Security of Password Hashing in Cloud

Though the History of using password in computing can be traced back to as far as mid of last century little focus has been implied on how to securely store and retrieve password to authenticate and authorize services to the end users. In this paper the current security of various password hashing schemes that are in use today will be investigated through practical proof of concept-GPU based, password hash dump cracking using the power of cloud computing. We will be providing comparison on different password hashing cracking time using the cloud GPU power in AWS. The focus of this paper is to show the possible use of cloud computing in cracking hash dumps and the way to countermeasures them by using secure hashing algorithm and using complex passwords.


Introduction
The most common means of authentication scheme are password-based authentication system [1].An employee uses multiple passwords daily for all the applications and systems that he/she might be working on for the employer.Businesses spend a tremendous amount of money for not only storing these passwords but also for securing the storage of these passwords.Especially when organization deals with a huge number of customers; it's very hard for them to create, maintain and distribute these passwords across the network for authentication, authorization or accounting purposes.Thus, passwords based authentication system possesses many security problems into rather relatively secured existing infrastructures [2].To overcome the possible security concerns with storing and distributing the password across the network, the password is often run against the cryptographic hash function to get the equivalent digest of the When users try to login with the password, the input is calculated by the same hash function to compare with the digest of the same password that has been stored in the databases.One of the properties of the cryptographic hash function is its irreversible one-way function which means it's nearly impossible to get back the password from the digest itself.Then again, many of the commonly used hashing functions like MD5, SHA-1, etc. have been developed during the mid-nineties.One of the weaknesses of most widely used hash function MD5 is that the attacker can create two identical digests for two different inputs which in cryptography field is called Hash collision [3].In fact, the possibility of an adversary of finding the password from the hash dump is proportional to the amount of the work he/she puts in and the ability to predict the password characteristics distribution.Moreover, with the advent of the cloud computing and 8 new powerful Graphics Processing Unit (GPU), the attacker is now well equipped than ever to decipher the passwords from the hash at their will.Since last decades there has been significant development going on in the field of Graphics Processing Unit (GPU).The GPU is very suitable for performing parallel tasks as well as calculating floating point related problems.Modern GPU based, password cracking is ten times faster than Central Processing Unit (CPU) based password cracking [4].In our paper, we will be showing how an attacker can leverage existing cloud services to crack passwords from sample password hash dumps using the high-performance-based computing resources.We think our work is one of the few studies that have been done on the power of GPU computing using cloud computing services like Amazon web services and the sheer breadth of test that is performed.Our paper is structure in way that first few sections we will be providing the reader some background on all the possible password related attacks possible where in the middle section we set up our test environment in AWS with sample password hash file of different popular hash algorithm that are in use today to crack.In the end we compare the results and we retrieve of the cracking time from our test scenario.We then compare the test results and suggest the use of password generator script and other possible means of creating strong passwords for using online services.

Nature and Significance of the Problem
Due to the recent hacking and public disclosure of private information (User's passwords) from several big profile organizations like LinkedIn, E-harmony and Yahoo within last 5 years raises the serious questions of not only the security of the authentication systems in these high profile organizations but also the security aspects of their password storing techniques in their databases.
Hence, in this paper the work presented is to show how effective the GPU based, password cracking technique is against the hashing techniques and provides insight on why choosing strong, complex passwords along with slow computers hashing function will keep the attackers at bay while leveraging GPU Journal of Information Security processing power of the cloud computing resources.We believe our model can be applied to any form of online GPU/CPU resources and produce the similar results for identifying the strength of the password hash of any type.Previous work has been done usually based on single instances of computing resources, but we believe our environment provides the more up to date distributed power of GPU that is available currently in cloud.Here are the few terms that should help understand some of the acronyms better is shown in Table 1.

