Cracking the Off the Grid Password Solution

Annual ADFSL Conference on Digital Forensics, Security and Law 2019

May 16th, 11:00 AM

Cracking the Off the Grid Password Solution Cracking the Off the Grid Password Solution

Matthew J. Miller University of Nebraska at Kearney, [email protected]

Joshua Stroschein Dakota State University, [email protected]

Stephanie Slayden Kansas State University, [email protected]

(c)ADFSL

Follow this and additional works at: https://commons.erau.edu/adfsl

Scholarly Commons Citation Scholarly Commons Citation Miller, Matthew J.; Stroschein, Joshua; and Slayden, Stephanie, "Cracking the Off the Grid Password Solution" (2019). Annual ADFSL Conference on Digital Forensics, Security and Law. 5. https://commons.erau.edu/adfsl/2019/paper-presentation/5

This Peer Reviewed Paper is brought to you for free and open access by the Conferences at Scholarly Commons. It has been accepted for inclusion in Annual ADFSL Conference on Digital Forensics, Security and Law by an authorized administrator of Scholarly Commons. For more information, please contact [email protected].

http://commons.erau.edu/

http://commons.erau.edu/

https://commons.erau.edu/adfsl

https://commons.erau.edu/adfsl/2019

https://commons.erau.edu/adfsl?utm_source=commons.erau.edu%2Fadfsl%2F2019%2Fpaper-presentation%2F5&utm_medium=PDF&utm_campaign=PDFCoverPages

https://commons.erau.edu/adfsl/2019/paper-presentation/5?utm_source=commons.erau.edu%2Fadfsl%2F2019%2Fpaper-presentation%2F5&utm_medium=PDF&utm_campaign=PDFCoverPages

mailto:[email protected]

/creativecommons.org/licenses/by-nc-nd/4.0/

/creativecommons.org/licenses/by-nc-nd/4.0/

Cracking the Off The Grid password solution CDFSL Proceedings 2019

CRACKING THE OFF THE GRIDPASSWORD SOLUTION

Dr. Matthew [email protected]

Dr. Joshua [email protected]

Stephanie [email protected]

University of Nebraska at Kearney, Dakota State University, Kansas State University

ABSTRACT

Authentication and authorization to online sites is a difficult problem to solve without the useof cryptography. The standard method of using passwords is clearly an insecure method ofauthentication. A method of authenticating users utilizing a Latin square was developed by asecurity enthusiast and touted as secure. This paper demonstrates a novel method of crackingthe Latin squares that are used to generate the secure passwords in the Off The Grid (OTG)password management scheme. Our method leverages the cores on Graphics Processing Unit(GPU) using the Compute Unified Device Architecture (CUDA) programming extension toefficiently solve the Latin squares used in the OTG password management solution. Wedeveloped a model that represents the possible states and the constraints of the OTG system.We show that the OTG system leaks information about its Latin square and we providesupporting evidence through examples and computation.

Keywords: Parallel Computing, Passwords, Latin Squares, GPU, CUDA, Authentication,Access Control, Cloud Security

1. INTRODUCTION

The use of passwords has become a typicalmethod of authentication for users of digi-tal systems for the past 30 years. This usewas spawned out of the original Unix sys-tems, where users shared the resources of amulti-user system. During the rise of the In-ternet, these password-based systems werethrust upon users of websites. Users wereeither given an easy to remember passwordor they were allowed to choose their ownpassword for authentication. Websites arethen responsible for storing the secret pass-word that user will use to authenticate to

the server. In the early days, websites wouldstore the password in plain text and simplycompare the password on the server with thepassword that the user entered when authen-ticating.

Attackers have had the ability to gainunauthorized access to Internet connectedcomputer systems as long as computers havebeen connected to the network. When anattacker gains access to a website that haspasswords stored in plain text, then that at-tacker can then easily authenticate as anyuser of the system. The loss of a single pass-word from a single website should not give

c© 2019 ADFSL Page 1

CDFSL Proceedings 2019 Cracking the Off The Grid password solution

the attacker access to a different website,except when the user uses the same pass-word for both sites. With the growth in thenumber of websites that are used for normalday-to-day activities, users do not maintaina unique password for every site.

To thwart password re-use attacks, web-site maintainers have migrated from stor-ing plaintext passwords to storing hashes ofpasswords. When a user selects a new pass-word, the website will hash the password us-ing one of the secure hashing algorithms, likeMD5, SHA256 or SHA512. When the userauthenticates at a later time, the websitewill compute the hash of the given passwordwith the hash that is stored in the database.If they match, it is highly likely that theuser has the correct password. If an attackercan exfiltrate the database of passwords thenthey can try and crack those passwords of-fline. Cracking a hashed password meansthat the attacker will have to guess the pass-word. They can either use brute force, andguess every possible password of a specificlength, or they can use rules based on humanbehavior to guess passwords. Either methodincreases the difficulty for the attacker to beable to take a password from one website anduse it on a different website.

In the creation of public key cryptogra-phy has raised the bar for authenticatingusers (SSH Communications Security, 2018).Users can generate and save a public/pri-vate key pair for authentication purposes.They can then store and share a public keyon a server. If the security of the serveris compromised, then no secret informa-tion is lost. This method of authenticationis extremely difficult to attack, comparedto attacking password based authenticationmethods used by typical websites.

