Scrypt, Bcrypt or anything else

Asked

Viewed 949 times

9

I’m choosing a hash algorithm for passwords from a system I develop. At the beginning of my "programmatic" I used the MD5, the SHA-1 and its derivantes. After a while I preferred the Whirlpool and now I’m looking for something more robust.

I’m in doubt between the Scrypt and the others... About the Scrypt I didn’t like your leaving:

$s0$e0801$epIxT/h6HbbwHaehFnh/bw==$7H0...

because I found the split by dollar very evident to an attacker (at least it was the impression I had).

Today what would be the best way forward? Scrypt, Bcrypt or PBKDF2 or some other way?

After knowing the project Jasypt I preferred to return to the good old Whirlpool, I still intend to study the algorithms mentioned above, but for now I’m betting on Whirlpool.

java cryptography bcrypt

  • Jasypt seems to do a good job protecting passwords. Just remember to use a different salt for each user, and an appropriate number of iterations. That article suggests 1000 iterations, but it’s probably outdated... Try 10,000, or even 100,000, and see if it’s tolerable (since I don’t know much about Whirlpool, I won’t suggest an exact number). This should provide comparable security to PBKDF2.

3 answers

4

About the dollar sign being obvious to an attacker: it doesn’t really mean anything. The security of your system lies in the difficulty of making the attack, not the difficulty of finding out which algorithm was used. For starters, any algorithm that has a faster attack than brute force is broken and should not be used.

Among the algorithms that do not have easy attack, ie, are only broken by brute force, security increases when more expensive (in time and money) is to make this brute force. And that’s where more time-consuming hash algorithms take advantage over fast hashes: an MD5 was created to be calculated quickly, and being "calculated quickly" is bad for security.

Of the 3 algorithms you mentioned, we can analyze:

  • PBKDF2 : the number of iterations is configurable, that is, you can make it take longer to be processed. But since it requires few circuits for its processing and little RAM, it is possible to use video cards (Gpus) or programmable / optimized circuits (such as Asics). This way it is possible to make a low cost attack.

  • Bcrypt : as it makes more intense use of RAM, the cost / difficulty of making a specific hardware to attack it is higher. In this way, it is dryer than PBKDF2. And it’s been in use for some time, which means its safety has been tested and hasn’t been broken. However, the amount of RAM that it uses is not yet gigantic, and therefore the cost of building hardware to break it is higher than that of PBKDF2, but it is not as big as that of Scrypt.

  • Scrypt : Scrypt requires a large amount of memory for its calculation (nothing that an ordinary PC or server cannot provide, but large enough to disrupt the use of Gpus or dedicated hardware). As it is a newer algorithm, it did not spend the same time as Bcrypt being tested in real life, and so may have some flaw not yet discovered.

A rule to see which is best suited for your application: what would be the interest of someone investing money to break the security of your application? If it’s something that valuable (for example, bank security or Bitcoins), use the solution that is more expensive for the attacker (Scrypt). If you only need reasonable security, PBKDF2 or Bcrypt will be more than enough.

3

In a hash algorithm, only what is being hashed is secret. Everything else is public (salt, work factor, other parameters). These algorithms are designed to maintain pre-image resistance (i.e. from the hash if the password is discovered) even if everything else about it is known. Therefore, the fact that an attacker sees the dollar sign in the code is not relevant (even because by the time he got his hands on your bank he must already know everything about your system).

In addition, other hash algorithms (even "broken" ones like MD5) will also need at least one salt (to avoid Rainbow Tables), And that salt has to be stored somewhere, right? What difference does it make if it’s in the hash itself (separated by dollar sign) or another column in the same table (which the attacker already has)?

On which is the best algorithm of the three, see the other answers for a comparative. Personally, I believe that PBKDF2 with a high number of iterations should be sufficient to protect a password (but in reality the three are good enough). And if your system has high security requirements (such as those of a bank, or nearby) then consider using other means than the password to protect your customers' accounts (two-factor authentication, for example).

