At CoreLabs, we spend a lot of our time thinking about how to improve different aspects of computer security, and how to advance the state of the art. Sometimes, our ideas become part of the Core family of products. Sometimes, we investigate theoretical state-of-the-art advances to see what shakes out.
This blog post is about one of those advances.
Password cracking tables have been known and used for 30 years. They allow an attacker to pre-compute a lot of cryptographically strong hash pre-images and store them, using far less storage than it would take to store all the (hash, plaintext) pairs. Using this technique, lots of tables have been calculated, some collaboratively.
But there is a problem with all of them. If you query a server with a hash, looking for the plaintext, both the server and the client learn the resulting (hash, plaintext) pair. If this hash was derived from a password, that password is now known to a third party (the server).
We asked ourselves: how can we solve this issue? Until now, the only known solution was to host the tables oneself, but that means each attacker has to host his own tables.