which relies on DES and Another thing is that the research that we did is nothing new Actually, Bruce Schneyer and Mudge and David Wagner published a very similar attack back in the late 90s And so this attack was known about for you know Almost 13 years up to the point that we that we presented a practical way of exploiting it And so people knew for you know over a dozen years that state actors well-funded organizations could Basically break any of these protocols that they relied on MS chap v2 and Just as a quick overview of how MS chap v2 works You have you know, hello You get a random server challenge the client generates a challenge and then that's kind of a hash together to create your challenge hash But the the important part here is that you have this challenge hash, which is your known plaintext It's actually sent across in the clear so both sides can can you verify the password and then? then basically use DES to encrypt this challenge hash with Essentially the NT hash of the person's password Which is essentially the the password equivalent and then that creates a challenge response it gets sent sent across and that's how you verify that the client has the correct password to authenticate to a service and Up until this point people had just tried attacking the user password because obviously You know common most of the time the password is the weakest link in most of these systems people choose horrible passwords and That's usually the you know the fastest way to attack this and so people would you know Do dictionary attacks and tried all the commonly used passwords in order to to try to break this and using programs like John the Ripper or sleep or There's a number of different ones that that rely on a word list But if you wanted to crack say, you know a 255 character Password with uppercase and special characters and everything you're looking at around 92 bits that you would have to brute force Which is you know would take a ridiculous amount of time Whereas by attacking the DES operations in this to crack the NT hash We're looking at you know on the order of around 2 to the 56 to the 57 sort of operations. So It you know wasn't till recently that this sort of attack was actually feasible to actually do an attack on DES and And so this was outlined in the late 90s and so we thought oh, why you know, it should be easy to do this I built, you know a couple of DES crackers using FPGAs so we thought let's let's try to actually make this a practical attack and so looking into this some more and One thing that you start to notice is that? Your NT hash is 128 bits and a DES key is 56 bits and so So actually this NT hash in these first two, you know is the fold to the 56 This one is only six a 16 bit key that's being used. It's just zero padded to be to be 56 bits and When you look certainly at the complexity. Yeah, it's you know to the 57 or so But because of that 16 bit key you can basically throw that away that you can do that with any sort of computer You could do it with an Arduino right and so so now we looked at attacking the first two keys which are the full to to the 56 and One thing to notice is that they're encrypting the exact same plain text between these two DES operations And so a naive implementation of this is that you crack both keys totally separately Where you know you go through the whole key space to try to crack one key and go through the whole key space to Crack the other one but one nice thing about them using the same plain text for both is that you can go through the key space just one time and Just have two compares after you do your DES operation to crack both of the keys And then on average you're going to be cracking both keys and around 70 percent of the key space So I mean you can do the math there, but it really comes down to around two of the 56 DES operations to break this And so, you know, we demonstrated that yeah, you know There's a slight optimization where you can do it in to the 56 instead of the two to the 57 point whatever that that Schneier and Mudge pointed out back in the 90s and The other big thing about our talk is that we made it accessible to everybody so everybody could perform this attack and And and so how we did this was Moxie Marlin spike already had this service called cloudcracker.com had anybody heard of cloudcracker It was somewhat popular in in 2012 and so We basically hooked up a bunch of FPGAs in the back end and tied it into cloudcracker.com and published this Python app that would extract All of the key material for cracking pptp VPN exchanges And then you could just submit a token to cloudcracker and then within 24 hours We would send you the DES key or the NT hash And so then you could use that NT hash to authenticate to the pptp network decrypt all the traffic You know, it basically do all the all the different sort of attacks that you would require a password to do And a lot of you may be thinking, you know, we gave this talk in 2012 You know the ff came out with a descracker in 99 or 98 and so Shouldn't des be super easy to crack at this point and So just a quick overview the the ff descracker in 1998 took around 9.2 days to go through the whole key space And we wanted to get this down to around 24 hours And so looking at all the available options out there If you use say aws ec2 CPU instances It would take around 80 000 cpu cores and cost you know in the order of a hundred thousand dollars or so To crack a deskey in that type sort of time period assuming that they had those instances available for you to spin up On gpu instances, uh, you know, it would be around 1800 gpu's and take around 20 000 dollars in ec2 credits to to crack a key And what we