Abstract
Most common password scramblers hinder password-guessing attacks by “key stretching”, e.g., by iterating a cryptographic hash function many times. With the increasing availability of cheap and massively parallel off-the-shelf hardware, iterating a hash function becomes less and less useful. To defend against attacks based on such hardware, one can exploit its limitations regarding the amount of fast memory available to each single core. The first password scrambler taking this into account was scrypt. In this paper we mount a cache-timing attack on scrypt by exploiting its password-dependent memory-access pattern. Furthermore, we show that it is possible to apply an efficient password filter for scrypt based on a malicious garbage collector. As a remedy, we present a novel password scrambler called Catena, which provides both a password-independent memory-access pattern and resistance against garbage-collector attacks. Furthermore, Catena instantiated with the (G,λ)-DBH operation introduced here satisfies a certain time-memory tradeoff called λ-memory-hardness, i.e., using only 1/b of the memory, the time necessary to compute the password hash increases by a factor of b^λ. Finally, we introduce a more efficient instantiation of Catena based on a bit-reversal graph.
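The contrast the abstract draws, between a scrypt-like scheme whose memory reads are driven by the running state (and therefore by the password) and a scheme whose reads follow a fixed bit-reversal permutation, as an added toy illustration. This is not code from the paper or from the Catena project: the use of SHA-256 as the hash, the tiny memory sizes, the chaining rule between cells and the names `data_dependent_mix`, `bit_reversal_mix` and `trace_is_password_independent` are all assumptions made here for illustration, not the real scrypt or Catena constructions.

```python
"""Toy contrast of password-dependent and password-independent memory access.

Added illustration, not code from the paper or the Catena project.  It models
the two access strategies the abstract contrasts:

  * data_dependent_mix - scrypt-like: the cell read in each step is derived
                         from the running state, hence from the password;
  * bit_reversal_mix   - the cell read in each step is fixed by a bit-reversal
                         permutation of the step index, independent of the
                         password.

SHA-256 as the hash, the small memory sizes and the way cells are chained are
assumptions chosen for illustration; they are NOT the real constructions.
"""
import hashlib
from typing import Callable, List, Tuple


def _h(*parts: bytes) -> bytes:
    """Hash the concatenation of `parts` (assumption: SHA-256 stands in for H)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(p)
    return m.digest()


def bit_reverse(i: int, bits: int) -> int:
    """Reverse the low `bits` bits of i, e.g. bit_reverse(1, 3) == 4 (0b001 -> 0b100)."""
    return int(format(i, f"0{bits}b")[::-1], 2)


def data_dependent_mix(password: bytes, salt: bytes, g: int) -> Tuple[bytes, List[int]]:
    """Fill 2**g cells sequentially, then read them back at state-derived indices.

    Returns (digest, trace); trace lists the cell index read in each step, which is
    exactly what a co-resident cache-timing observer could learn.
    """
    n = 1 << g
    x = _h(password, salt)
    cells = []
    for _ in range(n):              # phase 1: sequential fill
        cells.append(x)
        x = _h(x)
    trace = []
    for _ in range(n):              # phase 2: read at an index taken from the state
        j = int.from_bytes(x[:4], "little") % n   # depends on x, hence on the password
        trace.append(j)
        x = _h(x, cells[j])
    return x, trace


def bit_reversal_mix(password: bytes, salt: bytes, g: int) -> Tuple[bytes, List[int]]:
    """Fill 2**g cells sequentially, then read them back in bit-reversed order.

    Step i mixes the running state with cell bit_reverse(i, g) (assumed chaining
    rule).  The index sequence is a function of g only, never of the password.
    """
    n = 1 << g
    x = _h(password, salt)
    cells = []
    for _ in range(n):
        cells.append(x)
        x = _h(x)
    trace = []
    for i in range(n):
        j = bit_reverse(i, g)       # fixed permutation: carries no password information
        trace.append(j)
        x = _h(x, cells[j])
    return x, trace


Mixer = Callable[[bytes, bytes, int], Tuple[bytes, List[int]]]


def trace_is_password_independent(mix: Mixer, g: int, passwords: List[bytes]) -> bool:
    """True iff every password yields the same access trace under `mix`."""
    salt = b"constructed-fixed-salt"        # constructed sample salt
    traces = {tuple(mix(pw, salt, g)[1]) for pw in passwords}
    return len(traces) == 1


if __name__ == "__main__":
    pws = [b"correct horse", b"battery staple", b"hunter2"]   # constructed sample input
    print("data-dependent trace password-independent:", trace_is_password_independent(data_dependent_mix, 5, pws))
    print("bit-reversal   trace password-independent:", trace_is_password_independent(bit_reversal_mix, 5, pws))
```

The `trace` each mixer returns is the observable a defender cares about: for the state-driven scheme it changes with the password, so a side channel that reveals it can be used to filter candidate guesses, whereas for the bit-reversal scheme it is the same fixed permutation for every password, so observing it reveals nothing about the input.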
© 2014 International Association for Cryptologic Research
Forler, C., Lucks, S., Wenzel, J. (2014). Memory-Demanding Password Scrambling. In: Sarkar, P., Iwata, T. (eds) Advances in Cryptology – ASIACRYPT 2014. ASIACRYPT 2014. Lecture Notes in Computer Science, vol 8874. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-45608-8_16
DOI: https://doi.org/10.1007/978-3-662-45608-8_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-45607-1
Online ISBN: 978-3-662-45608-8
eBook Packages: Computer Science (R0)