Select Language

Privacy-Preserving Password Cracking: A Protocol for Secure Hash Recovery

Analysis of the 3PC protocol enabling third-party password hash cracking without revealing the hash or cleartext, using predicate encryption and decoy hashes.
strongpassword.org | PDF Size: 4.6 MB
Rating: 4.5/5
Your Rating
You have already rated this document
PDF Document Cover - Privacy-Preserving Password Cracking: A Protocol for Secure Hash Recovery
View PDF Document Download PDF Translate PDF
Home » Documentation » Privacy-Preserving Password Cracking: A Protocol for Secure Hash Recovery

Table of Contents

1. Introduction

Passwords remain the dominant form of user authentication despite industry pushes towards passwordless solutions. Storing password hashes is standard practice, but testing their strength via cracking is resource-intensive. Outsourcing this task to third-party servers introduces significant privacy risks, as both the hash digest and the recovered cleartext are exposed. This paper introduces the Privacy-Preserving Password Cracking (3PC) protocol, which allows a client to leverage a third party's computational power for hash cracking without revealing the target hash or the resulting password.

2. The 3PC Protocol

The 3PC protocol is designed to solve the trust problem in outsourced password cracking. Its core innovation lies in allowing a third party to perform the computationally intensive work while learning nothing about the client's actual data.

2.1 Core Mechanism & Predicate Function

The protocol is built upon the concept of predicate encryption, adapted for hash functions. The client does not send the target hash $H(p)$ directly. Instead, it sends an anonymity set containing the real hash mixed with $k-1$ carefully constructed decoy hashes. The third-party server's role is to crack all hashes in this set using a provided password dictionary or rule set.

The key is the predicate function $f$. The server evaluates a candidate password $p'$ against each hash in the anonymity set. The function is defined such that $f(H(p'), H_i) = 1$ if and only if $H(p')$ matches the hash $H_i$ in the set. The server returns the set of candidate passwords that satisfy $f=1$ for any hash in the set, without knowing for which specific hash (real or decoy) a match was found.

2.2 Decoy Hash Generation & Anonymity Set

Generating plausible decoys is critical for security. Decoy hashes must be indistinguishable from the real hash to the server. The paper proposes generating decoys from a distribution that matches the output space of the target hash function (e.g., NTLM, SHA-256). This ensures $k$-anonymity for the real hash. The client maintains plausible deniability, as even the client cannot cryptographically prove which hash was the original target after submitting the set.

Key Insights

  • Privacy through Obscurity in a Set: Security derives from hiding the real hash among decoys, not from traditional encryption of the hash itself.
  • Shift of Computational Burden: The client's overhead is in generating the anonymity set; the heavy lifting of brute-force/wordlist attacks is fully outsourced.
  • Constant-Time Lookup Promise: The protocol claims to allow lookup time independent of the anonymity set size $k$, bounded only by server IOPS.

3. Technical Implementation & Analysis

3.1 Mathematical Foundation

The protocol's security can be modeled probabilistically. Let $S$ be the anonymity set of size $k$, containing one real hash $H_r$ and $k-1$ decoys $H_{d1}...H_{d(k-1)}$. The probability that the server correctly guesses the real hash after observing the set and the cracking results is at most $1/k$, assuming perfect decoys.

The information leakage $\mathcal{L}$ to the server can be quantified using min-entropy: $\mathcal{L} \leq -\log_2(1/k) = \log_2(k)$ bits. The client can control leakage by adjusting $k$. The predicate function evaluation for a candidate $p'$ across all $k$ hashes can be represented as a vector: $\vec{R} = [f(H(p'), H_1), f(H(p'), H_2), ..., f(H(p'), H_k)]$. A match on any position returns $p'$ to the client.

3.2 Performance & Scalability

The paper argues that the primary bottleneck is not the cryptographic operations but the input/output operations per second (IOPS) of the server's cracking setup (e.g., GPU/FPGA memory bandwidth). Since the server must test each candidate password against all $k$ hashes, the work factor increases linearly in theory ($O(k)$). However, by leveraging efficient batch processing on parallel hardware, the effective slowdown can be minimized, approaching the claimed "constant-time" lookup for practical $k$ values.

4. Experimental Results & Chart Description

The authors implemented a proof-of-concept on an FPGA architecture. While specific performance figures are not detailed in the provided excerpt, the paper claims to demonstrate the protocol's feasibility.

Hypothetical Performance Chart (Based on Protocol Description): A line chart would likely show "Effective Cracking Speed" on the Y-axis (e.g., hashes/second) versus "Anonymity Set Size (k)" on the X-axis. The curve for a traditional attack on a single hash would be a high, flat line. The curve for the 3PC protocol would show a decline as k increases, but the slope would be less steep than a naive linear projection due to optimized batch processing on FPGA/GPU. A third line might represent the "Theoretical Upper Bound (IOPS Limit)," acting as an asymptote for the 3PC curve.

5. Analysis Framework Example Case

Scenario: A freelance penetration tester (Client) retrieves an NTLM hash from a client's system. The password policy is known: 9-character alphanumeric mix. The tester lacks the GPU power for a timely crack.