offered was 20 dollars to crack a key and it would you know return it back in around 24 hours And this was essentially a hardware that we were kind of like doing burnin testing on with my company Because we make fpga boards And so um, so we would just you know run them through the system to crack deskeys You know to to test them out before you ship them out the door to customers and then eventually A lot of this hardware kind of went end of life right now. It's a few generations behind And so now we can't we don't really sell them anymore so it ended up getting kind of migrated into my basement and uh And so now I have the server in my basement that cracks des and less than 24 hours And then you know, of course after you gave this talk in 2012 everybody rushed to fix everything, right? Right? I mean, of course everybody fixes everything, right? and so specifically one of the You know bigger vpn providers that we pointed out specifically in our talk iPredator and you know said oh, you know like these this this company has you know Many many customers and they're vulnerable to this Their fix was basically to just do a little post on their web page saying that They recommend that you don't do pbtp vpns, but you know, they still offered the service. So everybody kept on using it, of course, right? um And then and then also people kind of dismissed our attacks on wp enterprise in that everybody does strong certificate checking I'm sure all of you have installed the certificate For the the network for shot 2017, right? Can I guys see a show of hands of who actually installed the certificate for the network? Okay, so a few people that's good But you know in large enterprise environments Enforcing that across all of the different, you know clients and people that are bringing their own devices and connecting to the network Is very problematic and and in a lot of cases These operating systems don't do very good certificate checking So anyway, we we started running the service and Almost immediately I started seeing very interesting jobs pop up Just as an example here this top line is kind of a standard job, you know, everything's fairly random But then you look at this one and like the plain text is one one two two three three four four and that seems strange for You know, basically a random shot one of you know, a couple challenges So, you know, that seemed a little weird We're wondering what that was and then also we got these where both the cipher texts are exactly the same and so That you know, that's very crazy odds to end up with something like that And so we're like what are people using the service for? And and then we started seeing articles of people, you know Using our service for cracking wp enterprise, which is great And and then also this kind of popped up Has anybody here used the smb capture module of metasploit or a responder or anything like that to crack windows authentication Okay, well anyway So this is kind of the standard challenge string with windows authentication that if you're doing Windows authentication man in the middle attacks Most of these tools will just set this as the challenge And then there's already rainbow tables for attacking the password based on You know captures using this challenge and so I was like, oh, well People are obviously using our service for cracking passwords that they aren't able to crack with with these password based rainbow tables And and so people are obviously using the system for all sorts of other Purposes and what we were originally intending it for And then one day all the traffic kind of dropped off to my server And a cloud cracker went down mysteriously. I still have no idea what happened to it, but Since I run tour con I thought maybe we could offer this as a service of my conference And so we started this website called crack.sh Which is basically just a you know, pretty front end to the desk cracking service And it takes the exact same You know format as as the cloud cracker system did for for cracking these jobs And so um Then you know, I kind of took it by myself to look into what people were using this for and try to add more features to You know make it applicable to a lot more a lot more things So what features should we add and and the really the main point of all this research that we've been doing for You know six years now is how can we finally kill des once and for all and How can we get rid of this legacy algorithm that's been known to be you know insecure for 20 years now So looking into windows authentication for landman and ntlm v1 If you if you look at how how this works, it's actually very similar to ms chap v2 The only key difference is that your challenge is actually set entirely by the server instead of being hashed with a with a client challenge So um, and I think that this is technically ms chap v1 that that they're using for windows authentication And I I think that there's still probably other systems out there that use ms chap v1 In which um, you know this attack works works great And so um, so yeah, we saw people you're using this because um One of the things with using a rainbow table or using uh, you know Password-based dictionary attack is that you're attacking the password But with our service it works a hundred percent of the time no matter how complex the user's password is and so So yeah, I started talking to people that were doing pentests and they were saying. Oh, yeah, you know like uh They're we're trying to crack an account that um doesn't even have a password set or you know It's like a one of the computer generated accounts that has a randomly generated 255 character long password And they're actually able to crack the nt hash