<amunroe at shiftcomm.com>
“JOHN THE RIPPER”
OPEN SOURCE PASSWORD CRACKER OFFERS INCREASED SPEED THROUGH
17 PERCENT IMPROVEMENT IN GATE COUNT FOR DATA ENCRYPTION STANDARD (DES) ALGORITHM
Moscow – June 22, 2011 – Openwall, an open source-based, professional IT and security services company, has released an updated version of “John the Ripper,” a password security auditing tool and open source project, providing the community with significant improvements in the performance of cracking password hashes based on the Data Encryption Standard (DES) algorithm on CPUs. In an effort led by Roman Rusakov and Alexander Peslyak, the Openwall team’s breakthrough for more optimal DES S-box expressions provides a 17 percent improvement over the previous best results. The S-box expressions generated under this effort are being made publicly available, are not copyrighted and are free for reuse by anyone.
“This area has been a struggle for many years,” said Alexander Peslyak, Openwall founder and CTO, and a well-known security researcher. “We are thrilled to finally have an enhanced solution. We expect, and encourage, that many of our fellow password security auditing programs that support DES-based hashes will also make use of these new S-box expressions.”
Since 1998, numerous attempts have been made to arrive at more optimal DES S-box expressions. During the past year, Openwall researchers developed an idea to approach the optimization problem differently and, as a result, were able to design and successfully implement a new algorithm that significantly improves upon the corresponding prior results. This new approach is easily adaptable to arbitrary sets of "logic gates." The team has generated different S-box expressions targeting both typical CPUs with only basic instructions and CPUs/GPUs that have "bit select" instructions. The mentioned improvement over the corresponding previous best results is achieved in both cases.
"The continued improvement of John the Ripper is important to the IT audit field in general because it allows auditors to quickly evaluate system, application and database compliance with corporate password policies based on the user account samples they have selected for an audit. A 20 percent speedup where John the Ripper is used for testing can greatly reduce the time required for password policy validation, particularly for large enterprises," said Erik Winkler, vice president of North America, ControlCase, a compliance management company.
Besides generating simpler S-box expressions in terms of gate count, efficiency of the corresponding program code was considered and thousands of different same-gate-count expressions were created to generate the best possible code for specific CPU and GPU architectures.
Further, the Openwall researchers implemented and ran special-purpose CPU register allocation and code generation algorithms with intertwined S-box expression and code generation stages, allowing for a further performance boost of the resulting program code.
“The researchers at Openwall deserve significant recognition for discovering and providing a new approach to addressing performance-critical S-box expressions. By providing this new approach free-of-charge through John the Ripper, Openwall is making another major impact on the open source and security communities,” said HD Moore, Rapid7® CSO and Metasploit chief architect.
Continuing its active engagement and support for the open source community, Rapid7, the leading provider of unified vulnerability management and penetration testing solutions, has been supporting John the Ripper for the past year in order to help complete the project’s research. As well as sponsoring the development of this latest version of John the Ripper, Rapid7 backed the recent addition of support for Intel AVX and AMD XOP instruction set extensions, as well as parallelization of the bitslice DES implementation with OpenMP (for multi-core and multi-CPU machines). Working with Openwall to support this project has also enabled the Rapid7 team to develop greater technical integration with the John the Ripper solution for upcoming versions of Metasploit®.
This sponsorship adds to Rapid7’s growing community involvement. In 2009, Rapid7 acquired the Metasploit Project, the world’s largest database of public, tested exploits, supporting the project as it became the most widely used penetration testing solution in the market with more than one million unique downloads in the past year alone. In July 2010, Rapid7 announced a sponsorship and partnership with w3af, the open source Web application attack and audit framework, to expand its collaboration with the open source community and further provide the industry with solutions for securing Web and application infrastructure.
Openwall is an open source-based company that provides businesses with cost-effective and secure solutions and services for their information technology needs, including system administration, remote server administration, system integration and consulting. Openwall’s experts manage, contribute to and use open source projects and technologies, including the John the Ripper project, a password auditing tool, and Openwall GNU/*/Linux (Owl) project, a security-enhanced Linux distribution for servers, appliances and virtual appliances. For more information about Openwall, its open source projects and commercial products, including John the Ripper Pro, please visit www.openwall.com.
Rapid7 is the leading provider of unified vulnerability management and penetration testing solutions, delivering actionable intelligence about an organization’s entire IT environment. Rapid7 offers the only integrated threat management solution that enables organizations to implement and maintain best practices and optimize their network security, Web application security and database security strategies.
Recognized as the fastest growing vulnerability management company in the U.S. by Inc. Magazine, Rapid7 helps leading organizations such as Liz Claiborne, the United States Postal Service, Carnegie Mellon University and Red Bull to mitigate risk and maintain compliance for regulations such as PCI, HIPAA, FISMA, SOX and NERC. Rapid7 also manages the Metasploit Project, the leading open-source penetration testing platform with the world’s largest database of public, tested exploits. To obtain a free download of NeXpose® or Metasploit, please visit http://www.rapid7.com/resources/free-downloads.jsp.
For more information, visit www.rapid7.com.