The World Wide Web Consortium (W3C)is a standards body that creates standardsfor the Internet and websites. They havecreated standards for Web commerce, Web

Payments and the Web Of Things(W3C,2019). The W3C has defined the WebAu-thn standard(W3C, 2018) for allowing accessto hardware devices from Internet websites.These hardware devices provide the abilityfor a user to authenticate with a website,without sharing private information to thewebsite. The YubiKey(YubiKey, 2018) is anexample of a hardware device that can beaccessible to websites through the WebAu-thN standard. The YubiKey has the abilityto use the FIDO2 protocol(Alliance, 2018)to authenticate website users. With FIDO2,a device can generate a random asymmet-ric public/private key pair. The device canthen provide the public key as a method ofauthentication for the user. The device hasthe ability to prove that the user possessesthe private key, without exposing the pri-vate key to the website. Thus, the websitedoes not have any secrets to store. The samepublic key can be used for multiple websites,without exposing a sensitive key to multipleparties.

During the past two decades, attackersand computer scientists have been lever-aging the GPU to do more than process-ing graphics. The parallel nature of ren-dering graphics has lead to a vast in-crease in the number of cores on a graph-ics card. In 2009 graphics cards had 8cores and by 2017 a high end graphics cardhas nearly 4000 cores(Wikipedia, 2018a)(Galloy, 2018). Figure 1 shows the vast in-crease in GPU cores over the past decade.This vast increase in computing power bygraphics cards has lead to their use forother purposes. Such examples includethe solving of compute intensive paralleliz-able tasks, such as the simulation of bio-chemical molecules(NVIDIA, 2018-05), ma-chine learning (NVIDIA, 2018-04) and thecracking of password hashes. The Hash-cat program (Hashcat, 2018-05) is a pass-word cracking program that can utilize ei-

Page 2 c© 2019 ADFSL


ther a CPU and/or a GPU to crack passwordhashes. Hashcat has the ability to use either

Figure 1. GPU Cores by Year

brute force attacks, dictionary attacks or acombination of the the two. If an attackerhas the ability to acquire a password hashstored on a website, then they can attemptto crack that password. There are two stan-dard methods that a website can use to hasha password. The first is to run the passwordthrough a secure hashing algorithm. Thenwhen the website attempts to authenticatethe user, it will hash the password providedby the user and see if the hashes match. Theproblem with this method, is that if multi-ple users use the same password, then theirpasswords hashes will be exactly the same.Thus the attacker will only need to attackeach hash once for all the users. To make at-tacks harder, websites are encouraged to salttheir passwords. With salted hashes, eachuser of a website has a unique salt stored onthe website(Wikipedia, 2108). The websitethen concatenates the salt with the passwordand then hashes the concatenated string andstores the salted hash. The stored saltedhash will be different for every user, evenif those users have the same password (eachuser has a unique salt). Thus, the attackerwill have to attack each salted hash, whichwill more difficult than attacking unsaltedpassword hashes.

2. BACKGROUND

The OTG password scheme was developedby Steve Gibson of Gibson Research Corpo-ration (GRC). The description of the systemis located on its project page(Gibson, 2018).He has designed security systems such as theShields Up port scanner, a Spectre and Melt-down detector and a DNS benchmark tool.The OTG system is designed to be printedonto paper and then used off line(thus thename).

The OTG password system works by gen-erating a 26x26 Latin Square. A LatinSquare is a NxN matrix where every rowand every column have exactly one valuefrom 1 to N. The popular Sudoku puzzlesare a more restrictive instance of a Latinsquare. The OTG password system gener-ates a 26x26 Latin square where every cellcontains a single letter of the alphabet. Ev-ery OTG square generated by the GRC web-site is randomly generated. An OTG userwill then print their unique square for usein generating passwords. The OTG websiteprovides directions for the users to use theOTG algorithm, which we will briefly de-scribe below.

2.1 Off The Grid Usage

After the user has created and printed agrid, they are ready to start generating pass-words for websites. The first step is to tracethrough the grid to locate your starting lo-cation. Figure 2 shows an illustration oftracing the amazon.com domain through thegrid. The user locates the “A” (first letterof Amazon) in the very top row of the grid.They then locate the next letter of the do-main “m” and find its location in the samecolumn as the beginning “A” was located.The next letter is Amazon is an “a”. Theuser switches directions and moves horizon-tally in the same row as the “m” to locate thenext “a” in that row. This process continues


Nvidi.iCoresby'lear


until the user has traced through the entiredomain. We will call this location where theuser finishes tracing the domain the start-ing point. The starting point is then usedto generate the password for the website atthat domain.

Figure 2. Tracing through the grid

After the user has located the startingpoint they then trace through the grid togenerate the password. An interesting note,is that the starting location is the last letterof the domain name. The user then locatesthe starting letter in the domain name. Inour example, the user ended at the “n” inAmazon and now they will locate the start-ing “A” in the same row. This example isillustrated in Figure 3. After the user haslocated the “A” in that row the first 2 char-acters of the password are generated. In thisexample the “A” is followed by a “gc”. TheOTG system defines that first to letters ofthe users password are now “gc”. The userthen continues tracking the domain, startingat the ending letter of “c” and they switchfrom moving horizontally to moving verti-cally. They then locate the next letter inthe domain which in this case is the “m” inAmazon. The next two letters of the pass-word are the two letters that follow the “m”in in that column, which is “nz” in this ex-ample. This process continues until the userhas traced through the entire domain name.