and then log in as that user that you aren't really supposed to be able to log in as And so um, this is this is very interesting in that um, a lot of people were thinking that their password security policies were really doing something But in this case, uh, it didn't really matter. Um, how how complex the passwords were And so um So we ended up adding in some support where you can basically copy and paste in from S&B capture directly into the website and then for $20, you know, you would send you the key And uh, and then you could log in as that user on the network And uh, and then also in in the meantime, uh, this program called responder came out, which is basically um a way of doing Windows authentication man in the middle and so Uh, if you fire up responder if it uh, it looks for any sort of net bios name resolution requests And then it basically just resolves them to the tacker server And then you can do downgrade attacks to downgrade them to landman or until mv1 Do the full um, you know miss chap v1 authentication and then um, the result is that you end up getting this This uh response value that then you can feed into john the ripper or feed into our website and crack the key based on that and so um So with a lot of networks, especially ones that have, you know, some older devices on them that require landman or until mv1 Um, you know, you fire this up on the network and you're going to be getting just millions and millions of You know devices responding to you that are just, you know Automatically trying to connect to different, you know, um file shares and authenticate on the network And uh, and then also with wpa to enterprise, uh, since then there's been, um, they've come out with host APD wpe, which is, uh, basically a host ap um Uh server that you can run on your device and then it essentially, uh, you know Fakes a base station people connect to it and then it gives you a nice hash that you can crack with john the ripper or feed Into our website and then um the resulting nt hash that you get from our server, um You can authenticate with to the network so now you can log into the to the you know enterprise network and um and do it Without even knowing the person's password because you have the hash of their password And then also um in the meantime, uh karstin nil gave a talk, uh back in 2013 about Cracking over their updates to sim cards. Um, so And most sim cards there's actually like a, you know full java virtual machine that um Supports all sorts of different things and uh currently, you know Your carrier can send remote updates to your phone and update your sim card firmware and then do all sorts of things Like you know listening to your phone calls or you know Scary things like that and so he demonstrated that a lot of these cards are actually secured with single des and um And basically, you know outlined how you could use a service like cloud cracker or crack.sh To crack these over their update keys and then um, you know installed All sorts of nasty malware into people's sim cards And and then also if anybody here watches mr. Robot, this was featured on mr. Robot in season two episode nine so We we also wanted to make it so that any sort of other weird protocols like um lots of uh Radio protocols use des still um lots of satellite protocols, etc Um, we want to make it so anybody could use a service to crack anything anything that uses des So we decided to create a general purpose interface where you just kind of provide Uh the parts of the plain text that you know and parts of the cipher text You know and you can um and then we basically Run it through the FPGAs and send you a list of all the possible keys that meet that criteria And then you can do further checking on it. Um later on with software And so we have you know, basically just a simple kind of uh, you know We do the des operation and then apply a mask and do a compare and all this is up on github if you want to um try to Crack something that you found And so after I put together this interface, I wanted to you know, just show create an example app for this and um so my friends had worked on uh some kerberos attacks and They'd mentioned that they'd come across a lot of networks that still Use our support doing des kerberos authentication And um and this was you know, this is stuff that was supported back. I think pre windows 2003 But a lot of networks still have legacy machines on them that require this to be enabled and so um So I thought oh, you know, this should be fun. I'll try to crack des kerberos And so, um, there's all sorts of uh different parts of the protocol that you can use to crack the des key and um But the the key part is you have to be able to get uh, you know A network capture of them actually authenticating and you know getting tickets and stuff like that using des And so I just put together a simple editor cap filter that substitutes Basically any supported encryption type with uh does cbc crc, so um So now, uh, you know man of middles, uh, you know a connection and then says oh, we only support des cbc The client connects the server and um, and now they're going to be you know Communicating just using des And then because the whole protocol uses asn1. There's all sorts of uh plain text that's basically fixed just as part of You know the headers in asn1 That pretty much are always there And uh and then because of how cbc works we can basically attack any block in the whole You know message that's encrypted with des uh to figure out the key So it's only a matter of you know looking through the asn1 and figuring out where it lines up with uh with static values to To figure out how to extract known plain text and your cipher text