A Moscow-based software maker filed this week for a U.S. patent on a technology it claims will significantly reduce the time it takes to crack computer passwords.
The Russian company, Elcomsoft, said in a statement that it has discovered “a breakthrough technology that will decrease the time that it takes to perform password recovery by a factor of up to 25.”
However, some cryptology experts questioned just how much of a breakthrough the company’s technology really is.
“I don’t think it’s a breakthrough at all,” John Callas, chief technology officer for the global security software company PGP in Palo Alto, Calif., told TechNewsWorld.
He cited research at Columbia Univeristy in New York City in the 2003 to 2005 time frame that described the underpinnings of the Russian firm’s technology.
According to ElcomSoft, it has found a way to harness the combined power of a PC’s Central Processing Unit (CPU) and its video card’s Graphics Processing Unit (GPU).
“The resulting hardware/software powerhouse,” it asserts, “will allow cryptology professionals to build affordable PCs that will work like supercomputers when recovering lost passwords.”
The patent-pending technique can reduce the time for “brute force” password recovery — a trial and error process that requires enormous computing power — from months to days, Elcomsoft maintains.
Callas argues, however, that the Columbia researchers made the connection between cryptography and computer graphics cards long before Elcomsoft’s announcement this week.
“Once you’ve shown you can do cryptography with a graphics card, doing cryptanalysis with a graphics card is really the same sort of thing,” he reasoned.
“Once you’ve heard you can make a frozen daiquiri with a blender, it’s like saying the frozen Pina Colada is a new invention,” he analogized. “It’s not really a new invention. It’s changing the ingredients and realizing the blender works that way.”
“The first person that made the frozen drink made an invention,” he continued. “The second person didn’t do anything.
“To those of us skilled in the art,” he said, “this is completely obvious.”
There have been projects using graphics cards for this purpose before, added Benjamin Jun, vice president for technology for Cryptography Research in San Francisco.
“I applaud this group because I think they’re getting tremendous performance out of this, and it’s a new tool that can be used in breaking keys,” he told TechNewsWorld. “But I don’t think it is the first announcement in this regard.”
Whether Elcomsoft’s technology is patentable or not, it does drastically change the economies involved in cracking passwords.
To obtain the horsepower to compromise passwords, researchers sometimes turn to computers specially designed for the task.
Cryptography Research’s Jun recalled working on the development of such a machine in the late 1990s. Called “Dcrack,” it was used to crack DES (Data Encryption Standard) encryption and cost US$250,000 to build.
Compare that with the cost of Elcomsoft’s solution and it can be seen why some security experts are watching developments in this area very closely.
When ElcomSoft ran some preliminary tests with its password recovery software on Windows NTLM (NT LAN Manager) logon passwords, it found it could increase the recovery speed of a PC by a factor of 20, simply by hooking into the machines’s $150 video card.
Hacker Arsenal Enhanced?
“One of the things that’s very interesting right now is that there’s more computing power in your graphics card than in your CPU,” explained Callas, of PGP, “but it’s very specialized computing power designed for drawing pixels on the screen.”
As it turns out, that specialization is suitable for cryptographic calculations.
“Cyrptographic applications are essentially basic arithmetic done in clever combinations a whole bunch of times,” Callas said. “That sort of repetitive arithmetic is the same thing that you do in graphics operations.”
With the cost of cracking passwords going down, will the risks to society go up?
“It changes the arsenal of what’s available to someone who is doing brute-force attacks,” Jun opined, “but I don’t think that we need to run for hills with respect to today’s cryptography just yet.”