In this example the password for Amazon is“gcznegmacmzg”.

Figure 3. Generating a password

2.2 Special Cases

There are a few special cases that occur inthe OTG system. Case 1 is when tracingthe grid, the user can reach a letter that isat the edge of the grid. The user then canuse the “overshoot” method to wrap aroundthe grid. Figure 4 shows how the genera-tion of a password can wrap around the thegrid. Case 2 is when the domain has twoconsecutive letters in a row (aka Facebook).The OTG website does not specify how tohandle this case, but for this case we assumethat the user generates two letters to eitherside of the letters in the same row or column(depending on the current direction of thetrace).

Figure 4. Wrapping Case


M amazon ~ l ~

a c1 :-1

( g e ■+------fnl k - ~

~+------{n) k ~ - ~

■+------fnl k J. i: ~


3. ATTACKING GRIDSWhen attacking the OTG system we assumethat there are websites that have OTG pass-words leaked. The OTG author assumesthat if the passwords to a set of websitesare leaked, then the security of other web-sites will not be affected. Our assumptionis that there exists a set of passwords thatare leaked. In particular, we will have a pairof inputs, the leaked websites domain nameand the leaked password, we coin this in-formation a Domain Name Password (DNP)pair.

The simplest method to attack the OTGwould be to try and generate all possibleLatin squares. But as the OTG websitestates, there are 9.337 x 10426 possible Latinsquares. This type of attack would be infea-sible to use. Thus a more targeted approachis needed, if this system can be attacked.

Figure 5. Example password Generation

We started with the information that wecan glean from the password generation algo-rithm. We will assume that we are startingwith a single users Latin square. In Figure5 we can see that when a user generates apassword using the domain name, the lastletter of the domain is followed by the firstletter of the domain name. Additionally, weknow that the first two letters of the pass-word immediately follow the first letter ofthe domain name. Figure 6 shows the re-strictions on the passwords that are gener-ated. To indicate the restrictions on a Latinsquare the arrow notation will be used. ifA→ BCD is shown, that will mean that Ais followed by zero or more characters in arow and the symbols BCD will be consecu-tive in the users Latin square. Consecutivecharacters will adhere to the wrap around ef-

fect mentioned in Section 2.2 and thus BCDare logically consecutive. In the example inFigure 5 we know that N → AGC is a re-striction on all valid Latin squares that couldgenerate the password for this domain name.

Figure 6. Latin Square Restrictions

A second example that restricts the num-ber of Latin square is in the wrap aroundeffect that can occur (Section 2.2). It is pos-sible both letters from the domain name tobe on the edge of the grid. If this is thecase, then the wrap around will include theoriginal letter in the domain name. Figure7 will illustrate this issue. Suppose the weare starting in column 1 on the letter “A”.The next letter in the domain is the “M”which is in column N (or the last column ofa NxN grid). Due to the wrap around rulethe restriction generated will be A→MABand thus we know that A and M are on theborder of the grid. This restriction severallylimits the number of possible grids that cancreate this domain name password combina-tion. In this example there are only 2 possi-ble locations for the letter A and M (in thatrow). There can also exist the combinationof A → MBA, where the starting domainletter is the last letter in the restriction. Inthis case there are 4 possible locations forthe restriction to be located.

Figure 7. Wrap Around Condition

In addition to the restrictions above wealso can glean information from the chain


Domain Name Password

a~ negmacmzg

Column N

Row


of restrictions. Each step in the generationof the password will leak information aboutthe set of possible Latin squares. In Fig-ure 3 we have the restriction of N → AGC.We also know that the column of the letter“C” is the starting point for the restrictionC → MZN . This process repeats for theentire chain of the password. Additionally,we observed that domain names that containan even number of characters, will initiallystart generating passwords where the user ismoving horizontally through the grid. If thedomain name has an odd number of char-acters, then the user will start by movingvertically through the grid to generate pass-words.

3.1 Testing Model

Our approach is to start with Latin squaresof a size where there is a known exact num-ber of Latin squares possible. For our tests,we started by using Latin squares of size10. To represent domains and passwordsthe letters A-J will be used. For a 10x10Latin square there are 9.98 x 1036 possibletotal squares(Wikipedia, 2018b). We chosea random Latin square to use as the base forwhich to generate passwords from (known asgrid0). After the initial Latin square wasgenerated, a set of random domain nameswas created. For each of the domain namesthe process described in Section 2.1 was usedto generate the password for that domain us-ing grid0. The domain name and passwordpairs are stored in a plain text file. For thisproject we generated a random set of 12,288DNP pairs.

4. LEVERAGING

CUDAThe original solutions to solve this prob-lem were written using multi-threading inthe Java language. Java is a compiled lan-guage, but the speed of operation for a Java

program is significantly slower than runningthe same program in the C language. Ad-ditionally , typical computing systems havebetween 4 and 24 different cores that canrun in parallel. Due to these limitations, theprior implementations were not very efficientat solving the Latin squares.

