scrypt a new key derivation function
play

scrypt: A new key derivation function Doing our best to thwart TLAs - PowerPoint PPT Presentation

Aug 22, 2023 •279 likes •507 views

scrypt: A new key derivation function Doing our best to thwart TLAs armed with ASICs Colin Percival Tarsnap cperciva@tarsnap.com May 9, 2009 Colin Percival Tarsnap cperciva@tarsnap.com scrypt: A new key derivation function scrypt: A new key

  1. scrypt: A new key derivation function Doing our best to thwart TLAs armed with ASICs Colin Percival Tarsnap cperciva@tarsnap.com May 9, 2009 Colin Percival Tarsnap cperciva@tarsnap.com scrypt: A new key derivation function

  2. scrypt: A new key derivation function Making bcrypt obsolete Colin Percival Tarsnap cperciva@tarsnap.com May 9, 2009 Colin Percival Tarsnap cperciva@tarsnap.com scrypt: A new key derivation function

  3. scrypt: A new key derivation function Are you sure your SSH keys are safe? Colin Percival Tarsnap cperciva@tarsnap.com May 9, 2009 Colin Percival Tarsnap cperciva@tarsnap.com scrypt: A new key derivation function

  4. What are key derivation functions? You have a password. You want a generate a derived key from that password. Verifying passwords for user authentication. Encrypting or signing files. In most situations where passwords are used, they are passed to a key derivation function first. In most situations where key derivation functions aren’t used, they should be! Examples of key derivation functions: DES CRYPT [R. Morris, 1979] MD5 CRYPT [P. H. Kamp, 1994] bcrypt [N. Provos and D. Mazi` eres, 1999] PBKDF2 [B. Kaliski, 2000] MD5 (not really a key derivation function!) Colin Percival Tarsnap cperciva@tarsnap.com scrypt: A new key derivation function

  5. Security of key derivation functions Attack model: Assume that the attacker can mount an offline attack. Attacker has access to /etc/master.passwd and wants to find the users’ passwords. Attacker has an encrypted file and wants to decrypt it. For all reasonable key derivation functions, the only feasible attack is to repeatedly try passwords until you find the right one. This is called a “brute force” attack. If it takes twice as long to check if a password is correct, it will take twice as long to find the right password. . . . as long as the attacker is using the same software as you. Colin Percival Tarsnap cperciva@tarsnap.com scrypt: A new key derivation function

  6. Hardware-based brute force attacks CREDIT: Randall Munroe / xkcd.com Colin Percival Tarsnap cperciva@tarsnap.com scrypt: A new key derivation function

  7. Hardware-based brute force attacks Some organizations have the resources to design and fabricate custom password-cracking integrated circuits. The US National Security Agency The UK Government Communications Headquarters? The Communications Security Establishment of Canada? The Chinese government? Organized crime? The Electronic Frontier Foundation? Using ASICs, it is possible to pack many copies of a cryptographic circuit onto a single piece of silicon. Moore’s law: Every 18–24 months, a new generation of semiconductor manufacturing processes makes CPUs faster. . . . password-cracking ASICs get faster AND can fit more copies of a password-cracking circuit. Colin Percival Tarsnap cperciva@tarsnap.com scrypt: A new key derivation function

  8. Hardware brute-force attack cost The cost of a hardware brute-force attack is meaured in dollar-seconds. Password cracking is embarrassingly parallel, so if you use twice as much hardware you can crack the key in half the time. Cost of ASICs ≍ size of ASICs. A strong key derivation function is one which can only be computed by using a large circuit for a long time. J. Kelsey, B. Schneier, C. Hall and D. Wagner, 1998: Use “32-bit arithmetic and moderately large amounts of RAM”. An example of a “moderately large amount of RAM”: 1 kB. If we use a ridiculously large amount of RAM, hardware attacks will be even more expensive. Colin Percival Tarsnap cperciva@tarsnap.com scrypt: A new key derivation function