to create a token to submit to the website And um and the reason why this this works is basically because um with cbc It basically the part of the ciphered block chaining is that you have The cipher text of the previous block that gets x-word with your plain text And so both of those values are known and so then you can you know use that to crack basically any block within the chain So um also on github, uh, you can take this uh, you know python script and point it at a pcap file And uh if it's using des cbc It'll you know automatically figure out the known plain text and create a submission token that you can submit to the website And crack the the des key for it And then of course, you know this works no matter how complex a person's password is because we're actually attacking the underlying protocol And not the password And so um another interesting thing that came up is that I started receiving people asking uh People emails from people asking if I could crack uh des crypt and does anybody remember? Back when your you know password file had uh had a hash in it that Had you know a des crypt Password yeah, I mean like nowadays nothing supports it right and so why are these people trying to crack des crypt hashes right? um, and so I started looking around and um, I guess that des crypt was it's basically 25 rounds of des uh to hash the password And um, and then they add in some salt to mix it, you know mess up the s boxes to salt it But it was originally designed so that running on a pdp 11 It would take you know over a second to compute a password and so obviously it's a bit faster nowadays But nobody uses this anymore right? right So it turns out that cunyx, um You still uses uh des I think that they actually support two different types They either support des crypt or their own proprietary one that's fully reversible so des crypt is actually the most secure option that they support And um, I found this press release from them from two years ago saying that they're in 50 million vehicles And i'm sure that they're in way more. Um, basically a lot of infotainment systems use cunyx And so, um, if you look at a lot of these talks that people are giving on on car hacking For example, uh, this one right here is from the charlie miller g pack From from his white paper and there's the password file with the with the des crypt hash in it Um, this is another talk that I found that, uh, you know, they just showed the past the shadow file From a from cunyx, uh, you know system running in a in a vehicle somewhere And then you know searching around online, you just find all these forums of people asking people to crack their des crypt hashes So, um, so I was like, okay, maybe there's there's something to this And so I implemented, um You know an fpga core, uh and support for the service to crack these and uh, you know Just runs through the whole key whole entire key space So we can guarantee that it cracks the password 100 of the time And um, and this is basically, you know, all 90 95 possible characters including nulls and stuff so 96 to the power of eight And then times 25 rounds of des and so it takes around three days for for the system to brute force at all And so I thought oh, I'm just gonna you know own all the things. I'm gonna get all these cool passwords and um, so you know you can take any of these plug it into the system wait three days and uh You know, I'm definitely going to find some really secure passwords using this method, right? You may you may sense a recurring theme in this talk um So I even had a friend. I was like, okay, give me give me the best password file that you have and and uh, He's like, oh, I just like opened up, um Uh one of these on star systems. It's basically in every, you know Any every vehicle that has on star and I got the shadow file off of it. So here you go try to try cracking this I'm sure it's really tough And it turns out that it's just root The root password for on stars root Um So the the g pack it's dt donkey for this other one. It's like vui. It's all just lowercase Alpha, you know, like I could have just cracked this with john the ripper and you know in a day or whatever on it on my arduino, so I I'm very pissed off at this point. So if anybody here has any sort of These hashes that might be difficult to crack Please let me know because I wasted a lot of time implementing this To go through the whole key space and I really want it to work on something that's that's difficult to crack So that's kind of how I feel um, but anyway, so uh the api uh for for just cracking arbitrary does stuff is up online You can check it out on github and um And then you know, we basically send you a like a gzip text file with a list of all the keys So you can you can try all of those And uh the the real thing, you know, it's like we're trying to fix this somehow and um And so I like to use this one example of of ways to fix things and as far as security So does anybody here remember session hijacking being able to steal cookies? You know over unencrypted, uh, you know web sessions and stuff So does anybody here remember fire sheep the firefox plugin? Yeah, yeah, so that got a lot of press And so, you know, it we knew about session hijacking for a good half a decade and um, and all these services, you know Like uh, facebook and amazon and like all these major websites Uh, never fixed it. They were like, oh, it's not an issue. Uh, you know only these wily hackers know how to do this But then it took, uh, you know a couple people making a firefox plugin that made it So you go on any public wi-fi and you see a list of all the sessions out there You can just click on them and log into someone's facebook account. It