Hashing
la0, 2012-04-26 22:47:20

Bulk generation of md5 hashes and searching them?

Good afternoon.
The situation is this. On one project, I historically have authorization by a hash like accesshash=md5('supersecretttbhnbcxhh'.%APIACCESS%.'secret2'),
and I want to check the complexity and time cost of bulk brute-forcing of APIACCESS, given that
APIACCESS has a constant length (10) and a small alphabet (20 characters).
It so happens that changing supersecretttbhnbcxhh is undesirable, but it may have to be handed over to a third party. accesshash is basically public.
After reading a little and thinking it over, I believe it is possible to generate so-called rainbow tables and brute-force in bulk with them.
I want to try doing it myself (taking the insider into account) in order to get an idea of how dangerous this option is.
Question: what software (preferably for *nix) can you recommend for table generation and fast lookup?
Clearly I can write it myself, though it will run much slower than tools written by authors more qualified than me.
I am not aiming for times like 5 minutes or 1 hour, but there is a difference between 10 days and 30* days.
Or maybe someone can estimate the time required for brute force based on empirical data?
*) a rough estimate from running my own generator written in C#
Thanks in advance!


7 answer(s)
freem4n, 2012-04-27
@la0

The speed of MD5 cracking (generation + comparison) with the egb program on a video card priced up to 10 thousand rubles is from 600 million to 1 billion hashes per second.

egorinsk, 2012-04-27
@egorinsk

> APIACCESS has a constant length (10) and a small alphabet (20 characters).
I.e., the unknown part of the key has ~45 bits of entropy. That gives us approximately 10^13 variants (10 trillion?). Search the web for how fast MD5 can be brute-forced, for example on a video card, and you get the cracking time.
As for rainbow tables, they have to be generated first. I suspect that 45 bits is faster to find by brute force. Moreover, with brute force, cracking 1 password or 10,000 passwords takes approximately the same time.

009b, 2012-04-27
@009b

Generating rainbow tables takes an unrealistically long time.
And so what, let one core work 24*7, even for a couple of weeks / months / years =)
As a sport it is interesting, but Linux md5sum works very quickly.

Anatoly, 2012-04-26
@taliban

If you want to get rid of mass brute-forcing, there is one simple way that dramatically increases the guessing time: after three incorrect attempts, a pause is made (for example, <number of attempts> seconds); as a result, the search turns into an ever-increasing wait. Although it depends on what kind of project it is =)

Genome_X, 2012-04-27
@Genome_X

Well, it's not necessary to generate anything at all: most of the tables have already been generated and made freely available (on the same root tracker); all that remains is to download them, hook them up and get to work.

freem4n, 2012-04-29
@freem4n

The speed of SHA-256 cracking on a video card with 352 CUDA cores (low-end in 2010) is 200 million hashes per second.
Most likely, the GTX 690 with 3072 CUDA cores (~2 billion hashes per second) will be released this year:
So, we have 2 x 1536 CUDA cores clocked at a decent 915 MHz base clock with the possibility of a boost clock of 1019 MHz.
Thus, already this year, and in 2013 at an even more attractive price, we will get a card capable of cracking SHA-256 hashes the same way MD5 is cracked now.
The only hope is MD5(UNIX) ;-)

la0, 2012-04-29
@la0

Thank you very much for your comments!
However, my “colleagues on the other side of the monitor” and I came to a normal solution for authorization. Without such crutches.
To all who responded, I added karma :)
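
An added example (not part of the original thread or any poster's code) that puts numbers on the estimates discussed in the answers above: the size of the APIACCESS space, the worst-case offline search time at the GPU rates quoted, a local single-core measurement on a reduced space, and the accumulated delay of the attempt throttle. The secrets, the alphabet and the reading of the throttle rule are assumptions made for the example.

```python
import hashlib
import itertools
import math
import time

# Constructed stand-ins: not the secrets or alphabet of the real project.
PREFIX, SUFFIX = b"demo-prefix-secret", b"demo-suffix"
ALPHABET = "abcdefghijklmnopqrst"  # 20 symbols, matching the stated alphabet size

def access_hash(api_access):
    """Scheme from the question: md5(prefix . APIACCESS . suffix)."""
    return hashlib.md5(PREFIX + api_access.encode() + SUFFIX).hexdigest()

def keyspace(alphabet_size, length):
    """Number of possible APIACCESS values and the equivalent bits of entropy."""
    n = alphabet_size ** length
    return n, math.log2(n)

def offline_seconds(alphabet_size, length, rate):
    """Worst-case time to test every value offline at `rate` hashes per second.
    Once both secrets are known they add no work: one MD5 per candidate."""
    return alphabet_size ** length / rate

def throttled_seconds(wrong_attempts, free=3):
    """Total pause under the throttle from the thread, read here (assumption) as:
    the k-th wrong attempt, for k >= free, is followed by a k-second pause."""
    return sum(range(free, wrong_attempts + 1)) if wrong_attempts >= free else 0

def measure_reduced(length=3):
    """Exhaust a reduced space (20**3 = 8000) to measure this machine's rate."""
    target = access_hash(ALPHABET[-1] * length)  # last candidate: worst case
    start, found = time.perf_counter(), None
    for tried, combo in enumerate(itertools.product(ALPHABET, repeat=length), 1):
        if access_hash("".join(combo)) == target:
            found = "".join(combo)
            break
    return found, tried, tried / max(time.perf_counter() - start, 1e-9)

if __name__ == "__main__":
    total, bits = keyspace(20, 10)
    print(f"{total:,} values, {bits:.1f} bits")
    for rate in (600e6, 1e9):  # GPU rates quoted in the thread
        print(f"{rate:.0e} H/s -> {offline_seconds(20, 10, rate) / 3600:.1f} h")
    found, tried, local = measure_reduced()
    print(f"local: {local:,.0f} H/s -> {offline_seconds(20, 10, local) / 86400:.0f} days")
    print(f"1000 throttled online guesses: {throttled_seconds(1000) / 86400:.1f} days")
```

The throttle figure applies only to guesses sent to the server; since accesshash is public, anyone holding both secrets can test candidates offline at the hash rates above.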
