Catena: A Memory-Consuming Password-Scrambling Framework
نویسندگان
چکیده
It is a common wisdom that servers should store the one-way hash of their clients’ passwords, rather than storing the password in the clear. In this paper we introduce a set of functional properties a key-derivation function (password scrambler) should have. Unfortunately, none of the existing algorithms satisfies our requirements and therefore, we introduce a novel and provably secure password scrambling framework (PSF) called Catena. Furthermore, we introduce two instantiations of Catena based on a memory-consuming one-way functions. Thus, Catena excellently thwarts massively parallel attacks on cheap memory-constrained hardware, such as recent graphical processing units (GPUs). Additionally, we show that Catena is also a good key-derivation function, since – in the random oracle model – it is indistinguishable from a random function. Furthermore, the memory-access pattern of both instantiations is password-independent and therefore, Catena provides resistance against cache-timing attacks. Moreover, Catena is the first PSF which naturally supports (1) client-independent updates (the server can increase the security parameters and update the password hash without user interaction or knowing the password), (2) an optional server relief protocol (saving the server’s resources at the cost of the client), and (3) a variant Catena-KG for secure key derivation (to securely generate many cryptographic keys of arbitrary lengths such that compromising some keys does not help to break others). We denote a password scrambler as a PSF with a certain instantiation.
منابع مشابه
The Catena Password - Scrambling Framework 2 nd Round of the Password Hashing Competition ( PHC )
متن کامل
Memory-Demanding Password Scrambling
Most of the common password scramblers hinder passwordguessing attacks by “key stretching”, e.g., by iterating a cryptographic hash function many times. With the increasing availability of cheap and massively parallel off-the-shelf hardware, iterating a hash function becomes less and less useful. To defend against attacks based on such hardware, one can exploit their limitations regarding to th...
متن کاملCatena: A Memory-Consuming Password Scrambler
It is a common wisdom that servers should better store the one-way hash of their clients’ passwords, rather than storing the password in the clear. This paper introduces Catena, a new one-way function for that purpose. Catena is memory-hard, which can hinder massively parallel attacks on cheap memory-constrained hardware, such as recent “graphical processing units”, GPUs. Furthermore, Catena ha...
متن کاملThe Catena Password-Scrambling Framework
Standards and Technologies (NIST), during his sabbatical. " Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning. " • adjusted the tweak description corresponding to the reference implementation (m and |s| are now given by byte-sized values and describe the output length and the salt length in bytes, respectively) • updated performance values f...
متن کاملCryptanalytic Time-Memory Tradeoff for Password Hashing Schemes
A cryptanalytic technique known as time-memory tradeoff (TMTO) was proposed by Hellman for finding the secret key of a block cipher. This technique allows sharing the effort of key search between the two extremes of exhaustively enumerating all keys versus listing all possible ciphertext mappings produced by a given plaintext (i.e. table lookups). The TMTO technique has also been used as an eff...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
دوره شماره
صفحات -
تاریخ انتشار 2014