With the prolific rise in the number ofcores that can be integrated onto a singleGPU the design of the project focused ondesigning a system that would be able toleverage a high number of cores. The currentdesign requires at least 840 cores for the ini-tial phase, but this number is configurable.This number is based off of the number ofpossible grids that are generated by a sin-gle brute force attack on a 10 x 10 Latinsquare. Additionally we focused on develop-ing a CUDA based application, which runson an Nvidia graphics card. CUDA is an ex-tension of the C programming language thatallows a developer to write classic C code,with the ability to write code that runs ona GPU. CUDA allows the programmer todefine code that is run on the host machine(CPU) and on the device GPU. There is aninterface provided by CUDA that allows hostcode to interact with the device. CUDA alsoprovides a mapping between RAM and thedevice memory. This allows the host and thedevice to seamlessly synchronize and trans-fer data. The CUDA drivers take care of theactual copying of data over the bus that con-nect the host machine to the graphics device.

4.1 CUDA ImplementationIssues

CUDA has the advantage of having a vastnumber of raw cores that can be leveragedby an application. This does come at thecost of having a much lower amount RAMthat can be accessed by the graphics card.Typical cards have the ability to address be-tween 4 and 8 gigabytes of RAM. This is con-



trast to the fact that CPU’s can access to anexcess of 128 gigabytes of RAM. The initialdesigns of the CUDA software were designedrecursively. The depth of the recursion wasonly a few hundred calls deep, but this typeof design would crash the CUDA software.The design was then switched to maintainthe state in RAM. The RAM is maintainingby using the CUDA Unified Memory Model.This model allows the programmer to allo-cate memory in both host and device lev-els, and then synchronization is implementedby the compiler and provided by the CUDAdriver software.

The implementation of the system alsohad to take into account that a minimalamount of state could be saved between.The limited amount of RAM available to theGPU forced a depth first approach to solvingthe Latin squares. The state was stored forall the previous computations as if the sys-tem were implemented recursively, but with-out the overhead of calling functions.

4.2 Implementation Details

The starting point of the software was toread in the domain name and the passwordassociated with that domain name. Thisdata was then converted from text to alinked list data structure shown in Listing1. This structure holds a single restrictionA → BCD in a compact form. The integerrepresentation of the characters are storedin the letters array. The direction characterstores if the restriction is either a horizontalrestriction or vertical restriction. The Pathstructure is a linked list, where each restric-tion points to either the next restriction, orpoints to NULL if it is last last one in thelist. This data structure is created one timeduring the reading of the DNP pairs fromthe file.

Listing 1. Path Structure

typedef struct Path

{struct Path ∗ next ;char d i r e c t i o n ;int l e t t e r s [ 4 ] ;char ∗ domain ;char ∗ pass ;} Path ;

The grid structure stores the informationabout the state of the grid, given the pathrestrictions. It is shown in Listing 2. Thegrid maintains a N x N array of charactersthat represent the ASCII character that isat the current location. If the character isunknown, then a sentinel dash character (-) is stored in cell. This allows the grid tobe printed to the console in a easy to readformat. The ok variable stores the result ofif the grid has any errors, when trying toset a character at a particular location. Theerror occurs when either 1) there is alreadya different character in that location or 2)that character is already in the current rowor column. This can occur for any of the 3characters when a path is being traced.

One of the major optimizations that oc-curred when developing this implementationwas the use of bit vectors to store the in-formation about the letters in the rows andcolumns. For example suppose that the pro-gram decides that a “C” should set in Row 1,Column 7. A simple implementation wouldstore the fact that “C” could not be in anycell in Row 1, as well as any Cell in Column7. For a NxN grid, this would require ei-ther a list in every cell N elements for NxNcells or it would require a bit vector for ev-ery cell NxN . These solutions either take upa relatively large amount of space (on thespace limited GPU) or time to go throughevery row and column to check the restric-tions. The optimized solution was to usea single bit vector for every row and everycolumn. This required 2N amount of stor-age for a NxN grid. If the system tries “C”



should set in Row 1, Column 7, then “C” isremoved from the Row 1 bit vector and theColumn 7 bit vector. Each letter is repre-sented by using a bit mask where each letteris 2N where N is the ordinal value of the let-ter in the alphabet. Thus A is 20 = 1, Bis 21 = 2 and C is 22 = 4 and so on andso forth. As the maximum size for a Latinsquare in the OTG system has 26 cells, a sin-gle 32 bit integer can be used to store the bitvector. This representation allows system toset the restrictions in O(2) time and it usesO(2N) space to store these restrictions. Theimplementation uses bitwise or to add a newrestriction and bitwise and to check for theexistence of a restriction. These restrictionsare stored in the grid using the row and colfields of the grid structure.

Listing 2. Grid Structure

typedef struct Grid{int ∗row ;int ∗ c o l ;char ∗∗ C e l l s ;char ok ;} Grid ;

The location data structure is used tostore information about where the system isguessing a restriction will go within a grid.This data structure is shown in Listing 3.The x and y variables are used to store wherethe first letter in a restriction is supposed tobe located. In the example A → BCD theletter “A” is located at (x,y) within the grid.

The type field in the location structure caneither be Full or Partial. A Full search typeis used to go through every combination of xand y coordinates. This is used for the firstrestriction within a path. The Full searchtype is used to generate the primer for thegrids. A full search on a 10x10 grid, thatdoes not have any special case restrictions,generates 840 possible grids. Each of these

grids is then distributed to a different coreon the GPU during subsequent calls. Therest of the restrictions of the path will all bebe partial locations. A full is also used whenthe next DNP pair is searched.

For both the Full and Partial, the systemuses the direction in the path (Listing 1) todetermine how nextX and nextY are incre-mented. For the Partial path, if the restric-tion in horizontal, then nextY and y willremain constant through the loop and thenextX value will increment through the loopfrom index 1 to N .