took that for Suddenly, you know within a month or two facebook does, you know ssl across Everything, you know amazon does ssl across everything all these websites now are fully ssl secured and so, um So this is kind of like, uh, you know that essentially what our project is trying to do is, uh Slowly but surely make it easier for everybody to do this sort of attack In order to get this finally phased out And it seems like an impossible task to kill a legacy crypto algorithm, but that's kind of our goal at this point so So then we started asking ourselves like how do we actually motivate this change more than just having a service out there that costs $20 and um, the biggest problem with the service is that, you know, it's It's a you know system with 48 fpgas Costs a lot to power it and the biggest part is that we need to have some sort of form of rate limiting So that people don't abuse the service and so that's why we charge the $20 And um, and so we asked ourselves what if we could make the service free and So going down that rabbit hole We were like, okay. Well, so to make it free, uh, we have to make it fast enough So that you know, we don't have to care too much about rate limiting or you know, we can we can deal with it And uh, we have to make it so you know draws less power and a lot sort of stuff And so obvious solution is maybe we could make a rainbow table of this And um, the the main issue when you look at making rainbow tables, especially of this size is that it's a very large key space Just for reference like the largest off-crack table is Around two to the 52 and a half and you know, we were looking at doing two to the 56 Which is you know, about 10 times bigger than the largest password rainbow table out there And um, and then also one thing what does is that uh, you know, it's a block cipher So we have plain text that we have to take into the equation so um Our our base our design goal was to make it so that it was just for a specific plain text And so of course we chose the one one two two three three four four, which um, we could use to attack windows authentication And um, and then we also wanted to make it have a really high success rate because um, you know, we you wanted this to be a service that was very reliable and um And especially because we're doing cracking two desks, you know the lower the uh the success rate than the higher You know, um chance of us not being able to crack You know two keys and we only crack one and that then it's not really worth it So um, and then the other thing is we wanted to make it as fast as possible so it could be close to real time And uh, so, you know, it just becomes that much more easier for people to use So, um the hardware that I just had uh available Um, I was like, okay. Well, I could I could easily afford six terabytes of nvume drives because they're super fast and um, and then I could also borrow some uh, you know high-end FPGAs for my work So these are being borrowed for now And uh, you know, I can borrow a server and so, you know, it doesn't doesn't cost that much to put this together And so I came up with some parameters The chain length is around half a million links per chain And then, um, you know around, uh, 275 billion chains per table It's like, okay, we'll have three tables and then this will get us a crack time of under three seconds. That sounds great. Let's do that And so, uh, to then I had to generate the tables and so I managed to borrow some hardware Um, I managed to borrow like 48 FPGAs, um, they're pretty high-end and so it's like, whoo, let's get going here and uh, you know put together a design and used, um A bunch of techniques that we figured out with putting together the first does cracker. Um, one of the main ones is that with the large FPGAs uh, you end up having lots of routing issues and so Um, most of our designs nowadays just have a really really narrow bus that we use to connect all these different cores together And then, um, essentially placed and routed just for individual regions on the FPGA So each one of these squares over here are individual clock regions And then, um, then we just kind of chain them together in a way that we can, uh, you know just Essentially kind of create a ring, um For passing data between all the cores and then, uh, it makes it so we can clock it faster and, um and you know just uh make a Use some more of the FPGA and um, it's just a lot more efficient to do it that way. Um So anyway got the core going got the hardware started running it and Then of course there's hardware problems, you know anytime you deal with hardware, um You know running 48 FPGAs of these of this size in one system obviously Creates lots of uh overheating issues. So had to deal with that Also turns out turning on, you know, like over a hundred des cores in an instant Uh power supplies don't like that for some reason Um, you know just like immediately going from drawing two amps to drawing like 40 or 50 amps Lots of power supplies don't like that So we had to refactor a bunch of things, uh, you know fix a bunch of issues And eventually we got it fixed And um Finally got some tables back that we could check and unfortunately there is a really high collision rate. So then Uh, it basically meant that the tables that we spent, you know a few weeks building were unusable But we learned a lot of lessons and so Um came up with some new parameters basically because of the collisions we had to pare down Our ambitions a little bit. So we went to 12 tables instead of three and um And then that kind of increased our crack time to closer to 12 seconds Which is still still reasonable, I think so um Then more more issues, you know, like the