Updating: Let’s say, to make life more difficult for an attacker, you solve: 1) take the dollar out; 2) change the order of the elements. That way, you’re turning:

$s0$e0801$epIxT/h6HbbwHaehFnh/bw==$7H0vsXlY8UxxyW/BWx/9GuY7jEvGjT71GFd6O4SZND0=

in

e0801s07H0vsXlY8UxxyW/BWx/9GuY7jEvGjT71GFd6O4SZND0=epIxT/h6HbbwHaehFnh/bw==

What the attacker will do?

  1. Create an account on your site. So he will know 1 password (his own) and the corresponding hash;

  2. Read how scrypt works, discovering that he has:

    1. A version number. How many s0 have in your string? Only 1:

      e0801  s0  7H0vsXlY8UxxyW/BWx/9GuY7jEvGjT71GFd6O4SZND0=epIxT/h6HbbwHaehFnh/bw==

    2. The parameters of the algorithm. Well, in this case it’s obvious that it’s the first group;

    3. A salt and a key. Well, in this case it was easy because the coding Base64 ended with = and ==, then it’s easy to find the pieces.

      e0801  s0  7H0vsXlY8UxxyW/BWx/9GuY7jEvGjT71GFd6O4SZND0=  epIxT/h6HbbwHaehFnh/bw==

  3. What is the salt and what is the key? Well, he knows his own password and her hash, so just do 2 tests:

    $s0$e0801$epIxT/h6HbbwHaehFnh/bw==$7H0vsXlY8UxxyW/BWx/9GuY7jEvGjT71GFd6O4SZND0=

$s0$e0801$7H0vsXlY8UxxyW/BWx/9GuY7jEvGjT71GFd6O4SZND0=$epIxT/h6HbbwHaehFnh/bw==

    Whatever works, it’s the format you’re using!

Although you use base 16 to make it harder to find the boundaries between the parts, the work to test all possibilities (within the same hash representation) is minimal compared to the work of trying to break the hash. If the attacker has enough money to make a hash attack, he can make that little test in a matter of minutes. You only complicated your implementation in exchange for a few minutes of the attacker’s time. It was worth it?

  • I believe that salt, iterations and other parameters should be as secret as the content to be calculated (hash), as it greatly facilitates the work of breaking, of course, does not decrease the cost of brute force. About salt, the difference it makes is to know that the final or initial 16bytes or whatever is salt and that for an attacker this is not explicit and separate so that it can have 50% of the way forward. If they took the $ I would be satisfied

  • In fact, the ideal is for the attacker to not even gain access to his hashes (i.e. protect himself from SQL Injection). But if you win, you do as much as you are represented. As for trying to hide the salt, this is security by obscurantism, which is not bad as addendum to a security system, but cannot serve as a basis for security. I will update my response with an example.

  • My question now is why would he just kick Scrypt? I agree that access to the base is more important, but I don’t see everything in one place.

  • That was just an example. What I mean is that the effort to discover the algorithm (and its implementation) is tiny in relation to the effort to crack it.

2


It depends on your goal. There are a number of things to evaluate:

  • Time for password breaking using brute force;
  • Number of iterations to generate an encrypted string;
  • Number of characters in your password. For example, Bcrypt does not work with more than 55 characters.

The recommended is the PBKDF2, since you didn’t like the way out of Scrypt. It has no character limit. It is easier to break than the other two, but has a better performance. Below is a comparative table with the cost in attempts to break the password of each algorithm:

Custo estimado em hardware para quebrar uma senha em 1 ano.

  • 1

    "The recommended is PBKDF2, since you did not like the output of Scrypt" -- I would accept the argument, if the OP had a good reason not to like scrypt, or if there was a link to a reliable source recommending PBKDF2 instead of scrypt. As the other answers put it, the simple fact of knowing how a hash is formatted is no reason to imagine that the algorithm is weak or "not recommended".

  • 1

    A second comment: "It is easier to break than the other two, but it performs better." -- As regards passwords, how much "worse" the performance, better.

Browser other questions tagged java cryptography bcrypt

You are not signed in. Login or sign up in order to post.