Listing 3. Location Structure

typedef struct Locat ion{

u i n t 8 t x ;u i n t 8 t y ;u i n t 8 t nextX ;u i n t 8 t nextY ;u i n t 8 t lastX ;u i n t 8 t lastY ;u i n t 8 t type ;u i n t 8 t edge ;

} Locat ion ;

The Location data structure tracks thecurrent location and the system then incre-ments the current location until it has gonethrough all possible locations. If the sys-tem were written recursively, then the statewould be kept track of by the recursive calls,but it had to be done manually. The Statestructure was used to store the state infor-mation. It keeps track of the current Grid,Path and Location. Additionally, the statekeeps track of the information about the to-tal number of iterations and the number ofvalid grids that occurred during those itera-tions. This statistical information helps re-searchers to understand the complexity andthe runtime of the system, when crackingLatin squares.

Listing 4. State Structure



typedef struct State {Grid g r id ;Locat ion l o c a t i o n ;Path ∗ path ;long count ;long i t e r a t i o n s ;

}State ;

The State structure had to be created toaccommodate the problem of recursion inCUDA on the GPU. The developer imple-mented a State structure for every depth ofthe search, such that backtracking to pre-vious states could be accomplished. Everytime a valid grid was encountered, the sys-tem saves the current state, and then clonesthe entire state to the next depth. The al-gorithm then increments the state and per-forms a check to see if the current state canbe incremented. If it cannot be incremented,the algorithm then pops states until it findsone that can be incremented. If there arenone, then the algorithm has finished itssearch.

5. METHODOLOGY

The hypothesis of this research was that theOTG system leaked information with everypassword generated. To prove this hypothe-sis, we first needed to create a Latin squareand a set of DNP pairs. If the OTG sys-tem leaked information, then we should seea lower number of possible grids that wouldneed to be checked, compared to a brute at-tack on all possible Latin squares.

The process we used to test the Off TheGrid system was to generate a randomly gen-erated Latin square of size 10. A programwas developed that would chose a randomset of characters to represent a domain name(repeat letters were omitted). For each do-main name, the algorithm would locate thestarting point, by tracing the path of the

domain name in the Latin square as de-scribed in Section 2.1. The algorithm wouldthen generate the password for each domain.The output of this program was the 12,288unique DNP pairs.

After the DNP pairs were generated, thetesting of the system could begin. Manyshell scripts were created to automate thetask of extracting a particular DNP pair andthen attacking it with the GPU passwordcracking system described in Section 4. Thescripts would either 1) run that DNP pairthrough the password cracking system or 2)combine multiple DNP pairs and run themthrough the password cracking system.

The password cracking system would gen-erate a small amount of log information asit ran. It would time how long the pro-cess took, generate statistical informationand it could even verify that the originalgrid was located at each depth of the search.The statistical information collected wouldcount the number of possible grids that weresearched as well as the number of valid gridsat each depth. The verification that the orig-inal grid was optional and it did not posi-tively influence the algorithms performanceat any point.

For the tests that were run we used theNVIDIA GeForce GTX 970 graphics cards.A server was built using 4 graphics cardsconnected via PCI. These cards fit in a 2Userver chassis, though further research showsthat 8 or more cards can be connected by us-ing USB-to-PCIE convertors. The passwordcracking system is designed to use one graph-ics card at a time, though multiple instancesof the program can be run at the same time.

5.1 Single domain password

To verify that the password cracking systemwas working correctly, all of the 12,288 DNPpairs were run through the system. Fig-ure 8 shows the number of possible gridsgenerated by each DNP pair. The smallest



number of possible combinations was 8 andthe maximum was just less then 13 million.The testing at this stage was to run all thegrids through the cracking system. The dataclearly shows a wide amount of variance be-tween the number of possibility generated bya DNP pair. One property of a Latin Squareis that you can rotate the square 90◦and theproperties of the square remain. Thus, only1/4 of the grids are a result of the originalsquare. Thus, the smallest possible numberof grids that can be generated is 4. A resultof 8 shows that there are two possible grids(each rotated 4 times).

Figure 8. 1 password, Number of PossibleGrids

Figure 9 shows another view of the datagenerated for all 12,288 DNP. The filled por-tion of the grids ranged from 11 to 19 percentwith 1 domain name password combination.For a six character password, more than 90%of the grids (11,104/12,288) yielded 16 char-acter from the final grid while over 51%(6,292/12,288) of DNP generated 18 or morecharacters. This data shows that on aver-age a 6 character password leaks 18 or morecharacters of 100 characters in the grid.

5.2 Two domains

The data presented in Section single showencouraging results. There is data leakagefor each password generated. Given that

Figure 9. 1 password, Percentage of GridFilled

there are 12,288 passwords generated for thefirst stage, it would not be feasible to gener-ate all possible grids pairs in a reasonabletime frame. For example an average grid#10052 had 3,637,872 possible valid gridsand it took 13.96 seconds to run that sin-gle test. When this is multiplied by everypossible grid that we could combine it with,then the time to run all of these grids wouldnot be feasible at this time given the currenthardware in our lab. As the goal of this pa-per is to pinpoint the uppermost bound onthe amount of data leaked by passwords en-coded using this scheme, we opted for a moretargeted approach. The grids that producedthe smallest number of grids were combinedtogether as a set of 2 of DNP pairs.