Related Work
Thompson in his paper has shown how GPU's can be used for usual computing task other than graphically intensive work [5] whereas Cook in his paper shown GPU's are good for solving cryptography related work too [6].In the beginning, it was hard to make any application that could take advantage of GPU's because of the lack of API's and supports.Now with the advent of CUDA, OpenCL platform, APIs for GPU's become widely available.Using GPU's performance on cryptographic computation has been under review by many researchers.Yang and his colleague have shown how GPU's can outperform high-performance CPUs in symmetric cryptographic computations [7].In Asymmetric encryption strength has also been reviewed by many researchers suing GPU's [8] [9] [10].
Hash functions like MD5 and Blowfish have also been tested with GPU processing power, outperforming the CPU's significantly [11] [12].Graphical Processing Unit or GPU is now lots used for general purpose computing or better known as GPGPU than rather using it as to drive graphics.
With the advent of CUDA and OpenCL framework researcher are putting the hash security to the test by exploiting the power of the GPU to crack them using parallel processing power.R. Zhang and his colleagues showed the method to crack MD5 hash using CUDA and reached the speed of 223 Mbps [13].Another researcher compared decryption software John, the Ripper against cracking software based on OpenCL and found 17-times faster speed [14].In other research, the authors implemented MD5 decryption methods using Tianhe-1A   using CUDA to reach calculation speeds up to 18 billion keys per seconds [15].
Oclhashcat happens to be the multiplatform world's fastest password cracker which is GPUGPG based open source free hash cracker with speeds of up to 8511 mc/s and 2722 mc/s for MD5 and SHA-1 hash respectively.In one study researcher, implemented MD5 decryption algorithm using GPU cluster and gain 100 times faster performance in comparison to CPU [16].Many of the researchers used open source cracker like Oclhashcat on GPU platforms like NVidia or AMD using CUDA or OpenCL.In our paper, we will also exploit GPU power that is on offered in the cloud to crack sample password hash dump using Oclhashcat.

What Is a Hash
The process of taking an arbitrary length input and converting it to a fixed-length output value by integrating through a cryptographic hash function is called hashing, and the output value is called the hash value as shown in Figure 1.The property of cryptographic hash functions is they are a one-way function, and there is no way of deducing the input value by reverting from the output hash value [17].
Because of its irreversible features, hashing is very useful for storing the password in the authentication server.This allows not only protecting customer's privacy but also allows the server to authenticate user's login information without storing the user's password.Let's say for example the cryptographic hash value of the word "parves" using MD5 algorithm is:

Different Hashing Algorithm
In the following table the function of a different hashing algorithm that is in use at large is shown (Figure 2).

Password Hash Cracking Techniques
Password hash cracking is a method of attacking dumped hash to find flaws in the underlying secured hash characteristics that we discussed in the previous section to find the message that computer to the same hash value.The attacker, once they get hold of the hash file by getting the unauthorized access to the network, usually copies the hashed password file and perform one of the following attacks.
• Exhaustive Attack: This attack involves trying every possible combination of characters within character sets.Since it looks for every possible combination, the success rate is 100% of finding the correct combination given the time, and the cost is out of consideration.Also, the most cryptographic system in use today uses very large space of time, making the exhaustive search impractical to perform against.The exhaustive attack is used in two of the following ways [20].Known-plaintext only attacks: In this attack, only the perpetrator knows the plaintext and ciphertext both.Then he tries to discover the key that encrypts the plaintext for example.

P. Kamal
Ciphertext-only attacks: The attacker only knows the ciphertext, and he tries to find the corresponding key or plaintext by going through every combination of the keys.
Password hashing crack technique is only possible in cipher text the only method as every hash function is a one-way function.However, with a single digit increase in password length makes the exhaustive search iteration increase exponentially, making the exhaustive search attack impractical for the attacker, especially when long and complex alphabetical characters are chosen [21].
• Dictionary Attack: A Dictionary attack is a very effective attack if the user uses some human-memorable password for their login credentials and the attacker tries a list of common words and expressions used in any language for example in English to find the password.Users tend to use common or simple passwords [22] across many platforms, so that can be easily recalled and if it's the case then performing dictionary attacks is highly successful.But some simple modification to those common words can make a dictionary attack highly unsuccessful too [13].
• Rainbow table Attack: Rainbow table Attacks involve looking up the precomputed hash tables and the corresponding key value to find any matching hash.This type of attack, though, has limited combination to look up for but when working within its constraints, it takes less time decrypting hashed password than those two other attacks mentioned earlier [23].

Characteristics of Strong Passwords
There are many characteristics that make a password easy to crack using exhaustive attacks.Some of the characteristics are: • Passwords are based on common dictionary words.
• Passwords are relatively short in length, making it possible to brute force attack easily.• Passwords have some sorts of the pattern which is easy to deduce.e.g.abc123, XYZ, 46824682 etc.
• Passwords have been repeating characters like abab11 or xy12x.People Use the passwords with repeating characters so that they can remember.
To better understand, let's show it more graphical way.The following pictures are some of the chosen passwords with a combination of characters, numbers, and symbols to check the strength of the passwords based on the characteristics of the characteristics above of strong passwords.
So, as we have seen even if all the passwords above eight characters were long, using memorable words like a watch or if using characters that come in sequences significantly makes the password strength very low while using random sequences of characters makes passwords relatively stronger.It's very hard to get real random numbers, and for humans, we are not well equipped to remember random numbers.In fact, a human can only remember random numbers up to 7 ± 2 characters [25].Having passwords with a random sequence of numbers with at least one capital letter, number, a Special character from large key space makes password very strong as shown in Figure 3.
Figure 3. Example of some of the weak and strong passwords [24].

