Practical Cryptography : Password Hashing

Transcript

1. Jérémy Courtial Password hashing Practical cryptography

2. The Cryptography Club’s Rules

3. Rule #1 Don’t reinvent crypto

4. Rule #2 Don’t reinvent crypto

5. Be aware of the Kerckhoffs Principle Rule #3

6. « The enemy knowns the system »

7. Forget about « security through obscurity »

8. The key is the secret

9. Passwords Management

10. Too obvious to be a rule Never store passwords

11. hash( «mypassword» ) = «AS4F8Z5DG» Hash

12. Easy to compute Can’t be reverted Generate a unique hash

    for a given message Cryptographic Hash Function

13. SHA1( password ) = hash So I just hash it

    ?
14. None

15. Password cracking Dictionary attacks 2 Brute force 1 Rainbow tables

    3

16. Precomputed & optimised tables Time-memory trade-off Crack a SHA1 in

    minutes Rainbow Tables

17. Rule #4 Always salt the password

18. hash( «mypassword» Salt )

19. Salt ) + «d$84:za» hash( «mypassword»

20. Rule #4 bis Always use a good salt

21. Should be random Should be unique Should be long enough

    (at least 16 bytes) Salt 2 1 3 Is not secret 4

22. SHA1( password + salt ) = hash Oh, easy !

23. None

24. Computing power is cheap and specialised

25. GPU & FPGA are the new enemies Moore’s Law is

    your Nemesis Multi-billions SHA1/s on a single machine Cracking

26. With only 20k $ MD5 SHA1 NTLM Hash/s 150 billions

    49 billions 311 billions Crack 8 char. passwords 12h < 48h 6h https://gist.github.com/epixoip/63c2ad11baf7bbd57544

27. Rule #5 You want your password hash function to be

    slow

28. SHA1(SHA1( password + salt )) = hash Better ?

29. None

30. SHA1( hash + salt ) x 10000 And now ?

31. None

32. Follow the rules Rule #1 Rule #2 Rule #3

33. Designed to be slow & hard to parallelised Slow as

    you want Also used for key stretching Key Derivation Function

34. That’s it ! KDF( password, salt, cost ) = hash

35. Some KDFs

36. Well supported & NIST approved Highly configurable CPU-intensive only PBKDF2

37. Password hashing function in OpenBSD More resilient to GPU Less

    configurable : fixed output length, max input length bcrypt

38. Design around RAM usage Very good against GPU/FPGA Relatively new

    (2009) scrypt

39. Rule #6 For password hashing use …

40. For certifications & support For resisting against all hardwares If

    not PBKDF2 and scrypt PBKDF2 bcrypt scrypt

41. Stay tuned Password Hashing Competition https://password-hashing.net

42. Rule #7 Tune the KDF’s cost

43. 10 ms on a multi-users system

44. At least 500ms on the client side

45. Demo by LastPass « We are confident that our encryption

    measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256… » 6/15/2015 - LastPass about compromised servers

46. On the 20k $ beast PBKDF2 with 10k iterations Hash/s

    < 10 000 Crack 8 char. passwords > 2 000 years
47. None

48. Want other than C impl. ? Good luck… Frameworks API

    are usually terrible Find some dedicated project Impl.

49. Offer two-factor authentication Make your system audited by experts Be

    prepared to be hacked Next Steps

50. Remembers rules #1 & #3 Be sure to understand it

    before using it Find the best crypto tool for your needs Conclusion

51. Bibliography Thomas Pornin on security.stackechange.com Colin Percival (scrypt author) blog

    Salted Password Hashing - Doing it Right http://crypto.stackexchange.com OWASP - Cryptographic Storage Cheat Sheet Cryptography Engineering by N. Ferguson & B. Schneier

52. Thank you Questions ? To be continued…