Key strengthening

Key strengthening

In cryptography, key strengthening or key stretching refer to techniques used to make a possibly-weak key, typically a password or passphrase, more secure against a brute force attack by increasing the time it takes to test each possible key. Passwords or passphrases created by humans are often short or predictable enough to allow password cracking. Key strengthening makes such attacks more difficult.

Key strengthening techniques generally work as follows: The initial key is fed through an algorithm that takes a known constant time to apply. The algorithm is constructed so that the delay introduced is acceptable to most users, say one second on a typical personal computer. The output is the "enhanced key". The enhanced key should be of sufficient size to make it unfeasible to break by brute force (e.g. at least 128 bits). The overall algorithm used should be secure in the sense that there should be no known way of taking a shortcut that would make it possible to calculate the enhanced key in less time (less processor work) than by using the key stretching algorithm itself. The key strengthening process leaves the attacker with two options: Either to try every possible combination of the enhanced key, infeasible if the enhanced key is long enough, or try likely combinations of the initial key, which normally would be much easier. If the initial key is a password or a passphrase then the normal way to brute force it would be to first try every word in the dictionary or common password list and then try all character combinations for longer and longer passwords. This often yields the correct result in a reasonable amount of time. Key strengthening does not prevent this approach, but the attacker has to spend much more time on each try.

If the attacker uses the same class of hardware as the user, each guess will take the same amount of time it took the user (for example, one second). Even if the attacker might have much greater computing resources than the user, the key strengthening will still slow him down. The user only has to compute the strengthening function once to use his known password, but the attacker must compute it for each guess in his attack.

There are several ways to perform key strengthening. For instance to apply a cryptographic hash function or a block cipher in a loop (see pseudo code below). Or in some cases if the key is used for a cipher to modify the key schedule (key set-up) in the cipher so it takes one second.

A related technique, salting, protects against time-memory tradeoff attacks and is often used in conjunction with key strengthening.

Hash based key strengthening

Simple key strengthening method:

key = hash( password ) for 1 to 65000 do key = hash( key )

Even better method with a salt. ("+" here means concatenation):

key = hash( password + salt ) for 1 to 65000 do key = hash( key )

Or even:

key = hash( password + salt ) for 1 to 65000 do key = hash( key + salt )

Strength and time

For these examples let us assume that that the slowest personal computers still in use today (2008) can do about 65000 SHA-1 hashes in one second if using compiled code. Thus a program that uses key strengthening can use 65000 hash rounds and then it will take max one second for the slowest users to use their password or key.

Testing a trial password or passphrase typically requires one hash operation. But with key strengthening the attacker first has to make the stronger key to test, which with 65000 rounds in the hash loop means that each test takes 65001 operations. That is 65000 times more work, i.e. about 216 operations, which means the enhanced key is "worth" about 16 bits more in key strength.

Note that when strengthening a weak key, the intermediate key used in the hash loop and the final stronger key must be big enough to hold the additional strength.

So far computer speed has doubled about once per 1.5 years. (See Moore's law.) This means that each 1.5 years one more bit of key strength is possible to crack. This means that the 16 extra bits of strength is worth about 16×1.5 = 24 years later cracking. But it also means that the number of key strengthening rounds a system uses should and can be doubled about once every 1.5 years. Still it will only cost about 1 second to do the key strengthening on the computers available then. Thus key strengthening can make the same size weak keys just as hard to crack also in the future.

For passwords and passphrases, the situation is unfortunately not as good, since they are usually worth much less than 56 bits of strength. But since 16 bits means 24 years it makes a key strengthened password today (2008) about as hard to crack as a non-strengthened password was in 1984. And since the systems can increase the number of key strengthening rounds as computers get faster it will keep the stronger keys as strong as non-strengthened passwords were in 1984 even in the future.