  9. Memory-hard algorithms Definition A memory-hard algorithm on a Random Access Machine is an algorithm which uses S ( n ) space and T ( n ) operations, where T ( n ) 1 − ǫ � � S ( n ) ∈ Ω . Conceptually, a memory-hard algorithm is one which comes close to using the largest amount of storage possible for an algorithm with the same running time. . . . and consequently the largest circuit area possible. The HEKS key derivation algorithm [A.G. Reinhold, 1999] is memory-hard, but it isn’t very secure, since it can be effectively parallelized. Secure key derivation functions require a large die area and a lot of time to compute. Colin Percival Tarsnap cperciva@tarsnap.com scrypt: A new key derivation function

  10. Sequential memory-hard functions Definition A sequential memory-hard function is a function which (a) can be computed by a memory-hard algorithm on a Random Access Machine in T ( n ) operations; and (b) cannot be computed on a Parallel Random Access Machine with S ∗ ( n ) processors and S ∗ ( n ) space in expected time T ∗ ( n ) where S ∗ ( n ) T ∗ ( n ) = O ( T ( n ) 2 − x ) for any x > 0. Not only do memory-hard functions require lots of storage, but they also cannot be parallelized efficiently. If we can find a key derivation function which is sequential memory-hard, it should be very secure against hardware attack. Colin Percival Tarsnap cperciva@tarsnap.com scrypt: A new key derivation function

  11. ROMix Algorithm (ROMix) Given a hash function H, an input B, and an integer parameter N, compute V i = H i ( B ) 0 ≤ i < N and X = H N ( B ) , then iterate j ← Integerify ( X ) mod N X ← H ( X ⊕ V j ) N times; and output X. The function Integerify can be any bijection from { 0 , 1 } k to { 0 . . . 2 k − 1 } . ROMix fills V with pseudorandom values, then accesses them in a pseudorandom order. Colin Percival Tarsnap cperciva@tarsnap.com scrypt: A new key derivation function

  12. ROMix Theorem Under the random oracle model, the class of functions ROMix are sequential memory-hard. The random oracle model is a very standard assumption in proofs relating to hash functions. The proof is roughly 2 pages long. I could probably spend my entire talk explaining the proof. . . . but I won’t. If you’re interested, go read the paper I wrote about this. It’s much easier to prove that an algorithm runs in specified time and space than to prove a minimum bound on the time and space used by any algorithm which computes a function. Colin Percival Tarsnap cperciva@tarsnap.com scrypt: A new key derivation function

  13. scrypt Use PBKDF2 to convert a password into a bitstream. Feed this bitstream to ROMix. Feed the output of ROMix back to PBKDF2 to generate the derived key. Cryptographic primitives used: HMAC-SHA256 Salsa20/8 core The Salsa20/8 core outputs lots of bits very fast, which means that scrypt can use lots of memory. Approximately 1 byte of RAM per 10 clock cycles on a Core 2 processor. We can quickly require a large semiconductor area. Colin Percival Tarsnap cperciva@tarsnap.com scrypt: A new key derivation function

  14. Estimating hardware brute force attack costs It’s hard to get accurate information about how much it costs to build password-cracking machines. Oddly enough, the NSA doesn’t publish this data. The best we can do for most KDFs is to count cryptographic operations and assume that they are responsible for most of the time and die area. This is probably a fairly accurate approximation, since key derivation functions only have a very small amount of non-cryptographic computations. For scrypt we also need to look at the die area required for storage. Colin Percival Tarsnap cperciva@tarsnap.com scrypt: A new key derivation function

  15. Estimating hardware brute force attack costs Approximate circuit complexity and performance for cryptographic primitives, based on a 130 nm semiconductor process: A DES circuit with ≈ 4000 gates of logic can encrypt data at 2000 Mbps. An MD5 circuit with ≈ 12000 gates of logic can hash data at 2500 Mbps. A SHA256 circuit with ≈ 20000 gates of logic can hash data at 2500 Mbps. A Blowfish circuit with ≈ 22000 gates of logic and 4 kiB of SRAM can encrypt data at 1000 Mbps. A Salsa20/8 circuit with ≈ 24000 gates of logic can output a keystream at 2000 Mbps. I’m using 130 nm as a reference point because this is what I could get the most data for. Colin Percival Tarsnap cperciva@tarsnap.com scrypt: A new key derivation function

