Password Hashing Competition winner and special recognitions (opens in new tab)

(groups.google.com)

89 pointsearthrise10y ago21 comments

21 comments

16 comments · 5 top-level

tyho10y ago· 6 in thread

Impressive stuff. One of the features of the winner is that you can offload the expensive computation to a client and still maintain the security you would have if it were done on the server. This should hopefully persuade people to use slow hash functions where they otherwise would not due to performance concerns.

ultramancool10y ago

It also allows client-independent strengthening of the hashes, so you don't have to wait for users to login again to be able to increase the strength of all existing hashes.

CWuestefeld10y ago

That's a pretty compelling feature.

nly10y ago

This is trivial to achieve with any hash function.

1 more reply

nullc10y ago

Being able to have the client (which knows the password it offered) do this computation isn't something super special though-- it's something that could be done fine with pbkdf2-- for example.

If fancy client support is really an option it would usually be better to use a zero-knoweldge authentication protocol (like SRP), though one of these KDFs could be used as a preprocessing step.

baby10y ago

> One of the features of the winner is that you can offload the expensive computation to a client and still maintain the security you would have if it were done on the server

Can't you do that with any password hashing alg?

AngrySkillzz10y ago

Yeah, I've heard it called "server relief." Slow password hash is computed on the client, then transmitted to the server and run through a fast hash before being stored.

biot10y ago· 3 in thread

What tools are typically used to develop these algorithms? The site has https://password-hashing.net/faq.html#qd which mentions attempts to formally define the security of a good algorithm though a quick scan of the two papers indicates the definitions are mathematical properties described in English. However, when it comes to implementations is there a generally accepted language/framework in which correctness can be proven? Haskell comes to mind as one such language which its proponents tout as ensuring correctness, though I lack the experience to determine whether this means "your broken algorithm runs 100% correctly" vs. "a broken algorithm will not compile".

ReidZB10y ago

Typically, cryptographic primitives (like block ciphers, hash functions, KDFs, etc) are written in C. Bugs are caught solely by the use of a sharp mind and careful reading.

There are really two reasons for this: (1) optimization is a really big deal; some impls go so far as to have asm for specific architectures or use architecture-specific features like SSE2 and (2) there really isn't very much code for a cryptographic primitive, typically <=1000 lines. (e.g., see https://github.com/khovratovich/Argon2/tree/master/Argon2i/r...).

Once a simple reference implementation is hand-checked, it can be used to generate comprehensive test vectors for other implementations.

This isn't my area of expertise, but I believe there's some research in applied crypto for implementation verification. I know https://github.com/GaloisInc/cryptol is a language that's supposed to help in that regard, but I don't know offhand who all uses that.

technion10y ago

The other reason for C is that the reference implementation is generally expected to eventually have bindings for every other language - a new standard won't flourish if you find out it's hard access to it in your choice of language.

If you can also write an implementation in something such as Haskell, verifying the input/output between the two implementations is a great way to assure it works as expected.

ufo10y ago

Low-level crypto stuff such as block cyphers and hashing functions is usually done in C or assembly language. One of the biggest reasons is that its very hard to avoid timing attacks on higher level languages (when a computation takes a different time to run depending on the inputs an attacker can extract some info about secrets you control). Performance is also really important because the bad guys will use whatever means necessary to speed up their brute-forcing and you don't want to give them too much of an edge.

Another reason for C and assembly is that when everything your algorithm manipulates is a bunch of bytes you don't get much advantage from a type system.

agl10y ago· 2 in thread

Here is the spec for the winner: https://password-hashing.net/submissions/specs/Argon-v2.pdf

ReidZB10y ago

To be clear, that isn't the final spec. AFAIK, we don't yet know the extent of changes that may be made to Argon2. The email says that Argon2 will be the "basis" for the final winner, which could have some interesting results.

ademarre10y ago

> Argon2 will be the "basis" for the final winner

I expect there will be a long review period before the winner is considered suitable for common use. It reminds me of the backlash at NIST for some late changes to the SHA-3 winner, Keccak: https://en.wikipedia.org/wiki/SHA-3#NIST_announcement_contro...

2 more replies

ReidZB10y ago

Hmm. I didn't expect this announcement this soon - at least on the public mailing list, the notion of a winner still seemed very far away. Just 18 days ago: https://groups.google.com/forum/#!searchin/crypto-competitio...

Anyway, as best as I could tell, the consensus on the public mailing list was that the best case for a singular winner would be an amalgamation of four finalists: Argon2, Lyra2, Catena, and yescrypt. Each of them has some properties that are desirable. I'm curious to what extent Argon2 will be modified - and especially curious if the final spec will have tunable parameters / multiple modes or be a one-size-fits-all deal.

Edit: If you're interested in more information, a decent starting place is this paper: https://eprint.iacr.org/2014/881.pdf If you folks want more reading material, I can pull some emails from the mailing list

guelo10y ago

For those like me that weren't aware of this competition here's their website with more info https://password-hashing.net/

j / k navigate · click thread line to collapse

21 comments

16 comments · 5 top-level

tyho10y ago· 6 in thread

ultramancool10y ago

It also allows client-independent strengthening of the hashes, so you don't have to wait for users to login again to be able to increase the strength of all existing hashes.

CWuestefeld10y ago

That's a pretty compelling feature.

nly10y ago

This is trivial to achieve with any hash function.

1 more reply

nullc10y ago

Being able to have the client (which knows the password it offered) do this computation isn't something super special though-- it's something that could be done fine with pbkdf2-- for example.

If fancy client support is really an option it would usually be better to use a zero-knoweldge authentication protocol (like SRP), though one of these KDFs could be used as a preprocessing step.

baby10y ago

> One of the features of the winner is that you can offload the expensive computation to a client and still maintain the security you would have if it were done on the server

Can't you do that with any password hashing alg?

AngrySkillzz10y ago

Yeah, I've heard it called "server relief." Slow password hash is computed on the client, then transmitted to the server and run through a fast hash before being stored.

biot10y ago· 3 in thread

ReidZB10y ago

Typically, cryptographic primitives (like block ciphers, hash functions, KDFs, etc) are written in C. Bugs are caught solely by the use of a sharp mind and careful reading.

Once a simple reference implementation is hand-checked, it can be used to generate comprehensive test vectors for other implementations.

technion10y ago

If you can also write an implementation in something such as Haskell, verifying the input/output between the two implementations is a great way to assure it works as expected.

ufo10y ago

Another reason for C and assembly is that when everything your algorithm manipulates is a bunch of bytes you don't get much advantage from a type system.

agl10y ago· 2 in thread

Here is the spec for the winner: https://password-hashing.net/submissions/specs/Argon-v2.pdf

ReidZB10y ago

ademarre10y ago

> Argon2 will be the "basis" for the final winner

2 more replies

ReidZB10y ago

guelo10y ago

For those like me that weren't aware of this competition here's their website with more info https://password-hashing.net/

j / k navigate · click thread line to collapse