Using a Bitcoin or Litecoin miner for attacking PBKDF2 / SHA-256


I'm wondering if it would be possible to utilize a Bitcoin or Litecoin miner to attack, say, a password database that uses PBKDF2 with HMAC / SHA-256. PBKDF2 uses multiple iterations of a PRF - usually HMAC-SHA1, but sometimes HMAC-SHA-256 - for protecting passwords. The idea is that these calculations have to be performed for each password, so that makes it more difficult for an attacker to test all passwords. The PBKDF2 method is defined in RFC 2898.

Sometimes statements are made that these functions are insecure because of attacks with ASICs, and often the total amount of Bitcoin SHA-256 hashes is shown as an example of what can be done. Now I'm wondering if it would be possible to program a Bitcoin or Litecoin miner to find a password using brute force or a dictionary attack.

Assumptions:

• HMAC SHA-256
• the salt is known
• output of PBKDF2 is 256 bit (the output of the hash) or less
• "high" number of iterations, say 4K to 40K

To do this you would have to program HMAC using a single SHA-256. Furthermore, you probably would have to have a method to perform the iterations. The iterations use the same key (derived from the password) for HMAC but the data is dependent on the previous value. Obviously there also needs to be some way to generate or retrieve the candidate passwords.

Would it be possible to reprogram a miner to do this work, or are all the current miners too specialized to perform such operations? Is there a - possibly older - miner that can be reprogrammed to do this work?

Note that this question is about reprogramming/re-utilizing a hardware device. It is not a generic question of using the Bitcoin network to perform cryptographic tasks.

I've added Litecoin to the mix. Litecoin uses scrypt, which is already a Password Based Key Derivation Function in itself, which uses PBKDF2 as underlying PRF (hope that's OK, no answers yet).

Question was closed 2015-09-24T16:55:59.253
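To make concrete what "program HMAC using a single SHA-256" and "the iterations use the same key but the data depends on the previous value" mean, here is an added example (not part of the question or any answer) that builds PBKDF2-HMAC-SHA256 from bare SHA-256 calls, reusing the HMAC inner/outer pads across every iteration, and counts the SHA-256 compression calls a device would need per candidate password. The function names are my own; the cost count assumes a salt of at most 51 bytes so that every HMAC call costs exactly two compressions once the pad states are cached.

```python
import hashlib
import struct

BLOCK = 64  # SHA-256 block size in bytes; HMAC pads the key to this length


def hmac_pads(password: bytes):
    """Derive the two HMAC key blocks once; every PBKDF2 iteration reuses them."""
    if len(password) > BLOCK:
        password = hashlib.sha256(password).digest()
    key = password.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return ipad, opad


def hmac_sha256(ipad: bytes, opad: bytes, data: bytes) -> bytes:
    """HMAC (RFC 2104) from two plain SHA-256 calls, no hmac module needed."""
    inner = hashlib.sha256(ipad + data).digest()
    return hashlib.sha256(opad + inner).digest()


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2 (RFC 2898, section 5.2) with HMAC-SHA-256 as the PRF."""
    ipad, opad = hmac_pads(password)  # key material fixed for the whole run
    out = b""
    block_index = 1
    while len(out) < dklen:
        # U_1 = PRF(P, S || INT(i)); only the data changes from here on
        u = hmac_sha256(ipad, opad, salt + struct.pack(">I", block_index))
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac_sha256(ipad, opad, u)  # U_j = PRF(P, U_{j-1})
            for k in range(32):
                t[k] ^= u[k]                # T_i = U_1 xor U_2 xor ... xor U_c
        out += bytes(t)
        block_index += 1
    return out[:dklen]


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bool:
    """Cross-check the hand-rolled version against hashlib's implementation."""
    expected = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)
    return pbkdf2_hmac_sha256(password, salt, iterations, dklen) == expected


def sha256_compressions_per_candidate(iterations: int, dklen: int = 32) -> int:
    """SHA-256 compression calls to test one password once the ipad/opad states are
    cached: 2 to build the cache, then 2 per HMAC call (one inner block, one outer
    block) for each of the c iterations of each 32-byte output block.
    Assumes len(salt) <= 51 so that salt || INT(i) fits the first inner block."""
    blocks = -(-dklen // 32)  # ceil(dklen / 32)
    return 2 + 2 * iterations * blocks
```

For the question's "high" setting of 4K iterations and a 256-bit output this comes to 8194 compressions per candidate, which is the figure to compare against a device's raw SHA-256 rate.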

@NateEldredge Good link, didn't find that reference. This is however not about the bitcoin network but about specific miners (as in: the hardware device). The answers to the other question seem only valid for the network itself. – Maarten Bodewes – 2015-09-16T13:49:44.533

Hmm, I just found out about Litecoin by browsing this site. I guess I should probably be looking at Litecoin instead of Bitcoin. scrypt uses PBKDF2 as primitive and ASICs seem to be available. – Maarten Bodewes – 2015-09-16T13:59:54.787

Note carefully the argument you refer to in the second paragraph - it isn't claiming that Bitcoin ASIC miners can themselves be used to crack SHA-256 passwords, but that they demonstrate that someone could most likely build ASIC SHA-256 crackers with comparable performance at comparable cost (or less). So security planning should assume that an adversary has access to such hypothetical ASIC crackers. – Nate Eldredge – 2015-09-16T16:45:38.847

@NateEldredge Yeah, that's the scary part, because at current speeds many passwords would be a doodle to crack. If you work at THash speeds per device, doing 4K rounds isn't that much anymore. If you could use throwaway miners it would only cost electricity - but that seems to be out of the question. – Maarten Bodewes – 2015-09-16T16:48:37.050


Would it be possible to reprogram a miner to do this work, or are all the current miners too specialized to perform such operations?

A Bitcoin mining ASIC can only do a single task, mining; it has no ability to do anything further than take an 80-byte header, hash it, and return a nonce if the result has a large enough number of zero bits. In terms of applicability to general SHA256 computing tasks, it has no relevance whatsoever. They cannot do a single SHA256, cannot return under any circumstance other than a low hash, and cannot hash arbitrary data. Scrypt-based ASICs do exist, but they are hardcoded to stupidly low parameters nobody would use for password hashing in the real world; the other caveats also apply.

Is there a - possibly older - miner that can be reprogrammed to do this work?

An FPGA can be reprogrammed to do almost any task you take the time to author a bitstream for, so it would be possible in some circumstances to use an FPGA for attacking hashes. The Bitcoin mining FPGAs that were used around 2013 do not have much relevance, however, as they were never designed for high-bandwidth performance between the host and the chip. You might have been communicating over a 9600 baud serial connection, which is too slow to send any significant amount of data across.

GPUs are generally used for this sort of task instead, where you have extremely fast and low-latency connections to the CPU and a high degree of concurrency for computing hashes. The efficiency is not as high as dedicated hardware (FPGA or ASIC), but they are commodity devices which can be used for a lot more of these sorts of tasks. A high-end card can compute on the order of half a billion SHA256 hashes a second when the input is only several compression rounds long, though it will burn upwards of 400W while doing so.

So, if I understand correctly, hardcoded would be ROM or actual circuits, right? Not EEPROM, flash or other stuff that can be updated using firmware. – Maarten Bodewes – 2015-09-16T14:35:43.700

An ASIC is literally transistors etched into silicon. – Anonymous – 2015-09-16T14:36:20.930

OK, that's clear, I was just unsure about the level of the interface. I presume even the ASICs have some kind of CPU that performs distribution tasks, etc. I was not sure about the actual functionality of the ASIC itself. If it can only do scrypt with the parameters for Litecoin then the search ends. If you can confirm this then I will accept the answer. Note that brute force password generation would not require much CPU power and could possibly be performed locally. – Maarten Bodewes – 2015-09-16T14:38:26.630


There's no processor on board to speak of; there are registers that take input over a serial interface, and hundreds of hashing cores in each chip which do the actual hashing. They either return a nonce or a request for new data to hash, depending on which outcome they have. In fully built machines a small computer serves work to the chips, of which there might be hundreds in total. On the chip surface, each of the pink squares is SHA256 laid out in discrete transistors: http://s.zeptobars.ru/bitfury-Si-HD.jpg A hashing board filled with chips, waiting for work: https://i.imgur.com/6CJAhwv.jpg – Anonymous – 2015-09-16T14:43:37.520

Ah super, that fully clarifies any doubt that I had. The first picture would be an interesting addition to the answer by the way. I'll have to buy a new tower rig with graphics cards it seems if I want to perform some white-hat research with regards to hashing passwords. – Maarten Bodewes – 2015-09-16T14:50:11.197