Abstract
Password Hashing, a technique commonly implemented by a server to protect passwords of clients, by performing a one-way transformation on the password, turning it into another string called the hashed password. In this paper, we introduce a secure password hashing framework Rig which is based on secure cryptographic hash functions. It provides the flexibility to choose different functions for different phases of the construction. The design of the scheme is very simple to implement in software and is flexible as the memory parameter is independent of time parameter (no actual time and memory trade-off) and is strictly sequential (difficult to parallelize) with comparatively huge memory consumption that provides strong resistance against attackers using multiple processing units. It supports client-independent updates, i.e., the server can increase the security parameters by updating the existing password hashes without knowing the password. Rig can also support the server relief protocol where the client bears the maximum effort to compute the password hash, while there is minimal effort at the server side. We analyze Rig and show that our proposal provides an exponential time complexity against the low-memory attack.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Password Hashing Competition (PHC) (2014). https://password-hashing.net/index.html
Almeida, L.C., Andrade, E.R., Barreto, P.S.L.M., SimplÃcio, Jr., M.A.: Lyra: Password-Based Key Derivation with Tunable Memory and Processing Costs. IACR Cryptology ePrint Archive 2014:30 (2014)
Aumasson, J.-P., Neves, S., Wilcox-O’Hearn, Z., Winnerlein, C.: BLAKE2: Simpler, smaller, fast as MD5. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 119–135. Springer, Heidelberg (2013)
Carvalho, C.: The gap between processor and memory speeds. In: Proceedings of IEEE International Conference on Control and Automation (2002)
Daemen, J., Rijmen, V.: A new MAC construction ALRED and a specific instance ALPHA-MAC. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 1–17. Springer, Heidelberg (2005)
Dürmuth, M., Güneysu, T., Kasper, M., Paar, C., Yalcin, T., Zimmermann, R.: Evaluation of standardized password-based key derivation against parallel processing platforms. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 716–733. Springer, Heidelberg (2012)
Forler, C., Lucks, S., Wenzel, J.: The Catena Password Scrambler, Submission to Password Hashing Competition (PHC) (2014)
Gray, J., Shenoy, P.: Rules of Thumb in Data Engineering. Technical Report, MS-TR-99-100, Microsoft Research, Advanced Technology Division. December 1999, Revised March 2000
Lengauer, T., Tarjan, R.E.: Upper and lower bounds on time-space tradeoffs. In: Proceedings of the 11h Annual ACM Symposium on Theory of Computing, April 30 – May 2, 1979, Atlanta, Georgia, USA, pp. 262–277 (1979)
Burr, W., Turan, M.S., Barker, E., Chen, L.: NIST: Special Publication 800–132, Recommendation for Password-Based Key Derivation. Computer Security Division Information Technology Laboratory. http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
Percival, C.: Stronger key derivation via sequential memory-hard functions. In: BSDCon (2009). http://www.bsdcan.org/2009/schedule/attachments/87_scrypt.pdf
Provos, N., Mazières, D.: A future-adaptable password scheme. In: USENIX Annual Technical Conference, FREENIX Track, pp. 81–91. USENIX (1999)
Schaller, R.R.: Moore’s law: past, present, and future. IEEE Spectrum, June 1997
Acknowledgments
We would like to thank the anonymous reviewers of Inscrypt and the contributors to the PHC mailing list (specially Bill Cox) whose comments helped improve the paper significantly.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Chang, D., Jati, A., Mishra, S., Sanadhya, S.K. (2015). Rig: A Simple, Secure and Flexible Design for Password Hashing. In: Lin, D., Yung, M., Zhou, J. (eds) Information Security and Cryptology. Inscrypt 2014. Lecture Notes in Computer Science(), vol 8957. Springer, Cham. https://doi.org/10.1007/978-3-319-16745-9_20
Download citation
DOI: https://doi.org/10.1007/978-3-319-16745-9_20
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-16744-2
Online ISBN: 978-3-319-16745-9
eBook Packages: Computer ScienceComputer Science (R0)