A Future-Adaptable Password Scheme

THE ADVANCED COMPUTING SYSTEMS ASSOCIATION

The following paper was originally published in the Proceedings of the FREENIX Track: 1999 USENIX Annual Technical Conference, Monterey, California, USA, June 6–11, 1999.

Niels Provos and David Mazières, The OpenBSD Project

© 1999 by The USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for noncommercial reproduction of the work for educational or research purposes. This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. For more information about the USENIX Association: Phone: 1 510 528 8649, FAX: 1 510 548 5738, Email: [email protected], WWW: http://www.usenix.org

Niels Provos and David Mazières
{provos,dm}@openbsd.org
The OpenBSD Project

Abstract

Many authentication schemes depend on secret passwords. Unfortunately, the length and randomness of user-chosen passwords remain fixed over time. In contrast, hardware improvements constantly give attackers increasing computational power. As a result, password schemes such as the traditional UNIX user-authentication system are failing with time.

This paper discusses ways of building systems in which password security keeps up with hardware speeds. We formalize the properties desirable in a good password system, and show that the computational cost of any secure password scheme must increase as hardware improves. We present two algorithms with adaptable cost—eksblowfish, a block cipher with a purposefully expensive key schedule, and bcrypt, a related hash function. Failing a major breakthrough in complexity theory, these algorithms should allow password-based systems to adapt to hardware improvements and remain secure well into the future.

1 Introduction

As microprocessors grow faster, so does the speed of cryptographic software. Fast cryptography opens many opportunities for making systems more secure. It renders encryption usable for a wide range of applications. It also permits larger values of tunable security parameters such as key length. Increasing security parameters makes cryptography exponentially or at least superpolynomially more difficult to break, dwarfing any benefit faster hardware may offer attackers. Unfortunately, one security parameter—the length and entropy of user-chosen passwords—does not scale at all with computing power. While many systems require users to choose secret passwords for authentication, few actually adapt their algorithms to preserve security in the face of increasingly powerful attackers.

One widespread use of passwords, and a good example of failure to adapt, is the UNIX password system. UNIX, a multi-user operating system, requires users to prove their identity before accessing system resources. A user typically begins a session by providing her username and secret password to a login program. This program then verifies the password using a system-wide password file. Given the importance of keeping passwords secret, UNIX does not store plaintext passwords in this file. Instead, it keeps hashes of passwords, using a one-way function, crypt [9], that can only be inverted by guessing preimages. To verify a password, the login program hashes the password and compares the result to the appropriate hash in the password file.

At the time of deployment in 1976, crypt could hash fewer than 4 passwords per second. Since the only known way of inverting crypt is to guess preimages, the algorithm made passwords very difficult to recover from their hashes—so much so, in fact, that the designers of UNIX felt comfortable leaving the password file readable by all users. Today, over 20 years later, a fast workstation with heavily optimized software can perform over 200,000 crypt operations per second. Attackers can now expediently discover plaintext passwords by hashing entire dictionaries of common passwords and comparing the results to entries in a password file. crypt nonetheless still enjoys widespread use, and legacy software even forces many sites to keep their password files readable by all users.

Today we have authentication schemes considerably more sophisticated than the UNIX password file. In practice, however, implementations of these schemes still often depend on users remembering secret passwords. There are alternatives, such as issuing special authentication hardware to users or giving them printed lists of randomly generated access codes, but these approaches generally inconvenience users or incur additional cost. Thus, passwords continue to play an important role in the vast majority of user-authentication systems.

This paper discusses ways of building systems in which password security keeps up with hardware speeds. We present two algorithms with adaptable cost—eksblowfish, a block cipher with a purposefully expensive key schedule, and bcrypt, a related hash function. Failing a major breakthrough in complexity theory, these algorithms should allow password-based systems to adapt to hardware improvements and remain secure 20 years into the future.

The rest of the paper is organized as follows. In Section 2, we discuss related work on password security. In Section 3, we explain the requirements for a good password scheme. Section 4 presents eksblowfish, a 64-bit block cipher that lets users tune the cost of the key schedule. Section 5 introduces the variable-cost bcrypt password hashing function and describes our implementation in the OpenBSD operating system. Finally, Section 6 compares bcrypt to two widely-used password hashing functions.

2 Related Work

Password guessing attacks can be categorized by the amount of interaction they require with an authentication system. In on-line attacks, the perpetrator must make use of an authentication system to check each guess of a password. In off-line attacks, an attacker obtains information—such as a password hash—that allows him to check password guesses on his own, with no further access to the system. On-line attacks are generally considerably slower than off-line ones. Systems can detect on-line attacks fairly easily and defend against them by slowing the rate of password checking. In contrast, once an attacker has obtained password verification information, the only protection a system has from off-line attacks is the computational cost of checking potential passwords.

Techniques for mitigating the threat of off-line password guessing generally aspire to one of two goals—limiting a system's susceptibility to off-line attacks or increasing their computational cost. As a simple example of the former, many modern UNIX systems now keep password hashes secret from users, storing them in a read-protected shadow password file rather than in the standard openly readable one.

Much of the work on preventing off-line password attacks has centered around communication over insecure networks. If cryptographic protocols rely on user-chosen passwords as keys, they may open themselves up to off-line guessing attacks. Gong et al. [7] suggest several protocol design tricks to thwart password guessing by network attackers. Unfortunately, their most interesting proposals require encryption algorithms with unusual and difficult to achieve properties.

Several people have designed secure password protocols that let users authenticate themselves over insecure networks without the need to remember or certify public keys. Bellovin and Merritt [2, 3] first proposed the idea, giving several concrete protocols putatively resistant to off-line guessing attacks. Patel [11] later cryptanalyzed those protocols, but people have since continued developing and refining others in the same vein. More recent proposals such as SRP [16] show promise of being secure.

Of course, even a secure password protocol requires some server capable of validating users with correct passwords. An attacker who obtains that server's secret state can mount an off-line guessing attack. Because secure password protocols require public key cryptography [8], they do have a tunable key length parameter. However, this parameter primarily controls the difficulty of mounting off-line attacks without a server's secret state; it only indirectly affects the cost of an off-line attack given that state. Tuning key length to preserve password guessing costs would have other unintended consequences, for instance increasing message sizes and costing servers unnecessary computation. By combining a scheme like SRP with the bcrypt algorithm presented in this paper, however, one can vary the cost of guessing passwords independently from most other properties of the protocol.

Whatever progress occurs in preventing off-line attacks, one can never rule them out entirely. In fact, the decision to have an openly readable password file was not an oversight on the part of the UNIX system designers [9]. Rather, it was a reaction to the difficulty of keeping the password file secret in previous systems, and to the realization that a supposedly secret password file would need to resist off-line guessing anyway. This realization remains equally true today. Aside from the obvious issues of backup tape security, attackers who compromise UNIX machines routinely make off with the list of hashed passwords, whether shadowed or not.

A poor hashing algorithm not only complicates recovery from break-ins, it also endangers other machines.

than schemes more closely tied to passwords. For example, without modifying the core protocols, ssh could easily employ the eksblowfish algorithm pro-
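The introduction's description of crypt (hash the password, compare against the stored hash) and Section 2's observation that, once hashes leak, the only remaining protection is the cost of checking each guess, together motivate the paper's central design point: the cost must be a parameter stored alongside each hash, so it can be raised as hardware gets faster without invalidating existing entries. The following is an added illustration of that storage-and-upgrade pattern, not code from the paper or from OpenBSD; it does not implement eksblowfish or bcrypt. PBKDF2-HMAC-SHA256 from Python's standard library stands in for the expensive key schedule, the `$pbkdf2$<cost>$<salt>$<hash>` string format, the names `hash_password`, `verify_password`, `needs_rehash` and `login`, and the policy value `CURRENT_COST` are all assumptions made for the example, and the cost is logarithmic (cost c means 2**c iterations) to mirror how bcrypt's cost is expressed.

```python
"""Adaptable-cost password storage, illustrating the paper's thesis.

Added example, not the paper's eksblowfish/bcrypt code.  PBKDF2-HMAC-SHA256
stands in for the purposefully expensive key schedule; what is demonstrated
is that the cost is recorded with each hash, that any stored hash remains
verifiable under a later policy, and that hashes below policy are upgraded
the next time the user presents the password.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Site policy: the cost every hash stored from now on must meet.  Constructed
# value for the example; a deployment raises it as hardware speeds up.
CURRENT_COST = 12          # cost c means 2**c iterations (bcrypt-style log2 cost)
DIGEST_LEN = 32            # bytes of PBKDF2 output kept
SALT_LEN = 16


def hash_password(password: str, cost: int = CURRENT_COST,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing "$pbkdf2$<cost>$<salt>$<hash>" string.

    Storing cost and salt next to the hash is what makes the scheme
    future-adaptable: the verifier can recompute any hash it ever stored,
    whatever policy was in force when that hash was created."""
    if not 4 <= cost <= 31:
        raise ValueError("cost must be between 4 and 31")
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, 2 ** cost, DIGEST_LEN)
    return "$pbkdf2$%d$%s$%s" % (
        cost,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def parse_stored(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored string into (cost, salt, digest); reject other formats."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "pbkdf2":
        raise ValueError("unrecognised hash format")
    return int(parts[2]), base64.b64decode(parts[3]), base64.b64decode(parts[4])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored cost and salt; compare in constant time."""
    cost, salt, expected = parse_stored(stored)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, 2 ** cost, len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, policy_cost: int = CURRENT_COST) -> bool:
    """True when the hash was made under a cheaper policy than the current one."""
    cost, _, _ = parse_stored(stored)
    return cost < policy_cost


def login(password: str, stored: str,
          policy_cost: int = CURRENT_COST) -> Tuple[bool, str]:
    """Verify, and on success return the (possibly upgraded) string to store.

    The plaintext is only available at login, so that is the moment a
    below-policy hash can be replaced by one at the current cost."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored, policy_cost):
        return True, hash_password(password, policy_cost)
    return True, stored


if __name__ == "__main__":
    # Constructed walk-through: a hash made under an older policy (cost 8)
    # is upgraded to CURRENT_COST the next time the user logs in.
    old = hash_password("correct horse battery staple", cost=8)
    ok, new = login("correct horse battery staple", old)
    print("verified:", ok, "upgraded:", new != old,
          "stored cost now:", parse_stored(new)[0])
```

Two details are worth noting. Every guess an off-line attacker makes must pay the same 2**cost iterations the verifier pays, so raising the policy by one doubles the attacker's work per guess at the price of one extra doubling per legitimate login; and because an old hash is never rejected merely for being below policy, the upgrade is transparent to users.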