hardware that we borrowed ended up having to actually go out to customers for some reason and so So we ended up having to return some and then um, you know, it's been a few more weeks generating tables And now we have our cracking system up. So this is uh, the system it has six FPGAs and these are the NVMe drives They're just like the tiny little m2 laptop ones and PCIe adapters and then Just to channel all of the air over to the FPGAs to keep them cool. I just put in some foam To channel the air. So it's um very very high end here And uh, and then it turned out that our coverage was better than expected right now we're at about 99.65 success rate and um, because Ideally we would have uh 12 FPGAs, but because we have six we do like the first half of the tables on six and then do the second half and so uh 92 of the time, it'll crack the key in under 12 seconds and then um And then you know, if it doesn't crack it then then it'll take another 12 seconds um And so for two keys our total success rate is still over 99 percent and um, you know Most of the time it'll take less than 24 seconds, which is pretty quick So anyway, um, it's free anybody can go to crack.sh and uh submit jobs and it'll Crack desk keys with this plain text, uh, you know within a matter of seconds So, uh, I thought I'd just do a quick demo. Um, so you guys can kind of see one of the practical applications of this. Um It might just be kind of useful since a lot of you it sounds like haven't used responder before So let's see here. Oh all right So I have a cali linux running on the left here for some reason my video is uh acting a little weird, but Yeah, I will okay So um, let's try firing up responder So now this is uh, you know on on the internal network between the windows host and and cali linux And this is the same as you know having You know laptop running cali linux just plugged into a corporate network And now whenever any machine that's running windows on the network, you know Goes to any file share or whatever. It's basically it doesn't matter what the file share's name is it's going to respond to basically everything on the network um Now so it just captured um, you know sent out that one one two two three three four four challenge and got response back here So now we can take this response and um Go over to crack.sh Just uh type an nt hash I'm pasted in here Oops, and now you know just type in your email address And uh, I didn't want to do this on the network for various reasons and so I kind of had this pre-canned But basically within You know most of the time within 24 seconds you'll receive the nt hash for that user in an email And we also have an api if you want to just automatically build this into responder or any of your tools So now um, this is essentially the password equivalent for for that user And then if we switch back over to here, you can do um something like smb client And tell it that we're going to give it the nt hash instead of the password Oh And then just paste in the nt hash and now you know we're on the on the system And um, and then also, uh, I assume some people here use metasploit or ps exec or okay, so um So there's also this cool feature in metasploit. You can also there's a bunch of different tools that do this, but um It's basically a way to get a shell on the system using Using an nt hash so you can um, you know, there's a bunch of different modules for doing stuff like this But um, I'm just going to show the ps exec module so So we're gonna Basically tell it to call back to us with uh shell and uh And then our samba password is just our hash here user client And uh, I tell it to exploit So now it's connecting uh, authenticating with the server Or with the you know the windows machine over here Using that that nt hash and then um, you can just say oh, I want to show them and now You know, I'm running as a system on there and um, you can do Basically any sort of commands um on the system As that user so then you can install backdoors or you know, whatever nefarious things you want to do So um, anyway, that's uh The quick demo of responder using this and uh, and yeah another just to Hammer this in a little bit more, you know, it doesn't matter how complex the user's password is doesn't matter Even if the user, you know set a password if it's, you know, a computer user or something like that This attack works for that 100 of the time within around 25 seconds So um So if we look at this in the scheme of morse law, you know We have the eff does cracker that came out in around 98 ish and uh, you know Took about 9.2 days to go through the whole key space and now fast forward about 13 bits in the future, you know 20 years We're looking at uh, you know in theory if morse law holds true For you know, if the eff did the same sort of thing today They'd be able to crack any deskey with any plain text and all that within around 97 seconds And you know, you could scale that obviously to well funded organizations and governments that have you know A few million to throw at this to get it done in a matter of, you know, uh, you know less than 10 seconds so um So I guess uh, you know With these legacy crypto algorithms, we're going to be seeing this more and more prevalent over, you know The next few decades of uh morse law catching up to these And uh, and then also another thing in the mix is that now, you know, especially with time memory trade-offs and rainbow tables You know with uh somewhere around 20 000 dollars. We're able to crack deskeys in 12 seconds, uh, especially with All this new Cool, you know nvme technology. There's other sorts of storage technology that's coming out That's just going to make these sorts of attacks even