Book Chapter

Rig: A Simple, Secure and Flexible Design for Password Hashing

TL;DR: Rig, the password hashing framework proposed in this paper, is built from secure cryptographic hash functions, lets different functions be chosen for different phases of the construction, and keeps the memory parameter independent of the time parameter (no actual time and memory trade-off).
Abstract: Password hashing is a technique commonly implemented by a server to protect the passwords of its clients by performing a one-way transformation on each password, turning it into another string called the hashed password. In this paper, we introduce a secure password hashing framework, Rig, which is based on secure cryptographic hash functions. It provides the flexibility to choose different functions for different phases of the construction. The design of the scheme is very simple to implement in software, is flexible as the memory parameter is independent of the time parameter (no actual time and memory trade-off), and is strictly sequential (difficult to parallelize) with comparatively huge memory consumption, which provides strong resistance against attackers using multiple processing units. It supports client-independent updates, i.e., the server can increase the security parameters by updating the existing password hashes without knowing the password. Rig can also support the server relief protocol, where the client bears the maximum effort to compute the password hash while there is minimal effort at the server side. We analyze Rig and show that our proposal provides an exponential time complexity against the low-memory attack.


Citations
Book Chapter
12 Nov 2017
TL;DR: The cumulative memory cost of computing Argon2i is analyzed and a lower bound for Argon2i is provided, together with an improved attack which demonstrates that the lower bound is nearly tight.
Abstract: Argon2i is a data-independent memory hard function that won the password hashing competition. The password hashing algorithm has already been incorporated into several open source crypto libraries such as libsodium. In this paper we analyze the cumulative memory cost of computing Argon2i. On the positive side we provide a lower bound for Argon2i. On the negative side we exhibit an improved attack against Argon2i which demonstrates that our lower bound is nearly tight. In particular, we show that

29 citations

Book Chapter
29 Nov 2015
TL;DR: It is shown that using $$M^{4/5}$$ memory instead of M the authors have no time penalties and reduce the AT cost by the factor of 25, and a novel ranking tradeoff is developed and applied to yescrypt and Lyra2.
Abstract: We explore time-memory and other tradeoffs for memory-hard functions, which are supposed to impose significant computational and time penalties if less memory is used than intended. We analyze three finalists of the Password Hashing Competition: Catena, which was presented at Asiacrypt 2014, yescrypt and Lyra2. We demonstrate that Catena's proof of tradeoff resilience is flawed, and attack it with a novel precomputation tradeoff. We show that using $$M^{4/5}$$ memory instead of M we have no time penalties and reduce the AT cost by the factor of 25. We further generalize our method for a wide class of schemes with predictable memory access. For a wide class of data-dependent schemes, which addresses memory unpredictably, we develop a novel ranking tradeoff and show how to decrease the time-memory and the time-area product by significant factors. We then apply our method to yescrypt and Lyra2 also exploiting the iterative structure of their internal compression functions. The designers confirmed our attacks and responded by adding a new mode for Catena and tweaking Lyra2.

25 citations

Journal Article
TL;DR: This work proposes new and more practical honeyword generation techniques, which achieve ‘approximate flatness’, implying that the honeywords generated using these techniques are indistinguishable from passwords with high probability, and proposes a new attack model called ‘Multiple System Intersection attack considering Input’.
Abstract: Breaches of password databases have been a frequent phenomenon in the software industry. Often these breaches go undetected for years. Sometimes, even the companies involved are not aware of the breach. Even after they are detected, publicizing such attacks might not always be in the best interest of the companies. This calls for a strong breach detection mechanism. Juels et al. (in ACM-CCS 2013) suggest a method called ‘Honeywords’, for detecting password database breaches. Their idea is to generate multiple fake passwords, called honeywords, and store them along with the real password. Any login attempt with honeywords is identified as a compromise of the password database, since legitimate users are not expected to know the honeywords corresponding to their passwords. The key components of their idea are (i) generation of honeywords, (ii) typo-safety measures for preventing false alarms, (iii) alarm policy upon detection, and (iv) testing robustness of the system against various attacks. In this work, we analyze the limitations of existing honeyword generation techniques. We propose a new attack model called ‘Multiple System Intersection attack considering Input’. We show that the ‘Paired Distance Protocol’ proposed by Chakraborty et al. is not secure in this attack model. We also propose new and more practical honeyword generation techniques and call them the ‘evolving-password model’, the ‘user-profile model’, and the ‘append-secret model’. These techniques achieve ‘approximate flatness’, implying that the honeywords generated using these techniques are indistinguishable from passwords with high probability. Our proposed techniques overcome most of the risks and limitations associated with existing techniques. We prove flatness of our ‘evolving-password model’ technique through experimental analysis. We provide a comparison of our proposed models with the existing ones under various attack models to justify our claims.

20 citations

Posted Content
TL;DR: In this paper, an overview of the candidates of the Password Hashing Competition (PHC) is given regarding their functionality (e.g., client-independent update and server relief), their security (e.g., memory-hardness and side-channel resistance), and their general properties, such as memory usage and flexibility of the underlying primitives.
Abstract: In this work we provide an overview of the candidates of the Password Hashing Competition (PHC) regarding their functionality, e.g., client-independent update and server relief, their security, e.g., memory-hardness and side-channel resistance, and their general properties, e.g., memory usage and flexibility of the underlying primitives. Furthermore, we formally introduce two kinds of attacks, called Garbage-Collector and Weak Garbage-Collector Attack, exploiting the memory management of a candidate. Note that we consider all candidates which are not yet withdrawn from the competition.

15 citations

Book Chapter
08 Dec 2014
TL;DR: In this paper, an overview of the candidates of the Password Hashing Competition (PHC) is given regarding their functionality (e.g., client-independent update and server relief), their security (e.g., memory-hardness and side-channel resistance), and their general properties, such as memory usage and flexibility of the underlying primitives.
Abstract: In this work we provide an overview of the candidates of the Password Hashing Competition (PHC) regarding their functionality, e.g., client-independent update and server relief, their security, e.g., memory-hardness and side-channel resistance, and their general properties, e.g., memory usage and flexibility of the underlying primitives. Furthermore, we formally introduce two kinds of attacks, called Garbage-Collector and Weak Garbage-Collector Attack, exploiting the memory management of a candidate. Note that we consider all candidates which are not yet withdrawn from the competition.

10 citations

References
Journal Article
TL;DR: Moore's Law has become the central driving force of one of the most dynamic of the world's industries as discussed by the authors, and it is viewed as a reliable method of calculating future trends as well, setting the pace of innovation, and defining the rules and the very nature of competition.
Abstract: A simple observation, made over 30 years ago, on the growth in the number of devices per silicon die has become the central driving force of one of the most dynamic of the world's industries. Because of the accuracy with which Moore's Law has predicted past growth in IC complexity, it is viewed as a reliable method of calculating future trends as well, setting the pace of innovation, and defining the rules and the very nature of competition. And since the semiconductor portion of electronic consumer products keeps growing by leaps and bounds, the Law has aroused in users and consumers an expectation of a continuous stream of faster, better, and cheaper high-technology products. Even the policy implications of Moore's Law are significant: it is used as the baseline assumption in the industry's strategic road map for the next decade and a half.

1,649 citations

Proceedings Article
01 Feb 2000
TL;DR: The rules of thumb for the design of data storage systems are reexamined with a particular focus on performance and price/performance, and the 5-minute rule for disk caching becomes a cache-everything rule for Web caching.
Abstract: This paper reexamines the rules of thumb for the design of data storage systems. Briefly, it looks at storage, processing, and networking costs, ratios, and trends with a particular focus on performance and price/performance. Amdahl's ratio laws for system design need only slight revision after 35 years, the major change being the increased use of RAM. An analysis also indicates storage should be used to cache both database and Web data to save disk bandwidth, network bandwidth, and people's time. Surprisingly, the 5-minute rule for disk caching becomes a cache-everything rule for Web caching.

232 citations

Proceedings Article
06 Jun 1999
TL;DR: It is shown that the computational cost of any secure password scheme must increase as hardware improves, and two algorithms with adaptable cost are presented--eksblowfish, a block cipher with a purposefully expensive key schedule, and bcrypt, a related hash function.
Abstract: Many authentication schemes depend on secret passwords. Unfortunately, the length and randomness of user-chosen passwords remain fixed over time. In contrast, hardware improvements constantly give attackers increasing computational power. As a result, password schemes such as the traditional UNIX user-authentication system are failing with time. This paper discusses ways of building systems in which password security keeps up with hardware speeds. We formalize the properties desirable in a good password system, and show that the computational cost of any secure password scheme must increase as hardware improves. We present two algorithms with adaptable cost--eksblowfish, a block cipher with a purposefully expensive key schedule, and bcrypt, a related hash function. Failing a major breakthrough in complexity theory, these algorithms should allow password-based systems to adapt to hardware improvements and remain secure well into the future.

212 citations

Book Chapter
25 Jun 2013
TL;DR: BLAKE2 is presented, an improved version of the SHA-3 finalist BLAKE optimized for speed in software, which provides comprehensive support for tree-hashing as well as keyed hashing (be it in sequential or tree mode).
Abstract: We present the hash function BLAKE2, an improved version of the SHA-3 finalist BLAKE optimized for speed in software. Target applications include cloud storage, intrusion detection, or version control systems. BLAKE2 comes in two main flavors: BLAKE2b is optimized for 64-bit platforms, and BLAKE2s for smaller architectures. On 64-bit platforms, BLAKE2 is often faster than MD5, yet provides security similar to that of SHA-3: up to 256-bit collision resistance, immunity to length extension, indifferentiability from a random oracle, etc. We specify parallel versions BLAKE2bp and BLAKE2sp that are up to 4 and 8 times faster, by taking advantage of SIMD and/or multiple cores. BLAKE2 reduces the RAM requirements of BLAKE down to 168 bytes, making it smaller than any of the five SHA-3 finalists, and 32% smaller than BLAKE. Finally, BLAKE2 provides comprehensive support for tree-hashing as well as keyed hashing (be it in sequential or tree mode).

189 citations

Book Chapter
21 Feb 2005
TL;DR: This work presents a new way to construct a MAC function based on a block cipher that is a factor 2.5 more efficient than CBC-MAC with AES, while providing a comparable claimed security level.
Abstract: We present a new way to construct a MAC function based on a block cipher. We apply this construction to AES resulting in a MAC function that is a factor 2.5 more efficient than CBC-MAC with AES, while providing a comparable claimed security level.

89 citations
