[Cryptography] [PHC] Re: The proper way to hash password files

Arnold Reinhold agr at me.com
Tue May 27 18:33:50 EDT 2014


On May 27, 2014, at 4:09 PM, Bill Cox <waywardgeek at gmail.com> wrote:

> 
> If I understand this thread correctly (which is often not the case), the basic idea here is to use a special non-disclosed master key to scramble password hashes even more, making it impossible for an offline attacker without the master key to brute force guess any passwords.  This is a great idea, and should be encouraged, IMO.
> 
> This was discussed on the PHC forum (I first learned about it from the Blakerypt paper posted there), and several of the entries, including Catena, Yescrypt, Lyra2, TwoCats and others, support site-specific data fields that get hashed into the password, which can be used to support master keys.  I mention that as my favorite use for the extra parameter in my TwoCats submission.  Even with Yescrypt (the entry with the most defense features), use of such a key is probably a good idea.  A password authentication server with a 1TiB ROM still loads that ROM from disk, and if an attacker gains physical access to it (during maintenance for example), having a master key that never hits disk could be a good thing.

I would load the 1 TB ROM from a plugin hard drive module with a non-standard connector that is locked in a two-combination safe with the password authentication server, and never allow access to it from the enterprise network. I would encrypt the ROM on the hard drive with a key stored in the password authentication server, so anyone who just steals the module would have nothing. (If I understand things correctly, this is what NSA calls benign key fill.) For maintenance, I’d keep spares in a vault.

> 
> I think for large web sites like eBay, I'd prefer an authentication server with a mongo ROM and lots of defensive features, rather than a cheap USB/FPGA key.  However, for all the guys out there (like me) who couldn't realistically justify an authentication server costing many thousands of dollars, a cheap USB-dongle sounds good.
> 
> I like the idea of using an FPGA and a microcontroller, and making it all open source and easily verifiable.  I'd say just use a Raspberry Pi or work with the FreedomBox guys, if they were more easily verifiable.  Such a dongle could also potentially be used for micro-transactions and other applications, in addition to hashing passwords, or SRP.  They could be used as secondary authentication factors, too.  If we had a second access port on the "secure" side, maybe it could be used for secure end-to-end encryption (or even VPN) between parties who each have one.  I can think of lots of uses for such a device.  I want one :-)
> 
> Bill

Per previous conversations on the cryptography list, there are lots of security tools that could be built with small microprocessors. I think keeping them each focused and simple is the best approach for now.

Arnold Reinhold
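The master-key idea discussed above (a site-wide secret that is hashed into every password hash but never stored with the hash file, so an offline attacker holding only the file cannot check guesses) worked as an added example. This is not code from the thread, from Catena, yescrypt, Lyra2 or TwoCats; those entries take the key as a native parameter of the KDF, and this stand-in approximates that by wrapping the standard library's scrypt in an HMAC keyed with the master key. The scrypt cost settings, the 16-byte salt, and the use of a random in-process byte string in place of a key held in an HSM or dongle are all assumptions for the demonstration:

```python
"""Keyed ("peppered") password hashing, added example.

A site-wide master key that never touches the hash database is mixed into
every stored hash.  Someone who steals the database but not the key cannot
test guesses against it offline.  Construction here (an assumption, not any
PHC entry's native key parameter): HMAC-SHA256(master_key, scrypt(pw, salt)).
"""
import hashlib
import hmac
import os
import secrets

# scrypt cost parameters; illustrative values, tune for the real server.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def slow_hash(password: bytes, salt: bytes) -> bytes:
    """Per-user memory-hard hash.  Without a master key this is exactly what a
    stolen file exposes, and an attacker can grind guesses through it."""
    return hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=DKLEN, maxmem=64 * 1024 * 1024)


def keyed_hash(master_key: bytes, password: bytes, salt: bytes) -> bytes:
    """Value actually stored: the slow hash wrapped in an HMAC under the
    master key.  Without the key no candidate can be formed to compare."""
    return hmac.new(master_key, slow_hash(password, salt), hashlib.sha256).digest()


def enroll(master_key: bytes, password: bytes, salt: bytes = None) -> dict:
    """Create the database record for a new password (salt + keyed hash)."""
    if salt is None:
        salt = os.urandom(16)
    return {"salt": salt, "hash": keyed_hash(master_key, password, salt)}


def verify(master_key: bytes, password: bytes, record: dict) -> bool:
    """Login check on the authentication server, which holds the key."""
    candidate = keyed_hash(master_key, password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def offline_attack(records: dict, wordlist: list, master_key: bytes = None) -> dict:
    """Simulated attacker holding the stolen records and a guess list.

    With master_key=None the attacker lacks the key; the best available
    computation is the unkeyed slow hash, which never matches a keyed record,
    so even the correct password is not recognised as such.
    """
    cracked = {}
    for user, rec in records.items():
        for guess in wordlist:
            if master_key is None:
                candidate = slow_hash(guess, rec["salt"])
            else:
                candidate = keyed_hash(master_key, guess, rec["salt"])
            if hmac.compare_digest(candidate, rec["hash"]):
                cracked[user] = guess
                break
    return cracked


if __name__ == "__main__":
    # Stand-in for a key held in an HSM/dongle and never written to disk.
    master_key = secrets.token_bytes(32)
    # Constructed sample users and a constructed guess list.
    db = {"alice": enroll(master_key, b"correct horse"),
          "bob": enroll(master_key, b"hunter2")}
    guesses = [b"password", b"hunter2", b"correct horse"]
    print("legit login:", verify(master_key, b"hunter2", db["bob"]))
    print("attacker with key:   ", offline_attack(db, guesses, master_key))
    print("attacker without key:", offline_attack(db, guesses))
```

One caveat on this particular construction: because the wrapper is an HMAC, the server cannot re-key existing records to a new master key without the user's password (the slow hash is unrecoverable from the stored value), so rotation happens lazily at next login. Wrapping the slow hash with a reversible encryption under the master key instead would allow bulk re-keying, at the cost of needing an authenticated cipher rather than the standard library alone.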