P. Kamal
One of the methods used to check the strength of the password is based on the entropy.Entropy depends on the length of the passwords and the key space used.
Entropy can be calculated using the formula, log2(n) [26] where n represents the number of characters in key space.

CPU-Based versus GPU-Based Password Cracking Performance
The CPU has traditionally been used for general purpose computing.Usually, the CPU has limits on how many processing cores it can accommodate.To overcome these CPU's is hyper threading technology to compensate whereas the GPU has many more cores compared to its similarly priced CPU counterpart.
GPU also works as Single instruction, but Multiple Data computations or known as (SIMD) whereas CPU's work as Single Instruction, Single Data computations or known as (SISD).This makes GPU largely suited for password cracking.Part of the reason behind the GPU'S power over CPU is for the recent increase in GPU'S power in comparison with the CPU'S one.AS we know from Moore's law CPU'S power doubles once in 18 months, whereas GPU'S power is doubling four times at the same time [27].The difference between CPU'S and GPU'S can regard performance based on single precision floating point number is clearly shown in Figure 4.

Cloud Computing
Cloud computing is rapidly provisioned on demand configurable resources that can be shared with minimal management effort or service overhead [22].There moving their infrastructure to the cloud now.There are many public cloud companies like AWS, Rackspace, Google Cloud, Microsoft Azure provide (Figure 5).
Spinning up a virtual machine in the Amazon AWS with Intel Xeon-based G series computing along with NVidia's K520 (1536 cores) cost about $0.02 to $2.87 per hour making it very feasible for someone to run parallel GPU-based, password cracking on the password hash dump.In my paper I will demonstrate how effective is GPU based, password cracking using cloud platform.

Test Environment
Test Environment was set up to test the following characteristics: • To identify the characteristics of strong hashing algorithm as well as the passwords with the data gathered from the proof of concept-password hash cracking in the cloud.• To show the performance of the GPU on password hash cracking using cloud we will implement GPU based, hash cracking on cloud and we will compare this with CPU based cracking.
• Compare the analyzed data to compare the GPU based, and CPU based, password cracking performance as well as the effect of using secured password hashing algorithm on the cracking performance.Also analyze the reason behind the password hash cracking effectiveness based on password strength.

Data Collection
The data will be collected once the test is performed and the benchmark report, as well as the generated passwords, will be the source of the data which will later be analyzed.

Tools and Techniques
Multi-GPU based Oclhashcat on Amazon AWS EC2 on CUDA based NVIDIA Tesla GPU to crack sample password hash of MD5, SHA-256, and Bcrypt.

Hardware and Software Environment
The following hardware and software will be used in conducting my research.
The setup was done in AWS (Amazon Web Service) cloud.The exact software and Hardware details are in the table.The test will be conducted in cracking the password hash on both GPU and CPU instances (Machine).The specifications for both GPU Machines as shown in Table 2 and CPU machines are given in Table 3.

Testing Environment Diagram
The testing Environment of this research is shown (Figure 6).

Wordlist Selected
For the test, different filters and combination of uppercase letters, lowercase letters, digits, special characters will be used.The test will be done using the hybrid attack at first before applying brute force attacks where every combination of the characters will be tried.

Installing Oclhashcat
First, the installation of the oclhashcat multi-GPU based, hash cracker with the following steps after ssh into our cloud Linux machine on both CPU and GPU test machine (Figure 7).

Sample Password Hashed Dump File
To conduct the test some common password up to 8 characters in length characters' length and will hash it with MD5 and SHA1 as well as more cryptographically strong hashing algorithm bcrypt.The following sample password hash has been selected.Here the bcrypt hash of sample password "Pass" was created with 14 rounds (2 14 = 16,384) of generation via gensalt() function.For the sake of our test, we will be keeping it to minimal, less than 10 (Figure 9).

