Paul,

You are right on. bcrypt and the like are reasonable choices for low traffic websites, but can be abusive hits on CPU/L1/L2 caches and are problematic at scale. For bcrypt with work factor 10, it takes about 10 concurrent runs of bcrypt to pin a high performance CPU.

You have a few choices here.

1. Throw a lot of hardware at it. Lots. I've seen a few folks do this. It works but it's expensive.

2. Reduce the work factor and speed up the algorithm. Bad choice. It defeats the purpose of adaptive algorithms.

3. Use an HMAC, proper key storage and rotation, and cryptographic isolation of the HMAC process in a separate service or the like, so your main app server has no access to the HMAC private key.

Several folks critique these assertions. These ideas are backed by John Stevens extensive, nay, I dare say obsessive threat model on password storage. http://goo.gl/Spvzs

Until someone shows me something similar, I'm going with John's very detailed and well thought out advice.

Aloha,

Jim Manico
@Manicode
(808) 652-3805

Hi,

On 31/01/2014, at 13:15, Paul Johnston paul.johnston@pentest.co.uk wrote:

I personally prefer the HMAC(secret, salt + password) approach. If an attacker finds a SQLi and gets the DB, he/she first needs to crack the secret (not really feasible today if you have a strong secret). If the site has a LFI then the strength of this approach kind of sucks, but it is the same as a normal hash+salt.

If you have throttling well implemented, taking into account different dimensions, then it looks a lot easier to DoS a site based on slow hash functions.

The difference is that JS password hashing doesn't add any security per si, what makes the difference is SSL. :)

Jim,

Stalwart AppSec educator—thanks for the nod. Paul,

Your problem characterization is thoughtful, considering different forms of attack and the various surfaces upon which they can occur. You’ve even re-considered the (informal) threat model applying your proposed control alternatives. Well-played. Since you’ve taken the problem one or two steps past where most have, it’s worth following up beyond what I’ve posted publicly.

[Adaptive One-way Functions]
I would not oppose an approach predicated solely on an adaptive one-way function. Research load characteristics and tune for effective results.

You could throw iron at the problem (*1) using the standard adaptive one-way function formulations. Distributing the work from server to client is a natural response, yes, but not one I’ve seen in practice very often. You’re correct that doing so ‘inherits’ another problem: continued support for a user-specific salt (*2). You rightly indicate that it also inherits the problem of obscured credential replay by MitM.

In essence, this design leads down a slippery slope to a home-rolled challenges/response (C/R) protocol—something to be avoided. We see Existing C/R schemes, such as OAuth, protect plaintext credentials against MitM theft. Bearer tokens (application/end-point ‘passwords') used by these schemes can help designers limit the amount of CPU-intensive server-based credential verification. When designing systems, prefer these to home-rolled schemes; their limitations are well-understood (*3).

As a user, you’re probably familiar with organizations (like social media sites) that rely on PBKDF2 or bcrypt with high work factors to protect databased credentials but also use tokens to reduce the amount of bcrypt-driven password verification that occurs. If you’ve already forsaken OAuth, explore other fancy C/R protocols with Javascript support like SRP (*4).

[Keyed Macs]

I would suggest this approach and advise carefully solving knock-on problems.

As stated, I’m a fan of this approach, principally because it is both simple and because it forces the attacker into asymmetric (disadvantaged) warfare with the defender (*5). That is, the defender is subject to only nominal password verification effort whereas the attacker must pay to brute force (or steal) the secret key prior to enjoying the same ease of verification.

As Jim hedged, one inherits the ‘key protection’ problem with this scheme. Detractors rightly indicate organizations can easily screw key protection up. Within my own experience, it’s been easy to design solutions because the organizations with which I work enjoy benefits like a) separate of duties involved in generating, handling, and using key material, b) reasonable application server configuration, and c) broadly deployed HSM support. Though, even without fancy hardware, organizations often have existing regimes for production secret protection.

[Paul’s Proposed Design]
Paul, the approach you proposed (*6), as I understand it, may be represented as follows:

(0)  Client C: uname —> Server S
(1)  S: SHA2(server_salt + uname) —> C
(2)  C: bcrypt(salt, pw) —> S
(3)  S: verify(SHA2(<bcrypt result>))

My “brief” analysis of this approach places it (surprisingly?) in an equivalence class with bcrypt itself, once known to an attacker. For those interested in why, contact me offline.

