This is a post from Craig, an online security and data recovery specialist at UKFast.
Recently, I have been looking at utilizing Graphics Processing Units (GPUs) to brute force hashes (encrypted passwords). This started with just my standard GPU, an NVidia GT220, which is not high-spec in the least and costs only £30 to buy.
The MD5 algorithm is a commonly used cryptographic hash function that produces a 128-bit hash value. With the NVidia GT220 I was able to brute force MD5 hashes at a rate of 158 million passwords per second. Pretty impressive, I thought, until I read some stats stating that a top-spec AMD Radeon HD 6990 could run at a rate of 10.3 BILLION per second! Cue a phone call to our good friends at Scan Computers, who loaned us the card for some real testing.
So, card in hand, the first issue: it’s huge! I couldn’t actually fit it in my computer case. After looking at a few options I opted for taking the computer out of the case and running it as a test rig without my “restrictive” case…
With the card installed, the drivers in place and the latest Catalyst Software Suite (11.9) running, I first tried one of my previously tested algorithms using a scripted application to keep the values identical between runs. Monitoring via the CSS, GPU activity went up and sat at 84%. The temperature, however, rose to 86… 87… 88 degrees. My warning threshold was 90 degrees, which was mildly concerning.
The card has a huge heat sink but, under this processing load, heat became more of a concern for me. To cool it down we attached 3 additional fans to the system: 2 x 4” fans extracting heat from the card and 1 x blower from a 1U server to blow cold air across the card. I was then able to maintain 80 – 86 degrees for each core, which is a lot more acceptable.
GPU activity was still sitting at 84% and I wanted to max this out, so we needed to tweak the settings to get the most out of it. Eventually, after a lot of testing (and crashing), I found an optimum setup which was stable and utilizing 99% of the GPU (you must remember to duplicate settings across both cores). My target was 10.3B p/s. I was now hitting 11.5B p/s, an unexpected (but pleasant) result!
At this processing speed, if I was to decrypt an MD5 hash of a 6 character password it would take 1 minute 3 seconds to exhaust the whole available key space (735,091,890,625 candidates). That’s if we searched every visible symbol available on the keyboard (95 characters: lower and UPPER case alpha, numeric, and symbols).
If the password was 8 characters, the time would increase to 6 days 15 hours, which makes brute forcing slightly less feasible for the average hacker looking to expose weakness “for the lulz”. However, with a little more organisation and finance committed to brute force cracking you can multiply GPUs and utilize all cores at the same time. From internet research this does not appear to carry much overhead, and I have seen systems boasting an MD5 cracking rate of 45.5B p/s (4 x AMD HD 6990s) which would crack an 8 character password within 1 day, 15 hours – a bit more feasible…
I also tested passwords of between 6 and 12 characters using different character set sizes, e.g. 69 (lower case alpha, numeric, and symbols) and 36 (lower case alpha and numeric). Times vary from less than 1 second to over 13 years!
A final thought on MD5: how long would it take me to decrypt a credit card number, 16 characters, numeric only? Well for me, the answer is 10 days. If I had 4 of these GPUs at my disposal it would take 2.5 days max to exhaust the key space, and considering your MasterCard and VISA numbers start with 4 or 5 I expect even less time than that, maybe even half.
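To reproduce the time-to-exhaust figures above for any character set, password length and rig size, here is a small estimator I have added (not code from the original post or from UKFast). It assumes only the two hash rates and the four character set sizes the post quotes (95, 69, 36 and 10) and treats the card-number case as a first digit restricted to 4 or 5; the `first_choices` parameter is my own generalisation.

```python
"""Estimate how long a GPU rig needs to exhaust a password key space,
using the hash rates and character sets quoted in the post."""

# Hash rates quoted in the post (MD5 candidates per second).
RATE_ONE_HD6990 = 11.5e9    # single AMD HD 6990 after tuning
RATE_FOUR_HD6990 = 45.5e9   # 4 x HD 6990 rig mentioned in the post

# Character set sizes used in the post.
CHARSETS = {"printable": 95, "lower_digits_symbols": 69,
            "lower_digits": 36, "digits": 10}

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size, length, first_choices=0):
    """Candidates of exactly `length` chars. If `first_choices` > 0 the first
    position is limited to that many values (e.g. 2 for card numbers starting
    with 4 or 5); the remaining positions are unconstrained."""
    if first_choices <= 0:
        return charset_size ** length
    return first_choices * charset_size ** (length - 1)


def exhaust_seconds(charset_size, length, rate, first_choices=0):
    """Worst-case seconds to try every candidate at `rate` guesses/second."""
    return keyspace(charset_size, length, first_choices) / rate


def format_duration(seconds):
    """Render seconds as years/days/hours/minutes/seconds, skipping zero units."""
    units = (("y", SECONDS_PER_YEAR), ("d", 86400), ("h", 3600), ("m", 60), ("s", 1))
    remaining, parts = int(seconds), []
    for label, size in units:
        qty, remaining = divmod(remaining, size)
        if qty:
            parts.append(f"{qty}{label}")
    return " ".join(parts) if parts else "<1s"


def exposure_table(rate, lengths=range(6, 13)):
    """Time-to-exhaust for every charset/length pair at the given rate."""
    return {(name, n): format_duration(exhaust_seconds(size, n, rate))
            for name, size in CHARSETS.items() for n in lengths}


if __name__ == "__main__":
    for (name, n), t in exposure_table(RATE_ONE_HD6990).items():
        print(f"{name:>22} x{n:2d}: {t}")
    card = exhaust_seconds(10, 16, RATE_FOUR_HD6990, first_choices=2)
    print("16-digit card number, first digit 4 or 5, 4 GPUs:", format_duration(card))
```

The table reproduces the post's figures to within rounding (95^6 at 11.5B p/s gives 1m 3s, 36^12 gives just over 13 years), and swapping in a different rate shows how quickly a password policy's margin erodes as hardware improves.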
So, are you still prepared to use MD5 to encrypt your customer data?