Test Results
We ran the CPU crack and GPU cracking on the sample MD5, SHA-256, and Bcrypt hash dump.We applied the different filter as follows:  In Figure 10 as the result is as follows: • Using uppercase only character (u) it takes 2sec for 6-character long password, HELLO to crack where 8-character long password "MYSECRET" takes 12 mins and it finishes checking all the combination of 8 characters roughly at the same time too.
• Using lowercase only character (l) it takes 12 min to crack 8-character long password "mysecret" as well as finishes checking all the combination of 8 characters roughly at the same time too.
• Using a combination of uppercase and lowercase character (ul) it takes 1 hour 12 min to finish cracking 8 char long "Password" as well as finishes checking all the combination of 8 characters roughly in the same time too.
• Using lowercase and digits (ld) it takes 3 mins to crack 7 char long "tes1234" password while it takes 2 hours 30 mins to finish checking all the combination of the 8-char field.
• Using lowercase and a special character (ls) it takes it takes 1hours 13 min to find the 7-char password "Passwor!"while it will take approximately 5 days and 1hours to finish checking all the combination.• At last we try all the lowercase, uppercase, special characters and digits (usld) for all the 8 filed of the password and though we could not find out 8 char long password "You9can!"we did find to estimate how long it will take to look up all the (USLD) combination of each 8-char filed with our CPU machine with the following calculation.
Total characters: lowercase (26) and special characters (33), uppercase (26) and digits (10)    • Using lowercase and a special character (ls) it takes it takes 2 min to find the 7-char password "Passwor!"while it will take approximately 2hours to finish checking all the combination.• Using the special characters only it takes 7 sec to finish cracking 8 char long password "./?!';<>" while it takes 1 min 28 sec to finish checking all the special character combination of the 8char field.
• At last, we try all the lowercase, uppercase, special characters and digits (usld) for all the 8 field of the password and for the 8-char long password (./?!';<>, MYSECRET, You9can!).We could not finish the all the combination of 8 chars, but we estimated it will take around 4 days to finish checking all the possible combination of 8-char password using our GPU machine.The way we estimated the cracking time as follows: Total characters: lowercase (26) and special characters (33), uppercase (26) and digits (10)  In Figure 12 the result is as follows: • Using a combination of uppercase and lowercase character (ul) it takes 3 hours to finish cracking 8 char long "Password" as well as finishes checking all the combination of 8 characters will take estimated 7 days 20 hours to finish.The way we estimated the cracking time as follows: Total characters: lowercase (26), uppercase (26) = 26 + 26 = 52 Total combination possible [52] 8 = 5.3459729e+13 SHA-256 CPU cracking speed, 88,954 KH/s = 88,954,000 h/s Cracking time in days = 5.3459729e+13/88,954,000 = 600981.726864s/3600 = 166.939368573hours/24 = 7 days • Using lowercase and digits (ld) it takes 15 mins to crack 7 char long "tes1234" password while it takes 9 hours 25 mins to finish checking all the combination of the 8-char field.
• Using lowercase and special character (ls) it takes it takes 15 min to find the 7-char password "Passwor!"while it will take 7 hours 50 mins to check 7 chars field.
• Using the special characters only it takes 20 min to finish cracking 8 char long passwords "./?!';<>" while it takes 9 hours to finish checking all the special character combination of 8 char field.

P. Kamal
• At last we try all the lowercase, uppercase, special characters and digits (usld) for all the 8 field of the password and though we could not find out 8 char long password "You9can!"we did find to estimate how long it will take to look up all the (USLD) combination of each 7 char and 8-char filed with our CPU machine with following calculation.Time Estimation for 7-char password Total characters: lowercase (26) and special characters (33), uppercase (26) and digits (10)  • Using lowercase only character (l) it takes 1 min to crack 8-character long password "mysecret" as well as finishes checking all the combination of 8 characters roughly in 1 min 6 secs.
• Using a combination of uppercase and lowercase character (ul) it takes 1 min to finish cracking 8 char long "Password" as well as finishes checking all the combination of 8 characters roughly in 2 hours 87 min.
• Using lowercase and digits (ld) it takes 1min to crack 7 char long "tes1234" password and 1 min 22 sec for 8-char password "mysecret", while it takes 10 mins to finish checking all the combination of the 8-char field.
• Using lowercase and special character (ls) it takes it takes 8 mins to find the 7-char password "Passwor!"while it will take approximately 8hours to finish checking all the combination.• Using the special characters only it takes 2 min to finish cracking 8 char long password "./?!';<>" while it takes 5 min to finish checking all the special character combination of 8 char field.
• At last we try all the lowercase, uppercase, special characters and digits (usld).
It took around 3 hours to finish checking 7 char length passwords while for all the 8 field of the password and for the 8-char long password (./?!';<>, MYSECRET, You9can!).Though we could not finish 8 char passwords, but we estimated it will take around 10 days and 10 hours to finish checking all the combination of the 8 char field.The estimated time is calculated as follows: In Figure 14 the result is as follows: • Using uppercase only character (u) it takes 21 min to go through all combinations of 3 char length, whereas it takes 8 hours to finish 4 char long.
• Using uppercase and lowercase (ul) it takes 2 hours 21 min to finish 3 char length passwords.We could not finish cracking 4 char length passwords "Pass" as we estimated it will take 3 dys 17 hours to finish checking all the combination.The estimation is calculated as follows: Time Estimation for 4-char password Total characters: lowercase (26), uppercase ( 26 • Using only digits (d) it takes 9 min to crack 4 char passwords "1234" as well as roughly going through all the combination of 4-char field.
• Using only special characters(s) it takes 36 mins to finish checking all the combination of 3 char length password whereas it found 4 char length passwords ",/?<(" in 3 hours while taking 4 hours to go through all the combina-P.Kamal tion of the 4-char length password. • At last we try all the lowercase, uppercase, special characters and digits (usld).It takes 15 hours 4 mins to finish going through all the combination of the 3-char length.We could not finish checking for our 4-char length password "1!Su" as we estimated it will take 10 days 10 hours to check all the possible combinations using following formulas: Time Estimation for 4-char password Total characters: lowercase (26), uppercase (26), Special characters (33), digits  • At last we try all the lowercase, uppercase, special characters and digits (usld).It takes 2 hours 40 mins to finish going through all the combination of the 3-char length.We could not finish checking for our 4-char length password "1!Su" as we estimated it will take 1-day 19 hours to check all the possible combinations using following formulas.