  16. Estimating hardware brute force attack costs Very approximate estimates of VLSI area and cost: Each gate of random logic requires ≈ 5 µ m 2 of VLSI area. Each bit of SRAM requires ≈ 2 . 5 µ m 2 of VLSI area. Each bit of DRAM requires ≈ 0 . 1 µ m 2 of VLSI area. VLSI circuits cost ≈ 0 . 1$ / mm 2 . These values are based on a 130 nm process circa 2002. These values have a very wide error margin. Non-cryptographic parts of ASICs (e.g., I/O), chip packaging, boards, power supplies, and operating costs could increase password-cracking costs by a factor of 10. Improvements in semiconductor technology since 2002 could reduce password-cracking costs by a factor of 10. Improved cryptographic circuits could reduce costs by a factor of 10. Colin Percival Tarsnap cperciva@tarsnap.com scrypt: A new key derivation function

  17. Key derivation functions Non-parameterized KDFs: DES CRYPT MD5 CRYPT MD5 KDFs tuned for interactive logins ( t ≤ 100 ms ): PBKDF2-HMAC-SHA256, c = 86000 bcrypt, cost = 11 scrypt, N = 2 14 , r = 8 , p = 1 KDFs tuned for file encryption ( t ≤ 5 s ): PBKDF2-HMAC-SHA256, c = 4300000 bcrypt, cost = 16 scrypt, N = 2 20 , r = 8 , p = 1 Running time based on a 2.5 GHz Core 2 (aka. my laptop). Colin Percival Tarsnap cperciva@tarsnap.com scrypt: A new key derivation function

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Derivation of the Laplacian in Polar Coordinates We suppose that u is a smooth function of x and y

Derivation of the Laplacian in Polar Coordinates We suppose that u is a smooth function of x and y

Derivation of the Laplacian in Polar Coordinates We suppose that u is a smooth function of x and y , and of r and . We will show that u xx + u yy = u rr + (1 /r ) u r + (1 /r 2 ) u (1) and | u x | 2 + | u y | 2 = | u r | 2 + (1 /r 2 ) | u

309 views • 3 slides
How the Concept of Shannons Derivation: . . . Shannons Derivation . . . Case of a

How the Concept of Shannons Derivation: . . . Shannons Derivation . . . Case of a

Types of Uncertainty: . . . Need to Compare . . . Traditional Amount of . . . How to Extend These . . . How the Concept of Shannons Derivation: . . . Shannons Derivation . . . Case of a Continuous . . . Information Can Be Partial

615 views • 14 slides
Architecture, Design and Implementation of a Mathematical Derivation Editor Johannes Eriksson

Architecture, Design and Implementation of a Mathematical Derivation Editor Johannes Eriksson

Architecture, Design and Implementation of a Mathematical Derivation Editor Johannes Eriksson What is the Derivation Editor? The Mathematical Derivation Editor (nicknamed Mathedit) is work in progress; it aims be a useful tool for

274 views • 24 slides
Definiton: Derivation tree Let G = ( V, T, S, P ) be a cfg. An ordered tree is called a derivation

Definiton: Derivation tree Let G = ( V, T, S, P ) be a cfg. An ordered tree is called a derivation

Definiton: Derivation tree Let G = ( V, T, S, P ) be a cfg. An ordered tree is called a derivation tree for G if the root is labelled S every interior vertex has a label from V Every leaf has a label from T { } If a vertex has

371 views • 11 slides
Overview 1. Simple calculus calculating language for mathemetical function evaluation, derivation

Overview 1. Simple calculus calculating language for mathemetical function evaluation, derivation

COMS W4115 Project Calcul 2 Junde Huang (jh3419) Kewei Ge (kg2481) Jinxi Zhao (jz2540) Wenting Yin (wy2214) Zhan Shu (zs2242) Final Report http://t.cn/8k0USe2 Overview 1. Simple calculus calculating language for mathemetical function

613 views • 10 slides
A Derivation System for Security Protocols and its Logical Formalization Anupam Datta Ante