faster. Um So, um, so yeah, this is a really big issue. How do we get legacy crypto to be phased out? And we're trying this method right now and we'll see if it works. Um But uh, we really need help from everybody. So We have an api uh that you can use to integrate the service into any of your applications We'll probably be coming out with one that goes directly into responder that will just automatically, you know, reverse it to an nth Somebody already put together an airbot plugin so you can connect this to slack or irc If you want to submit jobs to the system over irc or something should be kind of funny And then uh, if you want to run it yourself, we put all the code uh up on github. It's all open source. Um, so uh, the this desert top is the actual software that um Kind of uh does all the lookups and run stuff, uh on the fpgas And then uh, this is actually the fpga project the desert t fpga and it's a vivato project that you can build for for any fpga um We also uh, thanks to the knock team and also uh yellowcation We managed to get a copy of the six terabytes of tables up on the network and um, and so if you go to Uh, either of these websites you can start downloading them And we're also trying to figure out the best way of getting it out to you know Be mirrored and torrented and all that sort of stuff So if anybody has any ideas or happens to run their own mirror for open source projects And can spare six terabytes or can leave this conference with six terabytes of drives Um come see me after the talk And um, and then obviously there's uh, you know, this all this stuff is built on uh the shoulders of giants So there's um tons of research that You know, it's kind of the precursor to all of this. Um, you know, I talked with moxie and marsh a while ago Ian foster you have a talk earlier today helped with some of the host a piece stuff that I was working on and um and then again special thanks to to protagonists in the knock and uh yellowcation for for helping get the stuff Online when I approached them basically yesterday afternoon and asked them if they could help me Get these tables up so people can download them So, um, anyway, uh, help me kill legacy crypto And if anybody wants to run free jobs once again, you know, this is just a method of Of you know, uh making sure the system isn't abused. So just email me if you have any interesting research ideas um everything's online and uh, and then also This whole thing is, you know, basically all the money that this generates goes directly toward running our tour account events And so our next tour con event that we have coming up is in san diego at the beginning of next month and um Then we also have uh, we also run the us hacker camp called tour camp and that's going on next summer. So Just as an extremely shameless plug for tour camp. It's a lot of fun We're out on one of the islands in washington and um There's people ring, you know pay phones and lasers and same stuff that you see here So if you want to come party with some of the american hackers, um, don't forget to Add that to your calendar. So thanks a lot for your time Thank you very much david and we have plenty of time for questions. The microphones are open If you have any question just queue in front of the mic crickets Okay, we have the first question Do you have any numbers on um, how long it takes? So the Expansive it is to round this on um easy to f1 Instances. Oh, yeah Yeah, so um, so yeah, there there's amazon f1 instances that came out recently and um And yeah, I was on their beta program and played around with it a little bit It looked like based on their pricing It would it would still cost like over a hundred dollars to crack a diskey like a hundred and ten or twenty dollars I think that's what I calculated. So um, so yeah, we're probably going to eventually migrate over to that But hopefully the pricing will be a little bit better Or maybe we could just add it as an option if somebody, you know, just wants to You know, we could provide an AMI or something if somebody just wants to pay it out of their pocket to to run it on there Cool. Thanks. Yeah More questions from the audience It seems like you've done dares pretty much as thoroughly as can be done So what's next? Well, so so I've done some research on On automotive like a mobilizer algorithms like high tag two and dst 40 and 80 and stuff like that And so I mean there's lots of low hanging fruit and that's sort of you know in the rfid crypto stuff Yeah, I mean basically anything less than 80 bits is probably something that that we could you know look into But yeah, it'll be a while before we can attack anything, you know much higher than that But if anybody has any ideas, please let me know So you basically already answered this one, but uh triple desk or double desk basically the to take keys That's way out of reach still right Yeah, yeah, um, I mean maybe once yes storage and uh, you know the Being able to do meet in the middle attacks and stuff like that is a lot more feasible than We'll be able to do that. But yeah for now. It's it's kind of uh I mean for for me like practical attacks are things that we could do, you know in under 24 hours um Because then if it takes longer than that then it's not really going to be you know that that useful to the most people And so I think it'll be a while before that's a reality, um but Yeah, for now for now a triple desk is safe for people like us at least Any more questions Okay, well, um, what if anybody wants to chat more about this or wants to help spread the tables then, um, please Come and see me after I'll probably be just right over here for now. So Thanks a lot. Yeah, thank you very much, david