Demystifying Key Stretching and PAKEs

Conference: Black Hat USA 2022

2022-08-10

Summary

Minimum password hashing settings for cybersecurity and DevOps experts
  • Algorithms for password hashing can be computationally hard and memory hard
  • Parallel processing and SIMD instructions can be used to speed up hashing
  • Memory bandwidth and number of transactions are important factors in password hashing
  • Minimum settings for popular algorithms like PBKDF2, Bcrypt, and Argon2 are provided based on memory bandwidth and iterations
  • Industry standards for high numbers of iterations depend on the hashing algorithm used

Jeremy Gosney's quote about getting less than 10,000 guesses per second per GPU is used as a benchmark for minimum password hashing settings.

Abstract

Key stretching can make the difference between recovering a secret being nearly instant and nearly impossible, but it has had a fun history with bugs, footguns, and "features". This talk will answer many common questions and myths on key stretching and PAKEs. What to avoid, what to use, minimum safe settings for key stretching, side-channel attacks, and when key stretching is necessary with PAKEs. PAKEs can prevent all sorts of attacks and should be used on encrypted cloud services. Most encrypted cloud services that use a password can greatly benefit from PAKEs. By the end, you'll learn enough to be able to make toy key stretching algorithms and toy PAKEs. Just don't push those toys to prod.