A Derivation System for Security Protocols and its Logical Formalization Anupam Datta Ante

A Derivation System for Security Protocols and its Logical Formalization Anupam Datta Ante Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW July 1, 2003 Contributions Protocol derivation Build

664 views • 30 slides
BY MAHMOOD SHARIF JOINT WORK WITH ORR DUNKELMAN AND RITA OSADCHY Motivation Key-Derivation:

BY MAHMOOD SHARIF JOINT WORK WITH ORR DUNKELMAN AND RITA OSADCHY Motivation Key-Derivation:

PRIVACY PRESERVING KEY-DERIVATION FROM BIOMETRICS: CLOSING THE GAP BETWEEN THEORY AND PRACTICE BY MAHMOOD SHARIF JOINT WORK WITH ORR DUNKELMAN AND RITA OSADCHY Motivation Key-Derivation: generating a secret key from information possessed by

561 views • 34 slides
Compilers Derivations Alex Aiken Derivations A derivation is a sequence of productions S

Compilers Derivations Alex Aiken Derivations A derivation is a sequence of productions S

Compilers Derivations Alex Aiken Derivations A derivation is a sequence of productions S A derivation can be drawn as a tree Start symbol is the trees root For a production X Y 1 Y n

263 views • 22 slides
Combining Models Oliver Schulte - CMPT 726 Bishop PRML Ch. 14 Combining Models: Some Theory

Combining Models Oliver Schulte - CMPT 726 Bishop PRML Ch. 14 Combining Models: Some Theory

Combining Models: Some Theory Boosting Derivation of Adaboost from the Exponential Loss Function Combining Models Oliver Schulte - CMPT 726 Bishop PRML Ch. 14 Combining Models: Some Theory Boosting Derivation of Adaboost from the Exponential

655 views • 50 slides
Chapter 12 How do you get a derivation from a Phrase Structured Grammar GV,T,S,P

Chapter 12 How do you get a derivation from a Phrase Structured Grammar GV,T,S,P

Chapter 12 How do you get a derivation from a Phrase Structured Grammar GV,T,S,P ICS 6B Suppose a phrasestructured grammar has Boolean Algebra &amp; Logic productions: S ABa, A BB, B ab, AB b 1

288 views • 8 slides
From Mathematics to Abstract Machine A formal derivation of an executable Krivine machine Wouter

From Mathematics to Abstract Machine A formal derivation of an executable Krivine machine Wouter

From Mathematics to Abstract Machine A formal derivation of an executable Krivine machine Wouter Swierstra Radboud University Nijmegen w.swierstra@cs.ru.nl This paper presents the derivation of an executable Krivine abstract machine from a

563 views • 15 slides
Derivation of 1d and 2d GrossPitaevskii equations for strongly confined 3d bosons Lea Bomann

Derivation of 1d and 2d GrossPitaevskii equations for strongly confined 3d bosons Lea Bomann

Derivation of 1d and 2d GrossPitaevskii equations for strongly confined 3d bosons Lea Bomann University of T ubingen Venice, 20 August 2019 Problem Results Limiting sequences Strategy of Proof In a nutshell Consider N interacting

449 views • 23 slides
Microscopic derivation of (non-)relativistic second-order hydrodynamics from Boltzmann Equation

Microscopic derivation of (non-)relativistic second-order hydrodynamics from Boltzmann Equation

Microscopic derivation of (non-)relativistic second-order hydrodynamics from Boltzmann Equation Teiji Kunihiro Dep. Physics, Kyoto U. based on work done with S. Ei, K. Fujii, and K. Ohnishi, K.Tsumura and Y. Kikuchi Strangeness and charm in

629 views • 50 slides
Deductive Derivation and Computerization of Semiparametric Efficient Estimation Constantine

Deductive Derivation and Computerization of Semiparametric Efficient Estimation Constantine

Deductive Derivation and Computerization of Semiparametric Efficient Estimation Constantine Frangakis, Tianchen Qian, Zhenke Wu, and Ivan Diaz Department of Biostatistics Johns Hopkins Bloomberg School of Public Health November 10, 2014

240 views • 21 slides
Finding Yourself Is The Key University of Haifa Biometric Key Derivation that Joint work

