
New developments in password hashing: ROM-port-hard functions (building upon the ideas of scrypt and security through obesity)

Openwall
November 22, 2012


Like it or not, password authentication remains relevant (including when used as one of several authentication factors), and password hash database leaks remain a risk. To mitigate the impact of such leaks, computationally expensive (bcrypt, PBKDF2) and more recently also memory-hard (scrypt) password hashing methods have been introduced. Unfortunately, at a relatively low target running time and with the need to perform multiple authentication attempts concurrently, scrypt's memory cost ends up being unreasonably low, up to the point where scrypt may not be better than the much older bcrypt. In this talk, Solar Designer proposes and discusses the pros and cons of an alternative approach, where an arbitrarily large lookup table may be used along with any target running time and in parallel by multiple concurrent authentication attempts. With contemporary server hardware, the lookup table may occupy tens of gigabytes of RAM (using it as a site-specific ROM), which limits attackers' use of pre-existing hardware (such as botnet nodes), thereby buying the defender time. Further development of the approach lies in the use of not only RAM, but also SSDs and potentially even a NAS/SAN based on SSDs. This achieves goals similar to those of the "blind hashing" concept, later dubbed "security through obesity".
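As an added illustration that is not from the talk or from Openwall's code, the following Python toy shows the core idea: every hashing step reads one block of a site-specific ROM at a data-dependent index, so the iteration count sets the running time while the ROM size sets how much memory a verifier (or an attacker) must hold. The ROM size, the SHAKE-based ROM expansion, the HMAC chain and the sample secrets are all constructed for this demo and are not any real scheme's parameters.

```python
import hashlib
import hmac
import struct

BLOCK = 64  # bytes read from the ROM per step (constructed demo value)


def make_rom(site_seed: bytes, size: int = 1 << 20) -> bytes:
    """Expand a site secret into a large pseudorandom ROM.

    Constructed for the demo: 1 MiB here, whereas the talk envisions tens of
    gigabytes.  The ROM is generated once per site and is read-only afterwards,
    so any number of concurrent verifications can share the same copy.
    """
    return hashlib.shake_256(site_seed).digest(size)


def rom_port_hash(password: bytes, salt: bytes, rom: bytes, iterations: int) -> bytes:
    """Toy ROM-port-hard hash (constructed; not yescrypt or any real design).

    A keyed chain in which each step's ROM index depends on the running state,
    so no step can be computed without access to the block it reads.  Running
    time is governed by `iterations`, independent of the ROM size.
    """
    n_blocks = len(rom) // BLOCK
    state = hmac.new(salt, password, hashlib.sha256).digest()
    for i in range(iterations):
        idx = int.from_bytes(state[:8], "little") % n_blocks
        chunk = rom[idx * BLOCK:(idx + 1) * BLOCK]
        state = hmac.new(state, chunk + struct.pack("<I", i), hashlib.sha256).digest()
    return state


def verify(password: bytes, salt: bytes, rom: bytes, iterations: int, stored: bytes) -> bool:
    """Constant-time comparison against a stored hash."""
    return hmac.compare_digest(rom_port_hash(password, salt, rom, iterations), stored)


if __name__ == "__main__":
    rom = make_rom(b"constructed-site-secret")
    stored = rom_port_hash(b"hunter2", b"per-user-salt", rom, 1000)
    print(stored.hex())
    print("correct password:", verify(b"hunter2", b"per-user-salt", rom, 1000, stored))
    print("wrong password:  ", verify(b"hunter3", b"per-user-salt", rom, 1000, stored))
    # A leaked hash database alone is useless without the ROM it was bound to.
    other_rom = make_rom(b"some-other-site")
    print("other site's ROM:", verify(b"hunter2", b"per-user-salt", other_rom, 1000, stored))
```

The last line of the demo is the "security through obesity" point: the hash database only becomes attackable together with the multi-gigabyte ROM, and the iteration count can still be raised independently to tune cost.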