Experimental Run
• MD5 GPU with 1st character set as uppercase (U) and last character set as special characters(s) while all other character is combination of lowercase (l), uppercase (u), special character(s), digits (d) takes only 2 mins to finish whole 8-character set.
• MD5 GPU with last character fixed as special characters(s) and trying all other combination (lowercase (l), uppercase (u), special character(s), digits (d)) in first 7 character takes only 8 hours to finish.
• MD5 GPU trying all first 7 char as lowercase (l) and special character(s) whole last character fixed as special character(s) makes the cracking time of 8-character set to only 1 min.
• SHA-256 GPU machine cracking 8 characters with combination of lowercase (l), uppercase (u), special character(s), digits (d) in 2nd to 7th character while making the 1st character fixed for special characters(s) and 8th character P. Kamal Journal of Information Security fixed for uppercase (u) brings the cracking time to only 6 mins while just making the 1st character fixed for uppercase(s) letters makes the cracking time around 10 hours.

Analyzing Result
• Using CPU instances with the combination of characters like uppercase, lowercase, special characters and digits a password length of 8 using MD5 hash takes 246 days to decrypt while using GPU it takes only 3 days.
• Similarly, the same password length using more secured SHA-256 hashing algorithm takes 863 days for our CPU machine to crack where with our GPU its only 10 days.
• Using more secured and computationally intensive Bcrypt hashing algorithm a password length of 4 characters only with a combination of characters like uppercase, lowercase, special characters and digits it takes our CPU instances 84 days to crack whereas with our GPU only 12 days.
• GPU instancing took only 5 min to crack SHA-256 password length of 8 with special characters only, whereas it took almost 3 hours to crack password length of 4 with Bcrypt hashing algorithm.

Recommendations
• Use password random generator to make a strong Radom password.One such sample random password generator script is given in Figure 16.• Never reuse the same password for different accounts.
• As a security administrator or developer tries to use a modern hashing algorithm like Bcrypt which is slow in computing using GPU or CPU.
• Never store password without hashing.
• Always add salt to the hashed password for added security.
• Password length should be at least 10 characters in length and use combination of characters like uppercase, lowercase, special characters and digits and never use dictionary words.
• Avoid using words from dictionary which can be easily brute-force by dictionary attack.

Future Work
In the future, possible plan to test whether adding salt (random number) with MD5 and SHA-256 increase the cracking time it takes with GPU or not.Also, in this paper the effect of fixed certain character types in the password field with Bcrypt hashing algorithm like SHA-256 and MD5 hash was not tested.So, in the future endeavor test run with Bcrypt and compare results with SHA-256 and MD5.

Conclusion
In the end the aim of the paper was to compare the effectiveness of a GPU based, password cracking over the CPU as well the weakness in contemporary password hashing algorithm used (SHA-256, MD5) in today and why one should use a modern hashing algorithm like Bcrypt over SHA-256 and MD5 and why should use more complex passwords.We also came into conclusion that using salt with a hashed password adds more computational cost to crack even with highly capable GPU.We also presented a test bed scenario where a normal user can leverage the power of cloud computing to crack relatively complex password relatively easily.
SHA1 hash of the generated password from the above is generated by the following code (Figure8).•MD5 Hash: of the following password with the following code.Journal of Information Security

Table
. Definition of terms.