mainframed767

RACF KDFAES Implementation

Nov 26th, 2018

List: racf-l
Subject: Re: Statistics on KDFAES
From: Costin Enache <00000252c7734702-dmarc-request () LISTSERV ! UGA ! EDU>
Date: 2018-11-23 17:28:38
Message-ID: 1151329622.5148586.1542994118617 () mail ! yahoo ! com

Stu, we have implemented KDFAES on GPU for our password analytics solution (shameless: EPAS), and I would say it is a fairly secure hashing scheme. I can provide the detailed algorithm upon request, but for your question I guess the details below are enough:

The input for key derivation is:
- for passwords, the original DES (the pre-KDFAES) hash is calculated first; this permits one-way migration of old hashes
- for password phrases, the input phrase is hashed with SHA256; this means no migration for password phrases

The key derivation is using PBKDF2-SHA256, slightly modified. Two sets are done, each 8 * 5000 rounds, plus an extra set of 5000. In total there are 9 PBKDF2-SHA256, each with 5000 rounds, giving 85000 rounds. This is a lot. Of MIPS too :)

The key obtained is used to encrypt the username with AES, giving the final KDFAES hash. Cracking this type of hash is not something easily done. The key derivation is the time-consuming part; the final AES is quite fast.

Some numbers for hash probing, all using GPU acceleration with OpenCL, with 1x Nvidia 1080 TI, based on hashcat:
Original DES: 3909.8 MH/s (3937402282 hashes/second)
KDFAES: 29 kH/s (29943 hashes/second)
Our fastest experimental implementation does 690 kH/s (690223 hashes/second), and uses 10x Nvidia 2080 GPUs. This is still very slow and cannot be used alone to recover passwords.

Considering that KDFAES (as well as DES) RACF hashes are salted, the numbers above apply for each account. So if cracking a decent KDFAES hashed password takes 1 year, 30000 passwords would take 30000 years.

Cheers,
Costin

On Friday, 26 October 2018, 20:45:15 CEST, Stu Henderson <stu@STUHENDERSON.COM> wrote:
List, I'm hoping someone can provide actual numbers describing the advantage of KDFAES over plain old AES (used by some other products). For example, imagine a RACF database with say 30,000 users, all with their passwords encrypted with KDFAES. And a hacker gets a copy of this RACF database and runs one of the free password cracker programs. (Imagine that John the Ripper is updated for KDFAES if it hasn't been already.) Roughly how long would it take to learn all the userids and passwords? Would it take weeks or months or years? Would it take longer than the password change interval of say, 30 days?

And how would this compare to a security software database that encrypted the passwords with ordinary AES, not with KDFAES? How much longer would the hacker have to run the cracker program with KDFAES?

I'd be grateful for any sound theoretical answers, and more so for actual test results. Thanks in advance. Stu

--
Next mainframe audit seminar November 5-8, 2018 in Bethesda Md; Next RACF Administration seminar November 27-30 phone (301) 229-7187
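As an added illustration (not code from either poster, nor from EPAS or hashcat), the script below plugs Costin's single-GPU rates into Stu's 30,000-user scenario to show how salting multiplies the per-account cost. The 8-character, 39-symbol password policy, the 30-day change interval and the worst-case exhaustive search are assumptions, not figures from the thread.

```python
"""Worst-case cost model for Stu's 30,000-user question, using Costin's rates.

DES_RATE and KDFAES_RATE are the single Nvidia 1080 Ti hashcat figures from the
post. The policy (8 characters over 39 symbols: A-Z, 0-9, @#$) and the 30-day
change interval are assumptions; the search is exhaustive, not dictionary-based.
"""

DES_RATE = 3_937_402_282    # hashes/second, original RACF DES hash (from the post)
KDFAES_RATE = 29_943        # hashes/second, KDFAES (from the post)
SECONDS_PER_DAY = 86_400
ASSUMED_KEYSPACE = 39 ** 8  # assumed policy: 8 characters from a 39-symbol set


def slowdown_factor(fast_rate=DES_RATE, slow_rate=KDFAES_RATE):
    """DES hashes probed in the time it takes to probe one KDFAES hash."""
    return fast_rate / slow_rate


def seconds_per_account(keyspace, rate):
    """Worst-case time to try every candidate against one account's hash."""
    return keyspace / rate


def seconds_for_accounts(keyspace, rate, accounts, salted):
    """Time to exhaust the keyspace for every account in the database.
    Unsalted: one pass over the keyspace tests every account at once.
    Salted (RACF, for both DES and KDFAES): every account needs its own pass."""
    passes = accounts if salted else 1
    return passes * seconds_per_account(keyspace, rate)


def exceeds_change_interval(seconds, interval_days=30):
    """True if the attack outlasts the assumed password change interval."""
    return seconds > interval_days * SECONDS_PER_DAY


def summarize(rate, accounts=30_000, keyspace=ASSUMED_KEYSPACE):
    """Per-account and whole-database worst-case figures for one hash type."""
    one = seconds_per_account(keyspace, rate)
    everyone = seconds_for_accounts(keyspace, rate, accounts, salted=True)
    return {
        "days_per_account": one / SECONDS_PER_DAY,
        "days_all_accounts": everyone / SECONDS_PER_DAY,
        "one_account_beyond_interval": exceeds_change_interval(one),
        "all_accounts_beyond_interval": exceeds_change_interval(everyone),
    }


if __name__ == "__main__":
    print(f"KDFAES is {slowdown_factor():,.0f}x slower to probe than the DES hash")
    for name, rate in (("DES", DES_RATE), ("KDFAES", KDFAES_RATE)):
        print(name, summarize(rate))
```

Under these assumptions a single 1080 Ti exhausts one account's DES keyspace in about 23 minutes but needs roughly 5.7 years per KDFAES account, and because both schemes are salted the whole-database figure is simply that number times 30,000.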
  71.  
  72.  
  73.  
  74. [prev in list] [next in list] [prev in thread] [next in thread]
  75.  
  76. Configure | About | News | Add a list | Sponsored by KoreLogic
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement