I know I'm late to this discussion, but ...
On 2013-01-13, Caecilius <nos...@spamless.invalid> wrote:
> Drepper says that the code has been "reviewed from security teams at
> HP, IBM, Red Hat, and Sun" , and their names are listed at the top of
> the specification document here:
>
http://www.akkadia.org/drepper/SHA-crypt.txt
Somehow this is managed to evade the attention of the people I know
who study these things.
As Bill Unruh correctly pointed out, if you just compose a hash, you
will eventually hit a loop, where the result of round R is the same
as the result of round Q and you will just loop forever among Q, R,
and all of the things in between.
Assuming that the hash in a prf, then you can calculate your chances
of hitting a loop using Birthday Paradox math on the number of
rounds and the number of possible hash results. So this probably
isn't a real concern for when the number of rounds is just a few
thousands, but it does mean that the system doesn't scale and only
have a maximum number of rounds that should ever be used.
What is completely unanswered for me as I look at that document is
why they think that that scheme is better than PBKDF2, bcrypt, or
scrypt.
Now there are problems with each of those, but a quick inspection
makes me think that Drepper's scheme not only fails to improve upon
existing alternatives, but is inferior to them.
(I'm not sure how widely known scrypt was at the time that SHA-crypt
was proposed, but PBKDF2 had been a standard for a while.)
Depending on needs, if you have to use something available today, my
first recommendation would be scrypt. It is designed to be resistent
to GPU optimization and requires memory as well as time, thus
constraining paralellized attacks. It's drawbacks are that it is new
(so there is less review and fewer libraries that already implement
it for you), and that it can be hard to figure out the appropriate
parameters for your needs.
After that, I would suggest PBKDF2, but using HMAC-SHA-512 as its
prf. Although PBKDF2 wasn't designed to resist GPU optimization,
using a "wide" hash gives it some of that resistence.
bcrypt has the honor of being the first among these. I don't really
know enough about it, but I know that the developers of PBKDF2 and
scrypt were fully aware of bcyrpt, and so that we can hope that the
newer ones are at least as well designed.
PBKDF2, probably because it has been standardized, has been the
best studied, but even then that study has proved insufficient.
There is a design bug discovered in April which, under some very
limited circumstances, means that the attacker only has to perform
half as many "rounds" as the defender.
You can read about my sad experience in learning this. I'm the
"Defender" in this case.
http://blog.agilebits.com/2013/04/16/1password-hashcat-strong-master-passwords/
Also the implementation in OpenSSL fails to use an optimization
which means that if the Defender uses OpenSSL and the attacker uses
an optimized algorithm, then the attacker can use half of the number
of hash compressions as the Defender. This is also discussed in that
article.
For those who are interested in discussion and progress toward
building better password hashing schemes, please take a look at this
project
https://password-hashing.net/
and in particular at the Password Hashing Competition.
I'm sure that everyone here understands that increasing the number
of iterations of such a scheme can only get you so far. The
"strength" of the password hash goes up linearly with the number of
iterations, and it does so at a cost for the legitimate processor.
Consider if you are a large service, authenticating a large number
of clients per second. But the "strenth" gain should (under most
circumstances) increase exponentially with the length of the
password.
But while everyone here undersands that, I've found that when
discussing PBKDF2 with the public, many people want to see the
number of iterations increased even though they could get much more
bang for the buck by making their passwords stronger.
Cheers,
-j
--
Jeffrey Goldberg
http://www.goldmark.org/jeff/
I rarely read top-posted, over-quoting or HTML postings.
Reply-To address is valid.