History

The first deliberately-slow password-based key derivation function was called "CRYPT" and was invented by Robert Morris during the 1980s for encrypting Unix passwords. It used an iteration count of 25, a 12-bit salt and a variant of DES as the sub-function. (DES proper was avoided in an attempt to frustrate attacks using standard DES hardware.) It also limited passwords to a maximum of eight ASCII characters. While it seemed a great advance at the time, CRYPT(3) is now considered inadequate. The iteration count, designed for the PDP-11 era, is too low, 12 bits of salt inconvenience but do not stop precomputed dictionary attacks, and the 8 character limit prevents the use of stronger passphrases.

Modern password-based key derivation functions, such as PBKDF2 (specified in RFC 2898), use a cryptographic hash, such as MD5 or SHA1, more salt (e.g. 64 bits) and a high iteration count (often 1000 or more). There have been proposals to use algorithms that require large amounts of computer memory and other computing resources to make custom hardware attacks more difficult to mount.

Some systems that use key strengthening

*PGP, GPG encryption software.
*Wi-Fi Protected Access (WPA and WPA2) wireless encryption protocol in personal mode.
*Some but not all disk encryption software: (See comparison of disk encryption software)

* PBKDF2 - a widely used key strengthening algorithm
* Key derivation function - Often uses key strengthening.
* Hashcash - A somewhat related method.

References

* [http://www.schneier.com/paper-low-entropy.html Secure Applications of Low-Entropy Keys] by J. Kelsey, B. Schneier, C. Hall, and D. Wagner (1997)
* [http://www2007.org/poster855.php A Password Stretching Method with User Specific Salts] by ChangHee Lee and Heejo Lee (2007)
* RFC 2898

* [http://www.php-einfach.de/improved_hash_algorithm_en.php PHP implementation to get a strong hash from a weak password]

Wikimedia Foundation. 2010.

Look at other dictionaries:

• Strengthening mechanisms of materials — Methods have been devised to modify the yield strength, ductility, and toughness of both crystalline and amorphous materials. These strengthening mechanisms give engineers the ability to tailor the mechanical properties of materials to suit a… …   Wikipedia

• Solid solution strengthening — is a type of alloying that can be used to improve the strength of a pure metal. The technique works by adding atoms of one element (the alloying element) to the crystalline lattice another element (the base metal). The alloying element diffuses… …   Wikipedia

• Office for Strengthening Unity — The Office for Strengthening Unity (also Office for Consolidating Unity, Persian: دفتر تحکیم وحدت, Daftar e Tahkim e Vahdat), is an Iranian student organization created in 1979, and has been described as the country s most well known student… …   Wikipedia

• Comparison of disk encryption software — This is a technical feature comparison of different disk encryption software. Contents 1 Background information 2 Operating systems 3 Features 4 Layering …   Wikipedia

• Topics in cryptography — This article is intended to be an analytic glossary , or alternatively, an organized collection of annotated pointers.Classical ciphers*Autokey cipher *Permutation cipher*Polyalphabetic substitution **Vigenère cipher*Polygraphic substitution… …   Wikipedia

• Outline of cryptography — See also: Index of cryptography articles The following outline is provided as an overview of and topical guide to cryptography: Cryptography (or cryptology) – practice and study of hiding information. Modern cryptography intersects the… …   Wikipedia

• Blowfish (cipher) — Infobox block cipher name = Blowfish caption = The round function (Feistel function) of Blowfish designers = Bruce Schneier publish date = 1993 derived from = derived to = Twofish key size = 32 448 bits in steps of 8 bits; default 128 bits block… …   Wikipedia

• Shared secret — In cryptography, a shared secret is a piece of data only known to the parties involved in a secure communication. The shared secret can be a password, a passphrase, a big number or an array of randomly chosen bytes.The shared secret is either… …   Wikipedia

• Dm-crypt — is a transparent disk encryption subsystem in Linux kernel versions 2.6 and later. It is part of the device mapper infrastructure, and uses cryptographic routines from the kernel s Crypto API. Unlike its predecessor cryptoloop, dm crypt was… …   Wikipedia

• chromaticism — /kroh mat euh siz euhm, kreuh /, n. Music. 1. the use of chromatic tones. 2. a style in which chromatic tones predominate. [1875 80; CHROMATIC + ISM] * * * In music, the use of all 12 tones, especially for heightened expressivity. A standard key… …   Universalium