3PC Protocol Application:

  1. Client Setup: The tester sets a privacy parameter, e.g., $k=100$. The real NTLM hash is $H_{real}$. The client's software generates 99 cryptographically plausible decoy NTLM hashes, creating the anonymity set $S$.
  2. Server Engagement: The tester sends $S$ to a commercial cracking service (Server) with a request to crack all hashes using a dictionary and rules for 9-char alphanumeric passwords.
  3. Server Processing: The server runs its cracking tools. For each candidate password generated, it computes its NTLM hash and checks for a match against all 100 hashes in $S$ in a batch operation.
  4. Result Return: The server returns a list of all passwords that matched any hash in $S$. It does not specify which hash matched.
  5. Client Filtering: The tester knows the original hash $H_{real}$. They compute the hash of each returned password to identify the one that matches $H_{real}$, thus recovering the target password. The other returned passwords correspond to cracked decoys and are discarded.
The server learns only that one of 100 hashes belonged to the tester, but not which one, and sees many cracked passwords without knowing their relevance.

6. Core Insight & Analyst's Perspective

Core Insight: The 3PC protocol is a clever, pragmatic hack that turns a fundamental limitation of cryptography—the one-way nature of hash functions—into a privacy feature. It recognizes that in password cracking, the goal isn't to hide the process but to hide the target and the result within the process's inherent noise. This is less about "unbreakable" crypto and more about strategic information obfuscation, similar in spirit to how mix networks like Tor hide a message's origin within a crowd.

Logical Flow: The logic is sound but hinges on a critical, often overlooked assumption: the ability to generate perfectly indistinguishable decoys. If the server can statistically distinguish real hashes from decoys (e.g., based on frequency in prior breaches, or patterns in hash generation), the $k$-anonymity model collapses. The paper's extension of predicate encryption to hash functions is novel, but the real-world security depends more on the quality of the decoy generation algorithm than on the predicate function itself.

Strengths & Flaws: Its strength is its direct applicability to a real, underserved niche (privacy-conscious pentesters) and its relatively lightweight cryptographic overhead for the client. A major flaw, as with many privacy-preserving systems, is the trust-but-verify paradox. The client must trust the server to correctly execute the protocol and not tamper with the process (e.g., by logging intermediate states to correlate timings). Unlike advanced cryptographic protocols like Fully Homomorphic Encryption (FHE), which provides a stronger theoretical guarantee but is impractically slow (as seen in early implementations like Gentry's seminal work), 3PC trades off absolute cryptographic security for practical efficiency. This is a valid engineering trade-off, but it must be clearly communicated.

Actionable Insights: For security teams, this protocol is a viable tool for secure password audits, especially when compliance (like GDPR) restricts sharing sensitive hashes. The immediate step is to implement and audit the decoy generation module. For researchers, the next frontier is to harden the protocol against active server attacks and to integrate it with other PETs. The future isn't just about making cracking private; it's about building a suite of privacy-preserving security operations, much like the evolution from simple encryption to zero-knowledge proofs in authentication protocols. 3PC is a promising first step in that direction for offensive security.

7. Future Applications & Research Directions

  • Compliance-Driven Security Auditing: Enabling regulated industries (finance, healthcare) to conduct rigorous password strength testing across employee accounts without ever exposing password hashes, even to internal audit teams, aiding GDPR/CCPA compliance.
  • Federated Hash Analysis: Multiple organizations could collaboratively contribute to a cracking effort against a shared threat actor's password dump (e.g., from a ransomware group) without any participant revealing their own internal hashes or seeing others'.
  • Integration with Password Breach Alerting Services: Users could submit an anonymity set derived from their password hashes to a service like "Have I Been Pwned" without revealing the actual hash, enhancing privacy for breach checking.
  • Research Direction - Post-Quantum Resilience: Investigating the protocol's security in a post-quantum context. While hash functions themselves may be quantum-resistant, the decoy generation and predicate function mechanisms need analysis against quantum adversarial models.
  • Research Direction - Active Adversary Models: Extending the security model to consider actively malicious servers that deviate from the protocol (e.g., by introducing side-channels) is crucial for real-world adoption.

8. References

  1. Bonneau, J., Herley, C., van Oorschot, P. C., & Stajano, F. (2012). The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. IEEE Symposium on Security and Privacy.
  2. FIDO Alliance. (2022). FIDO: The Future of Fast, Secure, Passwordless Sign-Ins. https://fidoalliance.org/
  3. Gentry, C. (2009). A fully homomorphic encryption scheme (Doctoral dissertation, Stanford University). (For comparison on computational privacy techniques).
  4. NIST. (2020). Digital Identity Guidelines (NIST Special Publication 800-63B).
  5. Weir, M., Aggarwal, S., de Medeiros, B., & Glodek, B. (2009). Password cracking using probabilistic context-free grammars. IEEE Symposium on Security and Privacy.
  6. Zhao, F., & Halderman, J. A. (2019). Measuring the Impact of Password Strength on Guessing Attacks. USENIX Security Symposium.