[Cryptography] Security Discussion: Password Based Key Derivation for Elliptic curve Diffie–Hellman key agreement

Wed Dec 18 06:58:45 EST 2013

On 12/17/2013 4:58 PM, SafeChat.IM wrote:
> *
> Dear mailing list,
>
> A friend and me are working on a plugin that enables encryption on top 
> of Facebook messaging. The idea is to encrypt messages before they 
> leave the chat client, sending only the cipher to Facebook and decrypt 
> the message on the receiver client, before it is displayed. The plugin 
> automatically realizes which users have it installed and only encrypts 
> these chats.
> *

Very cool!

> *
> Since the reliability of the cryptographic system is a crucial part of 
> the design, I would to discuss the protocol here:
>
> First, we use PBKDF2 to derive a 256 bit data block from a passphrase 
> the user chooses and a salt (the username). We advise the user to use 
> a long and hard-to-guess passphrase. We use Parvez Anandam’s 
> JavaScript implementation [1].
> *
PBKDF2, just like TrueCrypt?  I hope you decide to have better password 
security than those guys.  The PBKDF2 key stretching in TrueCrypt is a 
joke.  You have to find an obscure option to even enable the 2000-round 
SHA256 key stretching, which provides close to no security at all.  The 
kinds of passwords your users on Facebook will actually use have very 
few bits of entropy, and can be guessed by hardware based brute force 
attacks very quickly.

To have much better password protection, take a look at the key 
stretching used in FreeCoin: scrypt.  While it is less effective at 
reducing hardware based password guessing attacks than it should be, 
it's still many thousands of times more effective than SHA-256 based key 
stretching.  I wrote some code that is like scrypt but it understands 
that we should thrash the on-chip cache while keeping the DRAM interface 
at 100% data transfer rates to more effectively beat hardware based 
password guessing.  Scrypt causes a cache miss every cycle, enabling 
hardware that does faster random access to accelerate it's key 
stretching by a factor of maybe 100.  Scrypt also has some undesirable 
properties such as needing to put scrypt parameters along side the salt, 
making it clear that the file is an script based encrypted password 
rather than random junk, reducing deniability.  My code gets around the 
weaknesses in scrypt that I perceived, but please just use scrypt rather 
than untested code. Freecoin proved scrypt works, and that's worth a 
lot.  Also, you guys will naturally do what everyone should be doing: 
perform the key stretching in the browser, not on the server.  For 
example, default Microsoft key stretching is only 1000 rounds of SHA-256 
because it's done in ASP.net on the server rather than in the browser.

Now for my tin hat conspiracy theories: Why is Microsoft so stupid about 
where to perform key stretching?  Why wont the TrueCrypt team adopt 
decent password security?  Why does PGP have 0 key stretching by 
default, and why is my SSH private key encrypted with no key stretching 
and no option to use it?  You want to encrypt Facebook traffic with real 
security?  I just have to wonder if some tall suits with dark sunglasses 
are going to convince you to do otherwise.  My other theory is people 
are really that stupid, whether they write SSH encryption code, PGP, or 
TrueCrypt.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20131218/ef066fcd/attachment.html>