Halting Password Puzzles: Hard-to-break Encryption from Human-memorable Keys

We revisit the venerable question of "pure password"-based key derivation and encryption, and expose security weaknesses in current implementations that stem from structural flaws in Key Derivation Functions (KDF). We advocate a fresh redesign, named Halting KDF (HKDF), which we thoroughly motivate on these grounds: 1. By letting password owners choose the hash iteration count, we gain operational flexibility and eliminate the rapid obsolescence faced by many existing schemes. 2. By throwing a Halting-Problem wrench in the works of guessing that iteration count, we widen the security gap with any attacker to its theoretical optimum. 3. By parallelizing the key derivation, we let legitimate users exploit all the computational power they can muster, which in turn further raises the bar for attackers. HKDFs are practical and universal: they work with any password, any hardware, and a minor change to the user interface. As a demonstration, we offer real-world implementations for the TrueCrypt and GnuPG packages, and discuss their security benefits in concrete terms.
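The halting mechanism behind points 1 and 2, as an added illustrative sketch written for this page (not the paper's own HKDF construction, nor the TrueCrypt or GnuPG code it mentions): the user picks the iteration count and it is never stored; only a short tag derived from the final chain state is kept, so the legitimate derivation stops when the tag is reproduced, while a wrong password never produces a match and gives the guesser no signal about when to stop. The chain step (HMAC-SHA256), the 16-byte tag, the sample salt and all function names are assumptions of this sketch; the parallel variant from point 3 is not shown.

```python
import hashlib
import hmac
from typing import Optional, Tuple


def _step(state: bytes, password: bytes, salt: bytes) -> bytes:
    # One iteration of the chain: HMAC keyed with the password over the previous state and salt.
    return hmac.new(password, state + salt, hashlib.sha256).digest()


def hkdf_setup(password: bytes, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """Run the user-chosen number of iterations once and return (key, halt_tag).
    Only the salt and halt_tag are stored next to the ciphertext; the count is not."""
    state = _step(b"", password, salt)
    for _ in range(iterations - 1):
        state = _step(state, password, salt)
    key = hashlib.sha256(b"key" + state).digest()
    halt_tag = hashlib.sha256(b"halt" + state).digest()[:16]  # assumed 128-bit tag
    return key, halt_tag


def hkdf_derive(password: bytes, salt: bytes, halt_tag: bytes, budget: int) -> Optional[bytes]:
    """Re-derive the key without knowing the count: iterate until the stored halt tag
    is reproduced. Returns None once `budget` steps pass without a match, which is
    what a guesser sees for every wrong password (no wrong guess ever halts on its
    own) and also what the legitimate user sees if they give up too early."""
    state = _step(b"", password, salt)
    for _ in range(budget):
        candidate = hashlib.sha256(b"halt" + state).digest()[:16]
        if hmac.compare_digest(candidate, halt_tag):
            return hashlib.sha256(b"key" + state).digest()
        state = _step(state, password, salt)
    return None


if __name__ == "__main__":
    salt = b"\x01" * 16  # constructed sample salt; use os.urandom(16) in practice
    key, tag = hkdf_setup(b"correct horse battery", salt, 2000)
    assert hkdf_derive(b"correct horse battery", salt, tag, 5000) == key
    # A wrong password never matches the tag, so the search only ends when the budget does.
    print("wrong password after 5000 steps:", hkdf_derive(b"wrong guess", salt, tag, 5000))
```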
