Password hashing competition

From Wikipedia, the free encyclopedia

The Password Hashing Competition (PHC) was the selection process for a new password hashing scheme, i.e. a scheme for storing passwords or for deriving cryptographic keys from passwords. It was initiated in early 2013 by Jean-Philippe Aumasson and ended in 2015 with the recommendation to use Argon2 as the password hash function of the future.

Background

Password hashing is used when logging into a system with a password, for example after starting a computer, and when deriving cryptographic keys from passwords, for example when encrypting partitions. Only three methods are in widespread use: bcrypt, PBKDF2 and scrypt. Of these, only PBKDF2 is standardized by NIST, yet this method in particular is very vulnerable to attacks with specialized hardware such as GPUs, ASICs and FPGAs. It is less advances in cryptanalysis than developments in hardware that allow many passwords to be broken within a short time by dictionary or brute-force attacks. The newer function scrypt was designed precisely to prevent such attacks, but its use is limited, especially on web servers. The Password Hashing Competition aims to promote research in this area and to recommend one or more schemes at the end of the selection process.

Organization

The Password Hashing Competition is modeled on transparent selection processes such as the one for the AES block cipher, the eSTREAM process for selecting a stream cipher and the SHA-3 process for selecting a hash function. In contrast to all of these, the PHC is not tied to a specific institution such as NIST in the case of AES and SHA-3 or NESSIE in the case of the eSTREAM project. Its credibility rests solely on the people involved, who come from industry, universities and government institutions. The PHC had already broken this new ground before Edward Snowden revealed the NSA's influence on cryptographic standards.

The PHC was launched only three years after an official NIST recommendation on the same topic. Although this suggests a rejection of that recommendation, the PHC does not publicly criticize NIST. Talks are even said to have taken place in which NIST indicated that it would follow the selection process closely. In addition, Meltem Sonmez Turan, a NIST employee, is involved in the PHC.

People

In addition to well-known cryptologists such as Jean-Philippe Aumasson (developer of BLAKE, one of the SHA-3 finalists), developers of existing password hashing schemes are also involved, such as Colin Percival (scrypt) and Stefan Lucks (Catena). The PHC attaches great importance to including not only expertise from the defensive side but also from the "offensive" side, i.e. people who are meant to simulate future attacks, as well as security officers and people from software and hardware development, the latter especially in the area of ASICs, FPGAs and GPUs.

Finalists (second round of the process)

Nine finalists were selected from the 22 candidates in the first round:

  • Argon by Alex Biryukov and Dmitry Khovratovich consists of 5-round AES-128 encryption with a fixed key together with XOR and block mutations. Argon benefits from the AES instruction set extension of modern CPUs. Argon2 was not submitted until January 31, 2015 and uses the hash function BLAKE2b instead of the AES instruction set extension.
  • battcrypt by Steven Thomas aims to make the Blowfish cipher memory-hard. battcrypt is based on bcrypt and internally uses the hash function SHA-512.
  • Catena by Christian Forler, Stefan Lucks and Jakob Wenzel had been presented as an alternative to scrypt even before the PHC. In contrast to scrypt, Catena is immune to cache-timing attacks and also more resistant to garbage-collector attacks. Version 2.0 alternatively allows two memory-hard functions: the bit-reversal hashing operation (Catena-BRG) and the double-butterfly hashing operation (Catena-DBG).
  • Lyra2 by Marcos A. Simplicio Jr., Leonardo C. Almeida, Ewerton R. Andrade, Paulo C. F. dos Santos and Paulo S. L. M. Barreto is also based on the scrypt approach and, like the Keccak hash function (SHA-3), uses the sponge construction. The cryptocurrency Vertcoin had announced, even before the finalists were selected, that it would replace scrypt with Lyra2.
  • Makwa by Thomas Pornin allows a large part of the computation to be outsourced to external servers. Password and salt are fed as a seed into a deterministic random number generator (HMAC-DRBG), and the result is then squared several times modulo a Blum integer. As with the RSA cryptosystem, Makwa's security relies on the factorization problem.
  • Parallel by Steve Thomas performs a large number of parallel SHA-512 hash operations and is based on the idea of using GPUs and FPGAs defensively.
  • POMELO by Hongjun Wu consists solely of addition, XOR and rotation operations and does not use any existing cryptographic function. POMELO is aimed mainly against attacks with GPUs; the modified version v2 is also suited to defending against other specialized hardware thanks to its memory intensity.
  • Pufferfish by Jeremi M. Gosney is based on bcrypt, but uses 64-bit words and arbitrarily large, password-dependent S-boxes.
  • yescrypt by Alexander Peslyak is based on scrypt and also has a scrypt compatibility mode in which scrypt hash values can be computed. Among other things, yescrypt optionally offers ROM-based access, which is also intended to ward off attacks using botnets. The cryptocurrency GlobalBoost-Y uses yescrypt as its mining method.
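The Makwa entry above rests on three ideas: repeated squaring modulo a Blum integer, a shortcut available only to whoever knows the factors (which is why security reduces to factoring), and outsourcing the squarings by blinding the input. The following is an added illustration of those three ideas, not Makwa's reference code: it uses a constructed toy modulus, replaces Makwa's HMAC-DRBG seeding with a single SHA-256 call, omits Makwa's padding and post-hashing, and uses one mask pair for delegation where Makwa combines many.

```python
import hashlib
import math

# Constructed toy Blum integer n = p*q, with p and q prime and both = 3 (mod 4).
# Real Makwa uses a 2048-bit modulus; these values are for illustration only.
P, Q = 1019, 1031
assert all(v % 4 == 3 and all(v % d for d in range(2, math.isqrt(v) + 1))
           for v in (P, Q))
N = P * Q


def seed_from_password(password: bytes, salt: bytes, n: int = N) -> int:
    """Simplified stand-in for Makwa's HMAC-DRBG seeding: map (salt, password)
    to an integer 2 <= x < n."""
    digest = hashlib.sha256(salt + password).digest()
    return 2 + int.from_bytes(digest, "big") % (n - 2)


def slow_path(x: int, w: int, n: int = N) -> int:
    """Public computation: w sequential squarings, i.e. x^(2^w) mod n.
    Without the factors of n no shortcut is known (factoring problem)."""
    for _ in range(w):
        x = x * x % n
    return x


def fast_path(x: int, w: int, p: int = P, q: int = Q) -> int:
    """Private computation: whoever knows p and q reduces the exponent 2^w
    modulo p-1 and q-1 (Fermat) and recombines via CRT; cost is independent of w."""
    yp = pow(x, pow(2, w, p - 1), p)
    yq = pow(x, pow(2, w, q - 1), q)
    h = (yp - yq) * pow(q, -1, p) % p      # CRT: y = yq + q*h satisfies both
    return (yq + q * h) % (p * q)


def delegate(x: int, w: int, mask: int, mask_pow: int, n: int = N) -> int:
    """Outsource the squarings to an untrusted helper using one precomputed
    pair (mask, mask^(2^w)) with gcd(mask, n) = 1: the helper only ever sees
    x*mask. Makwa combines many such pairs per request; the principle is the same."""
    blinded = x * mask % n
    helper_answer = slow_path(blinded, w, n)       # work done by the helper
    return helper_answer * pow(mask_pow, -1, n) % n


def makwa_like_hash(password: bytes, salt: bytes, w: int) -> int:
    """Password -> seed -> 2^w-th power mod n (Makwa's post-hashing omitted)."""
    return slow_path(seed_from_password(password, salt), w)
```

With the toy modulus the slow path is instant; the point is that `fast_path` does the same work in constant time only because it holds p and q, and that the helper in `delegate` never sees the seed x.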

Winner

On July 20, 2015, it was announced that Argon2 would serve as the basis for the final winner of the Password Hashing Competition. The finalists Catena, Lyra2, Makwa and yescrypt also received special recognition for their specific positive properties. Later in 2015, Argon2 version 1.2.1 of October 1, 2015 was chosen as the winner.

Argon2

The PHC recommends choosing the winner Argon2 over all earlier algorithms in the future:

"We recommend that you use Argon2 rather than legacy algorithms."

There were initially two variants of Argon2: the Argon2i variant aims to protect against side-channel attacks, while the Argon2d variant is primarily intended to protect against GPU brute-force attacks. Argon2d was recommended for cryptocurrencies and backend server authentication, while Argon2i was recommended for frontend server authentication and hard disk encryption. When in doubt, the developers recommended using Argon2i. Both variants have three parameters that set the CPU computing time, the memory consumption and the degree of parallelism.

In March 2017, version 1.3 of the IETF document was published, which introduces the Argon2id variant as the primary variant and lists Argon2i and Argon2d only as additional variants. Argon2id is a hybrid function whose first part is resistant to cache-timing attacks, while the second part is intended to prevent a time-memory tradeoff.

A reference implementation in C89-compatible C, which runs on x86, x64 and most ARM CPUs under Windows, Linux and macOS, has been released as de facto public domain under the CC0 license.
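The three cost parameters and the variant choice described above are what a deployment actually has to decide. The following added example (not code from the PHC or the Argon2 project) shows them through the third-party argon2-cffi package, which wraps the reference implementation; the cost values are assumed for illustration, not figures from this page.

```python
import argon2
from argon2 import PasswordHasher, Type
from argon2.low_level import hash_secret_raw

# Illustrative cost settings (assumed here, not values given on the page):
# time_cost = passes over memory, memory_cost = KiB of memory, parallelism = lanes.
TIME_COST, MEMORY_KIB, PARALLELISM = 3, 64 * 1024, 4


def make_hasher(time_cost: int = TIME_COST, memory_cost: int = MEMORY_KIB,
                parallelism: int = PARALLELISM) -> PasswordHasher:
    # Argon2id: data-independent first half (Argon2i's side-channel resistance),
    # data-dependent second half (Argon2d's resistance to time-memory tradeoffs).
    return PasswordHasher(time_cost=time_cost, memory_cost=memory_cost,
                          parallelism=parallelism, type=Type.ID)


def hash_password(password: str) -> str:
    # Fresh random salt; the result is a self-describing string of the form
    # "$argon2id$v=19$m=...,t=...,p=...$<salt>$<hash>", so parameters travel with it.
    return make_hasher().hash(password)


def verify_password(encoded: str, password: str) -> bool:
    try:
        return make_hasher().verify(encoded, password)
    except argon2.exceptions.VerifyMismatchError:
        return False


def needs_rehash_under(encoded: str, **policy: int) -> bool:
    # True when the stored hash used different (e.g. weaker) parameters than
    # the current policy, so it should be re-hashed on the next successful login.
    return make_hasher(**policy).check_needs_rehash(encoded)


def variant_digests(password: bytes, salt: bytes) -> dict:
    # Same password, salt and costs; only the variant differs. The three
    # variants produce three different 32-byte outputs.
    return {
        name: hash_secret_raw(password, salt, time_cost=2, memory_cost=8 * 1024,
                              parallelism=1, hash_len=32, type=variant)
        for name, variant in (("argon2d", Type.D), ("argon2i", Type.I),
                              ("argon2id", Type.ID))
    }
```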
