Key stretching: Difference between revisions

In cryptography, key stretching refers to techniques used to make a possibly weak key, typically a password or passphrase, more secure against a brute force attack by increasing the time it takes to test each possible key. Passwords or passphrases created by humans are often short or predictable enough to allow password cracking. Key stretching makes such attacks more difficult.

Key stretching is sometimes referred to as "key strengthening", although the latter term originally referred to another technique with significantly different security and performance properties^[vague] (see section 6 of^[1] for a comparison).

Key stretching techniques generally work as follows. The initial key is fed into an algorithm that, running on a given speed of processor, takes a known constant time to apply. The algorithm is constructed so that the delay introduced is acceptable to most users, say one second on a typical personal computer. The output is the enhanced key. The enhanced key should be of sufficient size to make it unfeasible to break by brute force (e.g. at least 128 bits). The overall algorithm used should be secure in the sense that there should be no known way of taking a shortcut that would make it possible to calculate the enhanced key in less time (less processor work) than by using the key stretching algorithm itself.

The key stretching process leaves the attacker with two options: either try every possible combination of the enhanced key (infeasible if the enhanced key is long enough), or else try likely combinations of the initial key. In the latter approach, if the initial key is a password or a passphrase, then the attacker would first try every word in a dictionary or common password list and then try all character combinations for longer passwords. Key stretching does not prevent this approach, but the attacker has to spend much more time on each attempt.

If the attacker uses the same class of hardware as the user, each guess will take the same amount of time to process as it took the user (for example, one second). Even if the attacker has much greater computing resources than the user, the key stretching will still slow the attacker down, since the user's computer only has to compute the stretching function once upon the user entering his/her password, whereas the attacker must compute it for every guess in the attack.

There are several ways to perform key stretching. A cryptographic hash function or a block cipher may be repeatedly applied in a loop (see pseudo code below). In applications where the key is used for a cipher, the key schedule (key set-up) in the cipher may be modified so that it takes one second to perform.

A related technique, salting, protects against time-memory tradeoff attacks and is often used in conjunction with key stretching.

Hash based key stretching

A collision prone simple key stretching method^{[citation needed]}:

key = hash(password)
for 1 to 65536 do
  key = hash(key)

A better simple key stretching method^{[citation needed]}. ("+" denotes the operation of concatenation):

key = ""
for 1 to 65536 do
  key = hash(key + password)

Even better method with a salt^{[citation needed]}:

key = ""
for 1 to 65536 do
  key = hash(key + password + salt)

Many libraries provide functions which perform key stretching as part of their function; see crypt(3) for an example. Note that PBKDF2 is not for generating a hash of a password^{[dubious – discuss]}, but an encryption key from a password. PBKDF2 can be used for both if the number of output bits is less than or equal to the internal hashing algorithm used in PBKDF2 which is usually SHA-1 (160 bits).

Strength and time

For these examples assume that the slowest personal computers in use today (2011) can do about 65000 SHA-1 hashes in one second using compiled code.^{[citation needed]} Thus a program that uses key stretching can use 65000 rounds of hashes and delay the user for at most one second.

Testing a trial password or passphrase typically requires one hash operation. But if key stretching was used, the attacker must compute a strengthened key for each key they test, meaning there are 65000 hashes to compute per test. This increases the attacker's workload by a factor of 65000, approximately 2¹⁶ operations, which means the enhanced key is "worth" about an additional 16 bits in key strength.

The commonly accepted Moore's law implies that computer speed doubles about every 1.5 years. Under this assumption, every 1.5 years one more bit of key strength is plausibly brute-forcible. This implies that 16 extra bits of strength is worth about 16×1.5 = 24 years later cracking, but it also means that the number of key stretching rounds a system uses should be doubled about every 1.5 years to maintain the same level of security. (Since most keys are more secure than necessary, systems that require consistent deterministic key generation will likely not update the number of iterations used in key stretching. In such a case, the designer should take into consideration how long they wish for the key derivation system to go unaltered and should choose an appropriate number of hashes for the lifespan of the system.)

