
CSCI262

Fall 2013
Programming assignment 1
Date : 14/10/2013
Hacking Challenge-Response-based Password protocols using
Rainbow Tables
Last name First Name Student ID Signature

LEARNING OUTCOMES
1. Assess the vulnerability of challenge-response authentication to MITM attacks.
2. Understand how rainbow tables can be used to attack password hashes.
3. Perform an offline attack on a challenge-response authentication protocol.
4. Design and tailor rainbow tables for password cracking using MD5.
5. Crack a password given the MD5 hash of a given challenge combined with that password, using
rainbow tables.

This assignment is due at the beginning of your lab session of week seven.
Late submission is subject to penalties as specified by the subject outline.


1/14
CSCI 203 programming assignment #1

Guidelines
This is your first major programming assignment. It is due in week 6, so you have an extra
week to do it.
• You should start working on it as soon as possible so that you have plenty of time to
perform all the required tasks.
• If you wait until the last minute, you will hurry and most likely you will not be able to
perform all the required tasks even if you know how to do them.
• So, plan your work, and start early.
In this assignment you will have to:
• Design algorithms
• Specify algorithms using pseudo-code
• Select appropriate data structures for your algorithms
• Code your algorithms in C++.

Outline

Section Page
Guidelines 2
I. The problem 3
II. More about the challenge-response protocol and rainbow tables 4
III. Marking of the assignment 12
IV. Input/output requirements for the algorithms 12
V. Submission of your work 13
VI. Hints 13

I. The problem:

Your task is to build a mini-hacking tool that can break some challenge-response-based
protocols using rainbow tables. The method has been highlighted by Liu Fanbao [1].
The basic idea of Liu is to use a man-in-the-middle attack on a challenge-response protocol.
Under normal conditions, the challenge-response protocol is as follows:
a) A legitimate user U contacts a host H to log in.
b) The host generates a random number and sends it as a challenge to the user.
c) The user receives the challenge, combines it with his/her password, applies a hash
function, and sends the result to the host.
d) The host performs the same operation, then compares the results of the two hash
operations. If they are equal, the user is authenticated; otherwise access is denied.
But the above protocol can be exploited by an attacker. The attacker impersonates the
host, sends the user a crafted challenge of the attacker's own choosing, waits for the user's
answer, then, using the hash value sent by the user, tries to crack the user's password
using rainbow tables. Because the attacker picks the challenge, the rainbow tables for that
challenge can be built before the attack takes place.

Your task is to build a tool that can help an attacker crack the user's password. You will
assume that:
• you impersonated a host;
• you sent a challenge W to user U;
• user U computed R, the hash of his/her password combined with the challenge W;
• you have to use R as an input to your tool to crack the user's password.

[1] Fanbao Liu, Yasha Chen, Yuan Dong, A General Way to Break Hash-based Challenge-
and-Response, 2012 International Conference on Industrial Control and Electronics
Engineering.

II. More about the challenge-response protocol and rainbow tables.
Before you can proceed, you need to understand two important concepts:
• How challenge-based authentication works.
• What rainbow tables are and how they work.
A. How challenge-based authentication works.
Challenge-response protocols are widely used to prevent the risk of replay in remote
authentication. The protocol is described by the slide below, from the lecture notes
(Chap. 2).

A simplified version of the above protocol is described by table 1.

User                                                 Host
When a user U wishes to connect to a host H,
U types in his/her login, which is sent to H.
                                                     H replies by sending to U a random
                                                     string C and a hash function h.
User U uses his/her password P and computes          H also computes R1 = h(P, C).
R = h(P, C).
User U sends R to H.                                 H receives R.
                                                     H compares R and R1.
U is given access to H                               if R = R1;
U is denied access                                   otherwise.
Table 1 A simple challenge-response authentication protocol.

Since the challenge C is randomly generated, this protocol protects against replay attacks by
intruders. However, this protocol is not immune to other attacks. You will understand
why once you know what rainbow tables are.
B. Rainbow tables [2]

In class you learned that there are several means of authentication: something you know,
something you have, something you are, and something you produce. Passwords (something
you know) are the oldest authentication method and also the most popular. Nowadays,
systems that use passwords for authentication do not store the password in cleartext,
but rather a hash value of the password. Hash functions are used because they are meant to
be one-way functions. For a hash function h:
• Given x, the value h(x) = y is very easy to compute.
• But given y = h(x), it is very difficult to find x. A hash must be very hard to reverse.

We are assuming that when you register as a user of a system the following actions take
place:
i. You are provided with a login by the system.
ii. You select a password.
iii. The system checks that the selected password satisfies the password policy of the
system.
iv. Then the system stores your login along with the hashed value of your password.

When you wish to use the system:
i. You enter your login/password.
ii. The system hashes the password you entered and compares it with the value stored in the
system password file.
iii. If they are equal you are given access; otherwise access is denied.
This is what goes on in a safe and happy environment. But sadly the world is unsafe:
there are hackers out there. Their wish is to get to your password by reversing the
hash function. This is where rainbow tables come into the picture.

[2] Philippe Oechslin, Making a Faster Cryptanalytic Time-Memory Trade-Off, Laboratoire de
Securite et de Cryptographie (LASEC), Ecole Polytechnique Federale de Lausanne, Faculte I&C,
1015 Lausanne, Switzerland. http://lasec.epfl.ch/pub/lasec/doc/Oech03.pdf

C. What are rainbow tables?

For more info: "How rainbow tables work" (Kestas Kuliukas) and "Rainbow table" in Wikipedia.
The following section is a summary of the article "How rainbow tables work" by Kestas
Kuliukas.
Hash functions map plaintexts to hashes in such a way that you cannot recover a plaintext
from its hash (figure 1).

Figure 1 Mapping of Hash functions.


If you want to find a given plaintext for a certain hash there are two simple methods:
a) Hash each plaintext one by one, until you find the hash.
b) Hash each plaintext one by one, but store each generated hash in a sorted table so that you
can easily look the hash up later without generating the hashes again

The first method (a) requires a very long processing time; the second method (b) is not
feasible because storing hashes of all possible plain texts requires so much memory that it is
impossible to do for a realistic dataset of plaintext.

Rainbow tables are a compromise between pre-computation and low memory usage. Rainbow
tables use two functions: a hash function and a reduction function. The hash function maps
plaintexts to hashes; the reduction function maps hashes to plaintexts.

Figure 2 Hash vs. reduction functions.

Notice that the second function is called a reduction function and not an inverse function.
The reduction function maps hashes to plaintexts, but does not necessarily give you the
original plaintext. This is illustrated in figure 2: the reduction function maps a hash to a
plaintext, but not back to the original plaintext, only to some other plaintext.

D. Practical Example :
Let us look at a practical case, using the MD5 hashing algorithm.
MD5 is a cryptographic hash function that, given an input X, produces a 128-bit (16-byte)
hash value Y. It is usually expressed as a hexadecimal number, 32 digits long.
Assume that all our passwords are numeric passwords of length six; that is, a password
corresponds to the [0123456789]{6} policy.
If X = 493823
then Y is MD5("493823") = "222f00dc4b7f9131c89cff641d1a8c50".
How will we use the reduction function?
Remember that our passwords must be of length six, so our reduction function should produce
six decimal digits from the hash value Y we obtained, "222f00dc4b7f9131c89cff641d1a8c50".
Let us pick the number 222004. We have adopted the rule that from the hash we pick the
following hex digits (numbering the digits from 31 at the left-most position down to 0 at the
right-most position):
Digit 31: 2
Digit 30: 2
Digit 29: 2
Digit 27: 0
Digit 26: 0
Digit 23: 4
In other words, we take the first six characters of the hash, read from the left, that are
decimal digits, skipping the letters a-f. Any fixed rule that always yields a plaintext
obeying the password policy would do.
Rainbow tables use chains, where a chain is a succession of hash and reduction operations that
starts with an original plaintext and ends with a certain hash value.
Another way of looking at it is that we proceed as follows:
password 1 --hash--> hash(1) --reduction--> password 2 --hash--> hash(2) --reduction--> password 3
--hash--> hash(3) --reduction--> ... --reduction--> password n --hash--> hash(n)
Kestas illustrates this chain with figure 3.

Figure 3 Chains used by rainbow tables.

E. Another illustration from Wikipedia (figure 4).

Figure 4 Rainbow chain with 3 reductions.


Storage of the rainbow tables:

The intermediate columns are not stored. The only columns that are stored are the initial
column (starting plaintexts) and the final hash column. Using these two columns we can
regenerate the others by applying the hash/reduce functions as many times as needed.
Let us look at a sample process of generating the rainbow tables (the hash used in this
example is a toy integer hash, not MD5):

Password 0   Hash 0         Password 1   Hash 1        Password 2   Hash 2
dccdecee     -1003698034    daecbecc     839310862     cdbdaddb     1802158710
cdeccaed     -723447964     eebdbbcb     504323679     abdcecae     -716915723
acbcaeec     -2138650808    ceadeebd     1384205608    abbddcdc     1305042273
eeeeaebd     537636003      bddcdaad     1446259833    cadaddbd     1629794057
ccdccbeb     -1131047593    ccedebbc     170163192     dacbacdc     -1862546954

The only columns that will be stored in the computer are column 1 and column 6 (table 2):
Password 0   Hash 2
dccdecee     1802158710
cdeccaed     -716915723
acbcaeec     1305042273
eeeeaebd     1629794057
ccdccbeb     -1862546954
Table 2 The stored columns of the sample rainbow table.

Assume that you have the hashed password value 1446259833 and you want to find the
corresponding password. You proceed as follows:
i. The hash value 1446259833 is not in the Hash 2 column of table 2.
ii. You therefore perform the following two operations:
• apply the reduce function to 1446259833,
• then hash the resulting value.
iii. You obtain the value 1629794057.
iv. Checking table 2, you find that this hash value is in the 4th row.
v. The password you are looking for is almost certainly somewhere in the 4th row of the
full table.
vi. This means that your password is somewhere in the chain formed by the 4th row, from the
initial password (Password 0) to Hash 2.
vii. At that point, you start with the starting password of row 4, "eeeeaebd".
viii. Then you keep regenerating the chain (hash/reduce) until you find the value you are
looking for.
ix. In the above example, the password "eeeeaebd" is hashed into 537636003, which is reduced
into "bddcdaad", which is hashed into 1446259833.
x. Congratulations, you cracked the password: "bddcdaad".

Another view of the algorithm, from Wikipedia

Example (using figure 4 as the rainbow chain):

i. Starting from the hash ("re3xes") in figure 4, one computes the last reduction used in
the table and checks whether the resulting password appears in the last column of the
table (step 1).
ii. If the test fails ("rambo" does not appear in the table), one computes a chain with the
two last reductions (these two reductions are represented at step 2).
a. Note: if this new test fails again, one continues with 3 reductions, 4 reductions,
etc. until the password is found. If no chain contains the password, then the attack
has failed.
iii. If this test is positive (step 3: "linux23" appears at the end of the chain and in the
table), the password is retrieved at the beginning of the chain that produces "linux23".
Here we find "passwd" at the beginning of the corresponding chain stored in the table.
iv. At this point (step 4), one generates that chain and compares at each iteration the hash
with the target hash. The test is valid and we find the hash "re3xes" in the chain. The
current password ("culture") is the one that produced it: the attack is successful.

The overall algorithm corresponds to the following steps:

a) Check whether the hash value is in the list of final hashes. If it is, go to c).
b) If it is not there, then
   • if you have exhausted the entire chain length, you have failed to crack the password;
   • else
     i. reduce the hash into another plaintext,
     ii. hash the new plaintext, and
     iii. go to a).
c) If the hash matches one of the final hashes, then
   • the chain whose final hash matched contains the hash you are looking for (unless the
     match is a false alarm, in which case you continue with b));
   • go to the starting plaintext of that row, and keep hashing/reducing until you reach the
     password whose hash is the one you are looking for. (kestas.kuliukas.com)
With a rainbow table, where the reduction function changes with the position in the chain,
each pass through b) restarts from the captured hash and applies one more of the final
reduction functions, as in the Wikipedia example above.

F. Vulnerability of challenge-response authentication to rainbow tables

Just imagine that a hacker launched a man-in-the-middle attack on this protocol. Look at the
scenario below:
User                              Intruder                           Host
When a user U wishes to
connect to a host H,
U types in his/her login,
which is sent to H.
                                                                     H replies by sending to U a
                                                                     random string C and a hash
                                                                     function h.
                                  Intruder I impersonates H          H computes R1 = h(P, C).
                                  and sends a pre-selected
                                  string W to the user U.
User U uses his/her password
P and computes R = h(P, W).
User U sends R to H.              R is received by intruder I.
                                  Intruder I looks up R in the
                                  rainbow tables.
                                  Intruder gets P.
                                                                     R has reached H.
                                                                     H compares R and R1.
U is denied access.               Intruder knows U's password.       R is not equal to R1.
U is not aware that his/her
password P has been stolen.
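The exchange of table 1 and the scenario above, as an added example in Python that is not part of this handout (and not the C++ tool the assignment asks for). It assumes that R = h(P, C) is MD5 over the concatenation C||P (the handout does not fix how the two are combined), a constructed password file with one user, and a constructed pre-selected challenge 5f2a9c; Host, User, honest_session, mitm_session and offline_guess are names chosen for the example.

```python
import hashlib
import secrets
from typing import Dict, Iterable, Optional, Tuple


def h(password: str, challenge: str) -> str:
    """The response function R = h(P, C) of table 1, instantiated with MD5.
    Assumption: the handout does not say how P and C are combined;
    challenge||password is used here."""
    return hashlib.md5((challenge + password).encode()).hexdigest()


class Host:
    """H of table 1.  To compute R1 = h(P, C) the host must hold P itself
    (or something equivalent to it), not a salted hash of P."""

    def __init__(self, password_file: Dict[str, str]) -> None:
        self._passwords = dict(password_file)        # login -> P (constructed)

    def challenge(self) -> str:
        return secrets.token_hex(8)                  # fresh random C per login

    def verify(self, login: str, C: str, R: str) -> bool:
        P = self._passwords.get(login)
        return P is not None and h(P, C) == R        # R1 == R ?


class User:
    """U of table 1: hashes whatever challenge it is shown with its password."""

    def __init__(self, login: str, password: str) -> None:
        self.login, self.password = login, password

    def respond(self, challenge: str) -> str:
        return h(self.password, challenge)


def honest_session(host: Host, user: User) -> bool:
    """Table 1 as written: C goes from H to U and R comes back unchanged."""
    C = host.challenge()
    R = user.respond(C)
    return host.verify(user.login, C, R)


def mitm_session(host: Host, user: User, W: str) -> Tuple[bool, str]:
    """The scenario above: the intruder sits between U and H, swaps the real
    challenge C for a pre-selected W, and relays U's answer.  Returns what H
    decided and the value R = h(P, W) the intruder now holds."""
    C = host.challenge()                         # the real challenge never reaches U
    R = user.respond(W)                          # U computes R = h(P, W), not h(P, C)
    accepted = host.verify(user.login, C, R)     # H compares against R1 = h(P, C)
    return accepted, R


def offline_guess(R: str, W: str, candidates: Iterable[str]) -> Optional[str]:
    """Method (a) of section C against the captured R: because the intruder
    chose W, every guess can be checked without talking to H again."""
    for P in candidates:
        if h(P, W) == R:
            return P
    return None


if __name__ == "__main__":
    host = Host({"alice": "493823"})             # constructed password file
    alice = User("alice", "493823")
    print("honest login accepted:", honest_session(host, alice))
    accepted, R = mitm_session(host, alice, W="5f2a9c")
    print("relayed login accepted:", accepted, "| intruder holds R =", R)
    numeric = (str(i).zfill(6) for i in range(10 ** 6))   # the [0-9]{6} policy
    print("offline guess:", offline_guess(R, "5f2a9c", numeric))
```

The run shows the two points of the table: the relayed R is rejected by H because R1 = h(P, C) uses the real random challenge, so U is simply denied access and stays unaware; and the intruder's copy of R can be tested against guesses with no further contact with H or U, which is what makes the attack offline. Note also that, as table 1 is written, H itself must hold P to compute R1.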

G. Building the mini-hacking tool to break challenge-response-based protocols.
Now that you know what rainbow tables are, you are ready to build a tool that breaks
challenge-response-based protocols.
Your task assumes that you were able to grab both the challenge and the response to the
challenge. You do not have to worry about how the MITM attack was realised.
We assume further that when the host sends a challenge to the user it also sends the
specific hash function to be used. Therefore you, the intruder, know three items:
• the challenge W,
• the function h,
• and the result R = h(P, W).

Your objective is to build a mini-hacking tool that finds P using rainbow tables. This
type of attack works offline: once R has been captured, no further interaction with the
host or the user is needed.
Your tool should be able to:
• build a set of rainbow tables given a challenge W and a set of plaintext passwords;
• the rainbow tables should be built using passwords of 6 characters extracted from
the wordlist dictionary;
• once you have built the rainbow tables corresponding to a particular challenge W, then,
given as input the hashed value sent by the user, the tool should be able to crack the
password;
• your tool should be able to work with the MD5 hash function.
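The tool described in this section, covering the chain construction of section D, the lookup algorithm of section E and the requirements above, as an added example in Python; it is not part of the handout, and the assignment itself asks for C++ (Python is used here so that MD5 comes from hashlib). Assumptions: the response is MD5 over W||P, so a table is tied to one challenge W; the reduction function takes the first 16 hex digits of the hash as an integer, adds the chain position and reduces modulo the keyspace size (a different rule from the digit-picking of section D, chosen so that it also works for a wordlist keyspace); the challenge 5f2a9c and the chain parameters in the main block are constructed. DigitKeyspace, reduce_, chain_passwords, build_table and crack are names chosen for the example.

```python
import hashlib
import time
from typing import Dict, List, Optional, Sequence


def h(password: str, challenge: str) -> str:
    """R = h(P, W): MD5 of challenge||password as 32 hex digits.
    Assumption: the handout does not fix how P and W are combined;
    concatenation is used here, so a table is only valid for one W."""
    return hashlib.md5((challenge + password).encode()).hexdigest()


class DigitKeyspace:
    """The [0123456789]{6} policy of section D as an indexable keyspace.
    Any other sequence of candidates, e.g. the six-character words of a
    wordlist, can be passed wherever an instance of this class is used."""

    def __init__(self, length: int = 6) -> None:
        self.length = length

    def __len__(self) -> int:
        return 10 ** self.length

    def __getitem__(self, i: int) -> str:
        return str(i).zfill(self.length)


def reduce_(hash_hex: str, position: int, keyspace: Sequence[str]) -> str:
    """Map a hash to *some* password of the keyspace (not the original one).
    The chain position is mixed in, so this is a rainbow chain: chains that
    collide at different positions do not merge."""
    return keyspace[(int(hash_hex[:16], 16) + position) % len(keyspace)]


def chain_passwords(challenge: str, start: str, chain_len: int,
                    keyspace: Sequence[str]) -> List[str]:
    """Every plaintext on one chain, i.e. the intermediate columns that are
    not stored; useful to see what a table covers."""
    pws = [start]
    for i in range(chain_len - 1):
        pws.append(reduce_(h(pws[-1], challenge), i, keyspace))
    return pws


def build_table(challenge: str, starts: Sequence[str], chain_len: int,
                keyspace: Sequence[str]) -> Dict[str, List[str]]:
    """One chain of chain_len hashes per start password; keep only the two
    stored columns, as final hash -> start passwords (a list, because two
    chains may end on the same hash)."""
    table: Dict[str, List[str]] = {}
    for start in starts:
        pws = chain_passwords(challenge, start, chain_len, keyspace)
        table.setdefault(h(pws[-1], challenge), []).append(start)
    return table


def crack(R: str, challenge: str, table: Dict[str, List[str]], chain_len: int,
          keyspace: Sequence[str]) -> Optional[str]:
    """Steps a)-c) of the algorithm: suppose R is the k-th hash of some chain,
    finish that chain with the remaining reductions, look the end up, and
    regenerate every matching chain from its start until R reappears."""
    for k in range(chain_len - 1, -1, -1):          # 0, 1, 2, ... reductions
        y = R
        for i in range(k, chain_len - 1):
            y = h(reduce_(y, i, keyspace), challenge)
        for start in table.get(y, []):               # may be a false alarm
            p = start
            for i in range(chain_len):
                y2 = h(p, challenge)
                if y2 == R:
                    return p
                p = reduce_(y2, i, keyspace)
    return None


if __name__ == "__main__":
    W = "5f2a9c"                                     # the pre-selected challenge (constructed)
    ks = DigitKeyspace(6)
    chain_len = 100
    starts = [ks[(i * 7919) % len(ks)] for i in range(2000)]   # 2000 chains of 100 hashes
    t0 = time.perf_counter()
    table = build_table(W, starts, chain_len, ks)
    print(f"{len(table)} chain ends stored in {time.perf_counter() - t0:.2f} s")
    P = chain_passwords(W, starts[7], chain_len, ks)[42]       # a password the table covers
    R = h(P, W)                                      # the response the MITM captured
    t0 = time.perf_counter()
    found = crack(R, W, table, chain_len, ks)
    print(f"R = {R} -> P = {found} in {time.perf_counter() - t0:.2f} s")
```

For the wordlist requirement, pass the list of six-character words as keyspace and any subset of it as starts; DigitKeyspace is only the [0-9]{6} policy of section D. A table of N chains of t hashes covers at most N times t passwords of the keyspace (fewer once chains collide), so the 2000 by 100 table in the main block can crack at most a fifth of the one million numeric passwords; the two printed times are the figures the input/output requirements ask for. Because the reduction function depends on the position, crack has to restart from R for every possible position k, which is what the outer loop does.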

H. Marking of the assignment:

Task                                                          Weight (100 marks)
Algorithm design                                              50%
    The pseudo-code of your algorithms                        30%
    The data structures you selected to use and their sizes   20%
Programming of the algorithms                                 50%
    The C++ code / results of the runs                        30%
    Screen shots of your test runs                            20%

I. Input/output requirements for your algorithms:


Your tool should take two inputs:
• the challenge W,
• and the hash R sent by the user (R = hash(W, password)).
Your output should be:
• the rainbow tables and the time taken to generate the starting and ending tables;
• then, for each value of R:
  o the user's password,
  o the time taken to crack the password.

III. Submission of your work


You should submit your work by the specified deadline. On the day of the submission:
a. You should demonstrate to the lab instructor that your application runs.
b. You should submit a type-written hard copy that includes:
• the pseudo-code of your algorithms,
• the data structures you selected to use and their sizes,
• the C++ code,
• screen shots of your runs.
J. Hints:
• The following URL is about the comparison of sorting algorithms:
http://ddeville.me/2010/10/sorting-algorithms-comparison/
• This code illustrates how the clock function can be used to time your C++ program
(it also compiles as plain C):
/* clock example: frequency of primes */
#include <stdio.h>      /* printf */
#include <time.h>       /* clock_t, clock, CLOCKS_PER_SEC */
#include <math.h>       /* sqrt */

/* Count the primes in [2, n] by trial division down from sqrt(i). */
int frequency_of_primes (int n) {
    int i, j;
    int freq = n - 1;                    /* start by assuming every i in [2, n] is prime */
    for (i = 2; i <= n; ++i)
        for (j = (int) sqrt(i); j > 1; --j)
            if (i % j == 0) { --freq; break; }   /* ... and discount each composite */
    return freq;
}

int main ()
{
    clock_t t;
    int f;
    t = clock();                         /* processor time at the start */
    printf ("Calculating...\n");
    f = frequency_of_primes (99999);
    printf ("The number of primes lower than 100,000 is: %d\n", f);
    t = clock() - t;                     /* elapsed processor time, in clock ticks */
    printf ("It took me %ld clicks (%f seconds).\n", (long) t, ((float) t) / CLOCKS_PER_SEC);
    return 0;
}
Output:

Calculating...
The number of primes lower than 100,000 is: 9592
It took me 143 clicks (0.143000 seconds).

