Asymmetric Cryptography for Embedded Systems

14-Jun-17

Password hashing: context

• Even in a scenario with a good security policy…
  – Passwords are not sent in plaintext through the network; no keyloggers on the system; strong passwords
• … it is still possible to crack passwords via brute force: ~40 bits on average (Florencio and C. Herley, 2007)
  – Online: several tests
  – Offline: after stealing database/device
• Protection:
  – Online: (temporarily) block user
  – Offline: raise the computational cost for each test; thwart execution of several tests in parallel

Password hashing: costs

• Device/database stores:
  1. Plain passwords: attack cost = zero
  2. Hash (password): attack cost = download pre-computed table (e.g., rainbow table) or use cheap (even free) web service
  3. Hash (salt, password): attack cost = 1 hash/test
     • A few µs in modern PCs; can be done in parallel
     • GPU cluster: >10^12 hashes/h; cracks 8-char alphanumeric passwords in 5.5h... (https://securityledger.com/2012/12/new-25-gpu-monster-devours-passwords-in-seconds/)

[Figure: example credential table with columns user, password, hash, salt and salted hash (users admin and root), illustrating storage options 1, 2 and 3]

Password hashing: costs

• Password hashing (with salt)
  – Configurable costs: t seconds while using m megabytes of RAM; huge penalties if an attack trades memory for processing
  – Configuration: cost imperceptible for legitimate user, but relevant for attackers
    • Ex.: t = 1 s, m = 1 GB for local authentication (or remote if execution can be offloaded from the server to clients)
    • Ex.: t = 100 ms, m = 20 MB for server-side authentication

                 1 processing core           1000 processing cores
Algorithm        tests/s    memory usage     tests/s              memory usage
1 hash           > 10000    < 1 KiB          > 10.000.000         a few KiB
PBKDF/bcrypt     1          < 1 KiB          1000 (all cores)     a few KiB
Lyra2/Argon2     1          1 GiB            8 (992 idle cores)   8 GiB

* Configurable
Limits parallelism (e.g.: GPU clusters)

Password hashing

Lyra2: some novel features
‒ Allows legitimate users to take advantage of parallelism on CPUs, without giving much advantage to attackers using GPUs
‒ Protection against dedicated hardware: “slow hash function”, BlaMka
‒ Strong protection against side-channel attacks and against attacks using cheap memory devices (e.g., hard disks)
‒ Note: Argon2 was the winner of the Password Hashing Competition, but its design was modified after the end of the competition, making it more similar to Lyra2…
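The salted, memory-bound storage scheme and the 1000-core row of the cost table, as an added example that is not from the original slides. It assumes scrypt from Python's standard library as a stand-in memory-hard function (Lyra2 and Argon2 are not in the standard library); the helper names are hypothetical, and N = 2^14, r = 8 gives about 16 MiB per test, close to the slide's server-side setting.

```python
import hashlib
import hmac
import os

MIB, GIB = 1024**2, 1024**3

def scrypt_memory(n, r):
    """Approximate RAM for one scrypt evaluation: 128 * N * r bytes."""
    return 128 * n * r

def _derive(password, salt, n, r, p):
    # Assumption: scrypt stands in for the slides' Lyra2/Argon2.
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                          maxmem=64 * MIB, dklen=32)

def make_record(password, n=2**14, r=8, p=1):
    """Storage option 3 with a tunable cost: salt and parameters sit beside the hash."""
    salt = os.urandom(16)
    return {"salt": salt, "n": n, "r": r, "p": p,
            "hash": _derive(password, salt, n, r, p)}

def verify(record, candidate):
    """Recompute with the stored salt and cost, then compare in constant time."""
    digest = _derive(candidate, record["salt"], record["n"], record["r"], record["p"])
    return hmac.compare_digest(digest, record["hash"])

def parallel_tests(cores, ram_bytes, mem_per_test):
    """Guesses that can run at once: limited by cores and by available RAM."""
    return min(cores, ram_bytes // mem_per_test)

if __name__ == "__main__":
    # Constructed sample accounts: same password, different salts, different hashes.
    a, b = make_record("admin"), make_record("admin")
    print("same password, equal hashes?", a["hash"] == b["hash"])
    print("verify correct / wrong:", verify(a, "admin"), verify(a, "123456"))
    # The slides' 1000-core attacker with 8 GiB of RAM.
    for name, mem in [("< 1 KiB per test", 1024),
                      ("scrypt N=2^14, r=8", scrypt_memory(2**14, 8)),
                      ("1 GiB per test", GIB)]:
        print(f"{name}: {parallel_tests(1000, 8 * GIB, mem)} tests in parallel")
```

Raising the per-test memory is what turns 1000 usable cores into 8: the RAM term of `parallel_tests` becomes the limit long before the core count does.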