An important consideration to be made is that CPU-bound hash functions are still vulnerable to hardware implementations. For example, the literature provides efficient hardware implementations of SHA-1 in as low as 5000 gates, and able to produce a result in less than 400 clock cycles.^[2] Since multi-million gate FPGAs can be purchased at less than $100 price points,^[3] it follows that an attacker can build a fully unrolled hardware cracker for about $5000.^{[citation needed]} Such a design, if clocked at 100 MHz can try about 300,000 keys/second for the algorithm proposed above. The attacker is free to choose a good price/speed compromise, for example a 150,000 keys/second design for $2500.^{[citation needed]} It's worth noting that the key stretching still slows down the attacker in such a situation, i.e. a $5000 design attacking a straight SHA-1 hash would be able to try 300,000×2¹⁶ = 20 billion keys/second.^{[citation needed]}

To alleviate this problem, the use of memory bound cryptographic functions has been proposed. These functions access large amounts of memory in an unpredictable fashion such that caches are ineffective. Since large amounts of low latency memory are very expensive, or downright impossible with current technology, the would-be attacker is significantly deterred.

History

The first deliberately slow password-based key derivation function was called "CRYPT" and was published by Robert Morris in 1978 for encrypting Unix passwords.^[4] It used an iteration count of 25, a 12-bit salt and a variant of DES as the sub-function. (DES proper was avoided in an attempt to frustrate attacks using standard DES hardware.) It also limited passwords to a maximum of eight ASCII characters. While it seemed a great advance at the time, CRYPT(3) is now considered inadequate. The iteration count, designed for the PDP-11 era, is too low, 12 bits of salt is an inconvenience but does not stop precomputed dictionary attacks, and the 8 character limit prevents the use of stronger passphrases.

Modern password-based key derivation functions, such as PBKDF2 (specified in RFC 2898), use a cryptographic hash, such as MD5 or SHA1, more salt (e.g. 64 bits) and a high iteration count (often 1000 or more). There have been proposals, such as scrypt^[5] to use algorithms that require large amounts of computer memory and other computing resources to make custom hardware attacks more difficult to mount.

In 2009, a new key strengthening algorithm, scrypt, was introduced that demands large amounts of memory to evaluate, limiting the use of custom, highly parallel hardware to speed up key testing.^[6]

Some systems that use key stretching

• PGP, GPG encryption software.
• Wi-Fi Protected Access (WPA and WPA2) wireless encryption protocol in personal mode.
• Some but not all disk encryption software: (See comparison of disk encryption software)
• KeePass, an open source Password manager utility.
• KeePassX, a cross platform (OSX, Linux, Windows) open source password manager.
• Apache .htpasswd "APR1" and OpenSSL "passwd" use 1000 rounds of MD5 key stretching.

See also

• PBKDF2 - a widely used key stretching algorithm
• Key derivation function - Often uses key stretching.
• Hashcash - A somewhat related method.

References

1. Secure Applications of Low-Entropy Keys, J. Kelsey, B. Schneier, C. Hall, and D. Wagner (1997)
2. http://events.iaik.tugraz.at/RFIDSec08/Papers/Publication/04%20-%20ONeill%20-%20Low%20Cost%20SHA-1%20-%20Slides.pdf
3. http://www.xilinx.com/prs_rls/silicon_spart/0333spartan3.htm
4. Morris, Robert; Thompson, Ken (1978-04-03). "Password Security: A Case History". Bell Laboratories. Retrieved 2011-05-09.
5. Scrypt http://www.tarsnap.com/scrypt/scrypt.pdf
6. scrypt: A new key derivation function, Colin Percival, BSDCan 2009, accessed 2011-2-1

• A Password Stretching Method with User Specific Salts by ChangHee Lee and Heejo Lee (2007)
• RFC 2898

External links

• PHP implementation to get a strong hash from a weak password