Finding Yourself Is The Key University of Haifa Biometric Key Derivation that Joint work

Orr Dunkelman, Finding Yourself Is The Key University of Haifa Biometric Key Derivation that Joint work with Mahmood Sharif and Margarita Keeps Your Privacy Osadchy Overview Motivation Background : The Fuzziness Problem

810 views • 53 slides
Function Calls Function Calls Python supports expressions with math-like functions A

Function Calls Function Calls Python supports expressions with math-like functions A

Module 3 Function Calls Function Calls Python supports expressions with math-like functions A function in an expression is a function call Function calls have the form name (x,y,) function argument name Arguments are

333 views • 20 slides
Libreswan Teaching old code new tricks! Libreswan is an IKE (Internet Key Exchange) daemon. Its

Libreswan Teaching old code new tricks! Libreswan is an IKE (Internet Key Exchange) daemon. Its

Libreswan Teaching old code new tricks! Libreswan is an IKE (Internet Key Exchange) daemon. Its origins can be traced back to the 90s. But what is IKE and why should it run on NetBSD? BSDCan 2020 Andrew Cagney freenode.net #swan cagney

681 views • 40 slides
Linear Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and

Linear Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and

Linear Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Linear Approximations and bias value Piling Up Lemma

540 views • 17 slides
Faster WAN Volume Operations with DPF Andrew Deason June 2019 OpenAFS Workshop 2019 1

Faster WAN Volume Operations with DPF Andrew Deason June 2019 OpenAFS Workshop 2019 1

Faster WAN Volume Operations with DPF Andrew Deason June 2019 OpenAFS Workshop 2019 1 Background High latency slow Rx slow AFS 32 window 1389 packetsize / 10 msRTT = 4 . 24 MiB / s 255 window 1389 packetsize / 10

295 views • 11 slides
Post-Quantum Cryptography Johannes Buchmann and Nina Bindel 16.01.2015 | 1 Public-key

Post-Quantum Cryptography Johannes Buchmann and Nina Bindel 16.01.2015 | 1 Public-key

Post-Quantum Cryptography Johannes Buchmann and Nina Bindel 16.01.2015 | 1 Public-key cryptography 16.01.2015 | 2 Public-key encryption plaintext plaintext encrypt decrypt ciphertext public secret 16.01.2015 | 3 Digital signatures

896 views • 61 slides
Achieving Keyless CDNs with Conclaves Stephen Herwig Christina Garman Dave Levin User Bank

Achieving Keyless CDNs with Conclaves Stephen Herwig Christina Garman Dave Levin User Bank

Achieving Keyless CDNs with Conclaves Stephen Herwig Christina Garman Dave Levin User Bank Content Delivery Networks host their customers websites customers origin server Content Delivery Networks host their customers websites

1.21k views • 97 slides
CS527 Software Security Introduction Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Introduction Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Introduction Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security About me Instructor: Mathias Payer Research area: system/software security Memory/type safety Mitigating control-flow

460 views • 25 slides
Obfuscation from LWE? proofs, attacks, candidates Hoeteck Wee CNRS &amp; ENS . . . . . .

Obfuscation from LWE? proofs, attacks, candidates Hoeteck Wee CNRS &amp; ENS . . . . . .

Obfuscation from LWE? proofs, attacks, candidates Hoeteck Wee CNRS &amp; ENS . . . . . . . . C x C x C x C C c obfuscation [ BGIRSVY01, H00, GR07, GGHRSW13 ] . . . . . . . . C x C x C x C C c obfuscation [

1.03k views • 92 slides
How to really obfuscate your PDF malware Sebastian Porst - ReCon 2010 Email:

How to really obfuscate your PDF malware Sebastian Porst - ReCon 2010 Email:

How to really obfuscate your PDF malware Sebastian Porst - ReCon 2010 Email: sebastian.porst@zynamics.com Twitter: @LambdaCube 1 Targeted Attacks 2008 Adobe Acrobat Reader; 28.61% Microsoft Word; 34.55% Microsoft PowerPoint; 16.87%

944 views • 52 slides

More recommend