

#### The Next Generation of Cryptanalytic Hardware

David Hulton <0x31337@gmail.com>, Defcon 13 - July 30th, 2005 - Las Vegas, NV

FPGAs (Field Programmable Gate Arrays) allow custom silicon to be implemented easily. The result is a chip that can be built specifically for cracking passwords. This presentation focuses on uncovering some of the underlying basics behind gate logic and shows how it can be used for performing extremely efficient cracking on FPGAs that runs hundreds of times faster than a PC.

#### David Hulton <dhulton@picocomputing.com>

- Founder, Dachb0den Labs
- Chairman, ToorCon Information Security Conference
- Embedded Systems Engineer, Pico Computing, Inc.



#### Disclaimer


- Educational purposes only
- Full disclosure
- I'm not a hardware guy





- What is an FPGA?
- Gate Logic
- Cracking \w Hardware
  - History
- Optimizations
  - Pipelines
  - Parallelism
- Chipper
  - Lanman/NTLM
  - Demo
  - Performance



## **Introduction to FPGAs**

Field Programmable Gate Array

- Lets you prototype IC's
- Code translates directly into circuit logic




## What is Gate Logic?

#### The basic building blocks of any computing system










#### What is an FPGA?


- An FPGA is an array of configurable gates
  - Gates can be connected together arbitrarily
  - States can be configured
  - Common components are provided
  - Any type of logic can be created



## What is an FPGA?


- Configurable Logic Blocks (CLBs)
  - Registers (flip flops) for fast data storage
  - Logic Routing
- Input/Output Blocks (IOBs)
  - Basic pin logic (flip flops, muxes, etc)
- Block RAM
  - Internal memory for data storage
- Digital Clock Managers (DCMs)
  - Clock distribution
- Programmable Routing Matrix
  - Intelligently connects all components together





#### **FPGA Pros / Cons**


- Pros
  - Common Hardware Benefits
    - Massively parallel
    - Pipelineable
  - Reprogrammable
    - Self-reconfiguration
- Cons
  - Size constraints / limitations
  - More difficult to code & debug



## **Introduction to FPGAs**


- Common Applications
  - Encryption / decryption
  - AI / Neural networks
  - Digital signal processing (DSP)
  - Software radio
  - Image processing
  - Communications protocol decoding
  - Matlab / Simulink code acceleration
  - Etc.






## **Types of FPGAs**


- Antifuse
  - Programmable only once
- Flash
  - Programmable many times
- SRAM
  - Programmable dynamically
  - Most common technology
  - Requires a loader (doesn't keep state after poweroff)



## **Types of FPGAs**

- Xilinx
  - Virtex-4
  - Optional PowerPC Processor
- Altera
  - Stratix-II



## Verilog

- Hardware Description Language
- Simple C-like Syntax
- Like Go: easy to learn, difficult to master








# Verilog


8 bit AND

C

```c
#include <sys/types.h>  /* u_char */

/* Bitwise AND of two 8-bit values */
u_char and8(u_char a, u_char b) {
    return (a & b);
}
```

Verilog

```verilog
// 8-bit AND; "or" is a reserved word in Verilog, so the module is named and8
module and8(a, b, c);
    input  [7:0] a, b;
    output [7:0] c;
    assign c = a & b;
endmodule
```

Gate: schematic of an AND2 gate with inputs a(7:0) and b(7:0)



# Verilog


8 bit Flip-Flop

C

```c
#include <sys/types.h>  /* u_char */

/* Software analogue of a register: copy the input into storage, return it */
u_char ff8(u_char a) {
    u_char t = a;
    return (t);
}
```

Verilog

```verilog
// 8-bit register: c takes the value of a on each rising clock edge
module ff8(clk, a, c);
    input        clk;
    input  [7:0] a;
    output [7:0] c;
    reg    [7:0] c;
    always @(posedge clk) c <= a;
endmodule
```

Gate (schematic not preserved)




- Minimal Key Lengths for Symmetric Ciphers
  - Ronald L. Rivest (R in RSA)
  - Bruce Schneier (Blowfish, Twofish, etc)
  - Tsutomu Shimomura (Mitnick)
  - A bunch of other ad hoc cypherpunks




| Attacker             | Budget  | Tool      | 40-bits    | 56-bits    | Recom |
|----------------------|---------|-----------|------------|------------|-------|
| Pedestrian Hacker    | Tiny    | Computers | 1 week     | infeasible | 45    |
|                      | \$400   | FPGA      | 5 hours    | 38 years   | 50    |
| Small Company        | \$10K   | FPGA      | 12 min     | 556 days   | 55    |
| Corporate Department | \$300K  | FPGA      | 24 sec     | 19 days    | 60    |
|                      |         | ASIC      | 0.18 sec   | 3 hrs      |       |
| Big Company          | \$10M   | FPGA      | 0.7 sec    | 13 hrs     | 70    |
|                      |         | ASIC      | 0.005 sec  | 6 min      |       |
| Intelligence Agency  | \$300M  | ASIC      | 0.0002 sec | 12 sec     | 75    |



- 40-bit SSL is crackable by almost anyone
- 56-bit DES is crackable by companies
- Scared yet?

#### This paper was published in 1996



- 1998
  - The Electronic Frontier Foundation (EFF)
  - Cracked DES in < 3 days
  - Searched ~9,000,000,000 keys/second
  - Cost < \$250,000



- 2001
  - Richard Clayton & Mike Bond (University of Cambridge)
  - Cracked DES on IBM ATMs
  - Able to export all the DES and 3DES keys in ~ 20 minutes
  - Cost < \$1,000 using an FPGA evaluation board



- 2002
  - Rouvroy Gael, Standaert Francois-Xavier and others from the UCL Crypto Group
  - Implemented a linear cryptanalysis attack on DES
  - Used FPGAs to generate dictionary tables
  - Chosen-plaintext attack can recover key in 10 seconds with 72% success rate




- 2004
  - Philip Leong, Chinese University of Hong Kong
  - IDEA
    - 50Mb/sec on a P4 vs. 5,247Mb/sec on Pilchard
  - RC4
    - Cracked RC4 keys 58x faster than a P4
    - Parallelized 96 times on a FPGA
    - Cracks 40-bit keys in 50 hours
    - Cost < \$1,000 using a RAM FPGA (Pilchard)



#### **Massively Parallel Example**


PC (32 \* ~7 clock cycles ?) @ 3.0Ghz

```c
for (i = 0; i < 32; i++)
    c[i] = a[i] * b[i];
```

Hardware (1 clock cycle) @ 300Mhz



## **Massively Parallel Example**


- PC
  - Speed scales with # of instructions & clock speed
- Hardware
  - Speed scales with FPGA's:
    - Size
    - Clock speed




#### **Pipeline Example**






- PC
  - Speed scales with # of instructions & clock speed
- Hardware
  - Speed scales with FPGA's:
    - Size
    - Clock speed
    - Slowest operation in the pipeline



## **Self-Reconfiguration Example**


PC

```c
data = MultiplyArrays(a, b);
RC4(key, data, len);
m = MD5(data, len);
```

Hardware




Copyright Pico Computing & Dachb0den Labs 2005






### Special Components - DSP48s


#### DSP48

- Configurable
- 18x18-bit Multiplier
- 48+48-bit Adder
- Input/Output Registers
- 18x18 Multiplies @ 500MHz
- Virtex-4 LX25 comes with 48



### Special Components – BlockRAM


#### BlockRAM

- Stores up to 18Kb
- From 1 to 36 bits
- Dual-port
- FIFO Support
- Virtex-4 LX25 comes with 72



### Special Components – APU


- Auxiliary Processing Unit (APU)
  - PowerPC allows you to implement custom instructions
  - Have access to all of the registers
  - Single instruction from processor triggers your logic
  - e.g. Single instruction DES



# Chipper


- Currently Supports
  - Unix DES
  - Windows Lanman
  - Windows NTLM (full-support coming soon)
  - Multiple Cards/FPGAs ;-)



#### Lanman Hashes


#### Lanman

- 14-Character Passwords
- Case insensitive (converted to upper case)
- Split into 2 7-byte keys
- Used as key to encrypt static values with DES
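
The Lanman preprocessing listed above, as an added Python example that is not part of the original slides or of Chipper: it covers the upper-casing, 14-byte padding, 7-byte split and 56-bit DES key expansion, leaves out the DES encryption itself, and uses the widely documented empty-half value `AAD3B435B51404EE` to audit a stored hash. The function names, the ASCII encoding and the 36-symbol alphabet are assumptions of the example; the two rates are the ones quoted on the Lanman Cracking slide.

```python
# Added example: LM hash input preparation only; the DES step is omitted.
# EMPTY_HALF is the widely documented LM result for an all-NUL 7-byte half.
EMPTY_HALF = "AAD3B435B51404EE"

def lm_halves(password):
    """Upper-case, cut or NUL-pad to 14 bytes, split into two 7-byte halves."""
    # Assumption: ASCII stands in for the OEM code page Windows really uses.
    raw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\0")
    return raw[:7], raw[7:]

def des_key(half):
    """Spread the 56 bits of a half over 8 bytes (7 bits each), odd parity."""
    if len(half) != 7:
        raise ValueError("half must be exactly 7 bytes")
    n = int.from_bytes(half, "big")
    key = bytearray()
    for i in range(8):
        b = ((n >> (49 - 7 * i)) & 0x7F) << 1
        key.append(b | ((bin(b).count("1") + 1) & 1))  # low bit = parity
    return bytes(key)

def half_space(charset_size, max_len=7):
    """Candidates for one half: every length from 0 to max_len."""
    return sum(charset_size ** n for n in range(max_len + 1))

def exhaust_seconds(charset_size, rate):
    """Worst-case time to try every candidate for one half at `rate` c/s."""
    return half_space(charset_size) / rate

def audit(lm_hex):
    """What a stored 32-hex-digit LM hash gives away without any cracking."""
    h = lm_hex.strip().upper()
    if len(h) != 32 or any(c not in "0123456789ABCDEF" for c in h):
        raise ValueError("expected 32 hex digits")
    first, second = h[:16], h[16:]
    return {
        "blank_or_not_stored": first == EMPTY_HALF and second == EMPTY_HALF,
        "at_most_7_chars": second == EMPTY_HALF,
        "halves_equal": first == second,
    }

if __name__ == "__main__":
    print(lm_halves("Password123"))          # constructed sample password
    print(des_key(lm_halves("Password123")[0]).hex())
    # Rates quoted on the slides: P4 with rainbowcrack vs. Chipper fast mode.
    for rate in (2_000_000, 500_000_000):
        print(rate, round(exhaust_seconds(36, rate) / 3600, 2), "hours")
```

Because each half is searched on its own, a 14-character password costs at most twice the work of a 7-character one, which is the property an audit for stored LM hashes is looking for.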





# Chipper


#### Hardware Design

- Pipeline design
- Internal cracking engine
  - `passwords = lmcrack(hashes, options);`
- Interface over PCMCIA
- Can specify cracking options
  - Bits to search
    - e.g. Search 55-bits (instead of 56)
  - Offset to start search
    - e.g. First card gets offset 0, second card gets offset 2\*\*55
  - Typeable/printable characters
  - Alpha-numeric
  - Allows for basic distributed cracking & resume functionality



# Chipper


- Software Design (Thanks Arachne!!)
  - GUI and Console Interfaces
  - WxWidgets
    - Windows
    - Linux
    - MacOS X (coming soon)
  - Supports cracking 128 keys in parallel on each card
  - Supports 4x fast mode for just one hash pair
  - Can automatically load required FPGA image
  - Supports multiple card clusters



### **Password File Cracker**







### Lanman Cracking

- PC (3.0Ghz P4 \w rainbowcrack)
  - ~ 2,000,000 c/s
- Hardware (Low end FPGA \w Chipper)
  - 125Mhz = 125,000,000 c/s per core
  - 500Mhz = 500,000,000 c/s for fast mode!

| Type | P4    | E-12 | 8 E-12 |
|------|-------|------|--------|
|      | 25 D  | 2 H  | 18 M   |
|      | 3.4 D | 20 M | 1.5 M  |
|      | 4.7 H | 1 M  | 9 S    |



### Pico E-12


#### Pico E-12

- Compact Flash Type-II Form Factor
- Virtex-4 (LX25 or FX12)
  - 1 Million Gates (~25,000 CLBs)
  - Optional 450 MHz PowerPC Processor
- 128 MB PC-133 RAM
- 64 MB Flash ROM
- Gigabit Ethernet
- JTAG Debugging Port





### **PicoCrack Demonstration**

### Demonstration




# **OpenCiphers.org**


- Sourceforge project
  - Chipper
  - Lanman & NTLM cracking cores
  - Modular Exponentiation
  - A5/2 (for some GSM research)



### **Technology Trends**


- Embedded platforms are either cheap and slow or expensive and fast
- There will always be a cost factor with regards to crypto
- This has plagued smart cards, speedpasses, mobile devices, etc.
- The future is definitely implementing more advanced cryptanalysis attacks
- As cheap chips get faster, the workload for bruteforce increases exponentially with the keysize
- Elegance will be the next generation



#### **Hardware Trends**


- FPGAs are increasing according to Moore's Law
  - Different factors though
    - Density Increasing
    - Clock Speed Increasing
    - Components Created and expanded to fit markets
    - Cost Dropping
  - Slowly starting to compete with ASICs
  - Future Applications:
    - Neural Networks
    - Attacks on WEP/WPA/GSM
    - Analysis and Correlation



#### Feedback?

- What do you think?
- Possible Applications?
- Questions?



### **Conclusions / Shameful Plugs**


- ToorCon 7
  - End of September, 2005
  - San Diego, CA USA
  - http://www.toorcon.org
- ShmooCon 2
  - February, 2006
  - San Diego, CA USA



# **Questions ? Suggestions ?**


### David Hulton

- h1kari@dachb0den.com
- OpenCiphers
  - http://www.openciphers.org
- OpenCores
  - http://www.opencores.org
- Xilinx
  - ISE Foundation (Free 60-day trial)
- Pico Computing, Inc.
  - http://www.picocomputing.com