By combining the smallest grids, the timerequired to combine these DNP was mini-mized. Each grid was combined with allthe other grids in the top 40 (excluding it-self). The test generated 1560 (40x39) dif-ferent sets of 2 grids that were combined,and then ran through the password crackingalgorithm. The top 40 grids had between8 and 88 different valid grids and the filledpercentage ranged from 11% to 15%.

Figure 10 shows the results from gener-ating the possible grids for the combination


14,000,000

12,000,000

10,000,000

8,000,000

6,000,000

4,000,000

2,000,000

a

20

18

16

14

12

10


of two of the top 40 smallest DNP poirs.The number of valid grids ranged from 4 to560. As the grids in this test run were muchsmaller in size, the number of possible gridshad a much smaller variance than in the firsttest.

Figure 10. 2 passwords, Number of PossibleGrids

Figure 11 shows the percentage of the gridthat is filled in the same data set. The per-centage ranged from 13% to 28%. Again, wecan see that data is still being leaked by theuse of the OTG password system. The re-sults of this test were quick and we could seethat running pairs of DNP through the al-gorithm yielded more information than run-ning a single DNP through the system.

Figure 11. 2 password, Percentage of GridFilled

Analysis was done on the top 40 smallestgrids, and the results were intuitive. Theconstraints shown in Section 3, especially inthe wrapping situations yielded the small-est grids. It is clear that if there is a wraparound that occurs, then the resulting pass-word yields a much smaller set of possiblegrids than any other password. Thus thesepasswords were weak, and they would shrinkdown the state space involved. But, thepasswords that were in the top 40 would of-ten combine not just 1 wrap around pass-word, but often 2 or 3 of these in succession.This would force the number of possible validgrids to be very small.

5.3 Optimal Selection

The above approach did not yield a set of op-timal results. Section 5.1 showed that for ev-ery character in a 6 character domain namewe netted 3 characters worth of information(51% of grids yielded 18 characters or more).However, in Section 5.2 we saw that the max-imum number of characters of informationleaked was 28. This means for the two DNPpairs, we yielded 2.3 characters worth of in-formation per character in the passwords.This result is due to the selection of smallgrids over optimal grids that would be com-bined. The optimal set of grids to combinewould be grids that do not contain any over-lap with one another. Then each grid wouldyield the maximum amount of informationwhen run through the password cracking al-gorithm.

To test our theory about selecting the op-timal grids, a group of python programs werewritten to extract the final grids from the loginformation created by the password crack-ing system. These scripts would get the finalgrid’s output and then combine it with thefinal output of other 12,287 grids.

Running the python script on pairs ofDNP pairs, the output resulted in over48,000 combinations that yielded 38 char-


Number of possible Grids

600

500

400

300

200

100

Number of Filled Cells

30

25

20

15

10


acters when combined. This result showsthat if these DNP pairs would be combined,then the for every character in the two do-mains, we yield 3.166 characters of informa-tion leaked. Running one of the optimalpairs through our algorithm yielded the re-sult in 1.5 days, running on a single graphicscard.

Another python script was created to at-tempt to combine the results of combining3 DNP pairs together. The results of thescript were narrowed down to print only thegrids that had more than 55 characters inthe grid. The data shows that more than13,000 of the combined grids had either 56or 57 characters filled in with the grid.

5.4 Estimation of PossibleCombined Grids

Following further analysis of the data, it wasfound that one could estimate the number oftotal grids that the GPU would have to checkfor each password combination. To do so,one would start by parsing the output andobtaining the total grids checked and num-ber of valid grids for each individual pass-word in the desired combination. The com-bination of 2 grids (Grid A and Grid B) isperformed by first computing valid grids forGrid A and then computing all possible gridsthat could occur for Grid B. A pessimistic es-timate is to compute the valid grids for GridA, and then multiplying that by the possiblegrids for Grid B. The computation is donefor Grid A -¿ Grid B and then in reverseGrid B -¿ Grid A. The most accurate esti-mate is the minimum of the two products.

For example, in Grid #1734, it was com-puted that there were 80 possible valid gridsafter computing a total of 6,688 possiblegrids. In Grid #4773 there were 64 total pos-sible valid after computing a total of 86,808possible grids. When these two grids werecombined, our program computed an esti-

mate as shown above. The calculation is per-formed both directions to extract the small-est estimate. For this example, our programwould take (80 ∗ 86, 808) and (64 ∗ 6, 688)to obtain our two estimations. The calcula-tion of Grid #4773 followed by Grid#1734(6,688 x 64) gave us the smaller estimationof 428,032, so we considered it to be the mostaccurate estimate for the combination of thetwo grids.

Figure 12

A test of combining Grid #1734 with Grid#4773 found that it checked an actual to-tal of 162,244 grids. These calculations wereperformed on the top 40 smallest grids. Eachtop 40 grid was combined with every othertop 40 grid. We then calculated the ratioof the actual findings with our estimation,it showed that our approximation was gen-erally an overestimation. In general, the ac-tual number of grids checked was only 65%of our estimate. Figure 12 shows the resultof running the algorithm on the top 40 grids.This is ordered by the number of cells filled.The graph includes grids filled from 15 to 28cells in a 100 cell grid.