This scheme does provide some additional protections to credentials in flight (during step (2)). if designers desire this effect, I’d recommend revisiting the C/R section and selecting from that family of approach.

-jOHN

John Steven
iCTO, Cigital
+1,703-727-4034  |  @M1splacedsoul
https://google.com/+JohnStevenCigital

• (1) - http://www.youtube.com/watch?v=8mbkWMEMB9s

• (2) - Some ascribe anti-reversing properties to salts beyond obscuring duplicate plaintext and raising space/time difficulty on targeted individual attack. This results in complaint about salts made public.

• (3) - http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/

• (4) - https://github.com/symeapp/srp-client

• (5) - http://goo.gl/Spvzs

• (6) - Quoted from Paul’s mail:

• ():

...John Steven’s...

Jim,

Stalwart AppSec educator—thanks for the nod. Paul,

Your problem characterization is thoughtful, considering different forms of attack and the various surfaces upon which they can occur. You’ve even re-considered the (informal) threat model applying your proposed control alternatives. Well-played. Since you’ve taken the problem one or two steps past where most have, it’s worth following up beyond what I’ve posted publicly.

[Adaptive One-way Functions]
I would not oppose an approach predicated solely on an adaptive one-way function. Research load characteristics and tune for effective results.

You could throw iron at the problem (*1) using the standard adaptive one-way function formulations. Distributing the work from server to client is a natural response, yes, but not one I’ve seen in practice very often. You’re correct that doing so ‘inherits’ another problem: continued support for a user-specific salt (*2). You rightly indicate that it also inherits the problem of obscured credential replay by MitM.

In essence, this design leads down a slippery slope to a home-rolled challenges/response (C/R) protocol—something to be avoided. We see Existing C/R schemes, such as OAuth, protect plaintext credentials against MitM theft. Bearer tokens (application/end-point ‘passwords') used by these schemes can help designers limit the amount of CPU-intensive server-based credential verification. When designing systems, prefer these to home-rolled schemes; their limitations are well-understood (*3).

As a user, you’re probably familiar with organizations (like social media sites) that rely on PBKDF2 or bcrypt with high work factors to protect databased credentials but also use tokens to reduce the amount of bcrypt-driven password verification that occurs. If you’ve already forsaken OAuth, explore other fancy C/R protocols with Javascript support like SRP (*4).

[Keyed Macs]

I would suggest this approach and advise carefully solving knock-on problems.

As stated, I’m a fan of this approach, principally because it is both simple and because it forces the attacker into asymmetric (disadvantaged) warfare with the defender (*5). That is, the defender is subject to only nominal password verification effort whereas the attacker must pay to brute force (or steal) the secret key prior to enjoying the same ease of verification.

As Jim hedged, one inherits the ‘key protection’ problem with this scheme. Detractors rightly indicate organizations can easily screw key protection up. Within my own experience, it’s been easy to design solutions because the organizations with which I work enjoy benefits like a) separate of duties involved in generating, handling, and using key material, b) reasonable application server configuration, and c) broadly deployed HSM support. Though, even without fancy hardware, organizations often have existing regimes for production secret protection.

[Paul’s Proposed Design]
Paul, the approach you proposed (*6), as I understand it, may be represented as follows:

(0)  Client C: uname —> Server S
(1)  S: SHA2(server_salt + uname) —> C
(2)  C: bcrypt(salt, pw) —> S
(3)  S: verify(SHA2(<bcrypt result>))

My “brief” analysis of this approach places it (surprisingly?) in an equivalence class with bcrypt itself, once known to an attacker. For those interested in why, contact me offline.

This scheme does provide some additional protections to credentials in flight (during step (2)). if designers desire this effect, I’d recommend revisiting the C/R section and selecting from that family of approach.

-jOHN

John Steven
iCTO, Cigital
+1,703-727-4034  |  @M1splacedsoul
https://google.com/+JohnStevenCigital

• (1) - http://www.youtube.com/watch?v=8mbkWMEMB9s

• (2) - Some ascribe anti-reversing properties to salts beyond obscuring duplicate plaintext and raising space/time difficulty on targeted individual attack. This results in complaint about salts made public.

• (3) - http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/

• (4) - https://github.com/symeapp/srp-client

• (5) - http://goo.gl/Spvzs

• (6) - Quoted from Paul’s mail:

• ():

...John Steven’s...