2.5

.g 1.5

~

~ l

0.5

Estimating Number of Grids to Check for 2x2s

- Ratio

15 ~ U H 19 W 21 22 23 N 25 26 27 D

Number of Cells Fill ed in Grid


5.5 Example Bounds on FilledGrids

A Latin square that is filled more than 1/2full can become fully solvable. We were ableto compute fillable squares given the state ofa Latin square. For example when the grids#5601,#5939 and #4323 were combined, weyielded a result of 57 unique cells in the Latinsquare. By using an algorithm that checksto see if a cell has only one possible value,we were able to complete 96 cells in the grid.This leaves 4 cells empty where there are twodifferent possible solutions.

- e a g i f b d - c

c g h a j e i b d f

f j d e h c g i b a

e a g h f j d c i b

g d j i c b a f e h

b f i c g d j h a e

d c e b a g h j f i

a i c j b h f e g d

- b f d e i c a - g

i h b f d a e g c j

6. RESULTSThe results of our password cracking systemshowed promise, as we were able to leak in-formation from the OTG Latin square usedto generate website passwords. The resultsof running a single DNP pair through thepassword system was very quick. The timefor a single run ranged from 0-16 secondswith the average taking 4.4 seconds.

The results of combining two differenttop 40 smallest possible grids resulted ingrids that only had 4 possible grids, whichis essentially one grid that is rotated 4times. The average number of grids thathad to be checked with 2 small grids was143,801. The minimum number of gridschecked was 25,884 and the maximum num-ber was 559,504. The grid that resultedin the maximum number (Grids #8016 and

#8273) took only 11 seconds to run and itresulted in 23 of the cells in the grid beingfilled. We also had a combination of Grids#11 and #4797 yielded 25 filled cells withthe number of grids checked at 66,880.

Comparing the results from the abovetwo tests to the computed number of Latinsquares shows a stark difference. For allpossible Latin squares of size 10 there are≈ 9.9x1036 possible Latin squares. We wereable to compute 25% of the grid using only6.6 ∗ 105 computations. Thus if there weretwo more edge case grids that were optimallycombined, 50% of the grid could be filled.This could possibly allow for a grid to besolved in about 1.2∗106 computations. Thisis 30 orders of magnitude less than the totalnumber of Latin squares of size 10.

7. CONCLUSIONS

AND FUTURE WORKOur hypothesis was that given a set of Do-main Name Password pairs, it would be pos-sible to gain information about the originalgrid. We have created a set of constraints,based on the design documents provided bythe creator of the Off The Grid, that canbe used to reduce the state space of pos-sible Latin squares. We have implementedseveral algorithms that represent and attackthe different facets of the OTG system. Wehave given evidence that it is possible to re-duce the amount of work required to crackthe Latin squares used in the OTG passwordsystem. We believe that given the calcula-tions shown in Section 6 we can see that itis possible that the use of Latin squares asa password generation scheme can be com-promised given a small set of passwords. Wehave shown that character in a domain namegenerates about 3 characters of the originalLatin square. If we extrapolate this out toa full size 26x26 (676 cells) Latin square itwould take about 19 domain name password



pairs to fully crack an OTG system. (676 /2 (fill 50% of grid) / 3 (3 characters per do-main character) / 6 (6 character password)).

7.1 Security Considerations

Given the above evidence, we would not rec-ommend using the OTG for generating pass-words for websites. We have shown thatthere are possible weaknesses in the systemthat could allow the original grid to be re-covered. In addition, there is not a methodthat can be used to reset a single password ifthe password is lost. The loss of passwordsoccurs on a regular basis as security breacheshave increased considerably over the pastdecade. Finally, OTG does not support mul-tiple logins names for websites. There area variety of reasons for having multiple ac-counts and the OTG system has no mecha-nism for multiple logins. Additionally, stan-dards like WebAuthn provide a much higherlevel of security using asymmetric encryp-tion.

7.2 Future Work

The first area we would like to pursue moreresearch, we would like to generate morepossible passwords to find more weak DNPpairs. These weak DNP pairs can be used tofind a closer approximation to the theoret-ical bounds that can be used to attack theOTG system.

The second area of future research is theintegration of the entire process into oneseamless tool. Currently there is a CUDAC Program that implements the parallelpassword cracking attacks. There are Bashscripts that parse the output of the passwordcracking and produce CSV outputs whichcan then be parsed and read using Excel.Those results are then manually sorted andused to create the next stage of computa-tion. Additionally, for the optimal computa-tion, we utilize Python scripts to combinethe grids to get a quick handle on which

combinations will yield grids the largest por-tion of a grid to be filled, which is thenrun through a Java program that finds con-strained cells and fills them in. All of theseprograms should be combined into 1 stream-lined system to make the process seamlessand more efficient.

The third area of research is to expand thesize of the grids that we will do processingon. Currently we used a size of grid where wehave an exact size on the number of possiblegrids. We would like to expand the researchto attack grids of size 15, 20 and 26, where26 is the ultimate goal of the research. Thismay require additional hardware and modi-fication of software. The password crackingsoftware is mostly written to accommodatelarger sizes of grids, but the generation ofan initial set of grids and the distributionof those grids to blocks of cores depends onthe size of the input, the number of coreson a GPU and the available RAM on thoseGPU’s. This process would require some finetuning, but should be a straightforward task.

REFERENCES

Alliance, F. (2018, 05). Fido2 project.https://fidoalliance.org/fido2/.Retrieved 2018, fromhttps://fidoalliance.org/fido2/

Galloy, M. (2018, 04). Cpu vs gpuperformance. Retrieved 2018-04-17,from http://michaelgalloy.com/

2013/06/11/

cpu-vs-gpu-performance.html

Gibson, S. (2018, 04). Off the grid.Retrieved 2018-04-17, from https://

www.grc.com/offthegrid.htm

Hashcat. (2018-05). Hashcat, advancedpassword recovery. Retrieved 2018-04,fromhttps://hashcat.net/hashcat/



NVIDIA. (2018-04). Gpu-acceleratedtensorflow. Retrieved 2018-05-01,fromhttps://www.nvidia.com/en-us/

data-center/gpu-accelerated

-applications/tensorflow/

NVIDIA. (2018-05). Gpu-acceleratedgromacs. Retrieved 2018-05-06, fromhttps://www.nvidia.com/en-us/

data-center/gpu-accelerated

-applications/gromacs/

SSH Communications Security, I. (2018,05). Ssh (secure shell). Retrieved2018, fromhttps://www.ssh.com/ssh/

W3C. (2018, 05). Web authentication: Anapi for accessing public key credentialslevel 1. Retrieved 2018-05-06, fromhttps://www.w3.org/TR/webauthn/

W3C. (2019). Web of things. Retrieved2019, fromhttps://www.w3.org/WoT/

Wikipedia. (2018a). Geforce 10 series.Retrieved 2018-04-17, fromhttps://en.wikipedia.org/wiki/

GeForce 10 series

Wikipedia. (2018b). Latin squares.Retrieved 2018-04-17, fromhttps://en.wikipedia.org/wiki/

Latin square

Wikipedia. (2108, 05). Salt (cryptography).Retrieved 2018-05, fromhttps://en.wikipedia.org/wiki/

Salt (cryptography)

YubiKey. (2018, 05). Web authentication:An api for accessing public keycredentials level 1. Retrieved2018-05-06, fromhttps://www.yubico.com/

A. APPENDIX 1.

RESULT OUTPUT

The top 40 smallest Domain Name PasswordPairs are shown in Table 1. Tables 2 and 3show the results of combining pairs of 2 DNPpairs from Table 1 with each other. Thesetables only show the pairs that have onlya single unique result grid (4 possible gridswith rotation).



Table 1. Top 40 Smallest Domain NamePassword Pairs

Grid Number Number Filled Valid503 12 85419 12 84797 14 128179 12 1611873 13 162954 13 245129 12 24645 14 3216 13 401978 13 402606 15 409839 14 4011357 14 409159 14 44758 13 481749 14 485581 13 488997 13 4811181 13 488788 13 524648 15 564773 15 642430 11 7211 13 80933 14 801373 14 801582 13 801734 14 803143 14 805421 14 806221 13 806674 13 807409 12 808276 13 808016 14 841620 13 888064 12 888273 13 889347 13 8810969 15 88

Table 2. Results combining Two DomainName Password pairs

Grids Filled Total Possible Valid503-5419 20 42248 4503-4797 21 27632 4503-8179 24 31432 4503-11873 20 44392 4503-2954 19 25884 4503-5129 21 30632 4503-11181 21 66920 4503-4648 24 64152 4503-933 20 44324 4503-1620 24 62312 4503-10969 22 27232 45419-4797 16 29280 45419-2954 18 28260 45419-16 18 121920 45419-1978 18 121920 45419-758 17 46040 45419-1620 19 68880 44797-8179 22 51880 44797-11873 20 74680 44797-2954 17 46772 44797-5129 21 51560 44797-645 21 46820 44797-16 20 141440 44797-1978 20 141440 44797-9839 23 60128 44797-4648 21 85880 44797-11 25 66880 44797-933 21 57180 44797-1734 20 48604 44797-6674 21 79960 44797-8064 20 46820 44797-10969 20 47760 48179-16 24 270920 48179-1978 24 270920 48179-9347 20 30756 411873-2954 20 30132 411873-11181 18 95704 411873-1620 24 88680 411873-10969 22 34200 42954-5129 21 44844 48064-10969 22 92512 4



Table 3. Results combining Two DomainName Password pairs Continued

Grids Filled Total Possible Valid2954-16 19 213124 42954-1978 19 213124 42954-9839 21 107892 42954-4648 21 103684 42954-11 22 68724 42954-933 20 50184 42954-8064 20 27356 42954-10969 19 28524 45129-16 21 345440 45129-1978 21 345440 45129-10969 22 37200 4645-10969 22 37744 416-11181 20 409008 416-4648 21 362800 416-1734 23 228624 416-1620 23 396880 416-10969 23 217840 41978-11181 20 409008 41978-4648 21 362800 41978-1734 23 228624 41978-1620 23 396880 41978-10969 23 217840 42606-8276 23 126640 49839-9159 20 230756 49839-8273 21 302316 49839-9347 21 183700 49839-10969 24 178636 49159-4648 21 182480 49159-10969 22 91520 4758-1582 18 184792 41749-1734 24 77912 411181-11 24 179320 411181-933 19 123260 44648-1373 25 450960 44648-8273 22 282200 44648-9347 21 252144 44773-11 23 322288 42430-8273 20 160840 42430-9347 21 91424 43143-10969 22 112344 48016-8273 23 559504 4


Documents

Cracking the Off the Grid Password Solution