Key stretching
In cryptography, key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources it takes to test each possible key. Passwords or passphrases created by humans are often short or predictable enough to allow password cracking, and key stretching is intended to make such attacks more difficult by complicating a basic step of trying a single password candidate. Key stretching also improves security in some real-world applications where the key length has been constrained, by mimicking a longer key length from the perspective of a brute-force attacker.
There are several ways to perform key stretching. One way is to apply a cryptographic hash function or a block cipher repeatedly in a loop. For example, in applications where the key is used for a cipher, the key schedule in the cipher may be modified so that it takes a specific length of time to perform. Another way is to use cryptographic hash functions that have large memory requirements – these can be effective in frustrating attacks by memory-bound adversaries.
Process
Key stretching algorithms depend on an algorithm which receives an input key and then expends considerable effort to generate a stretched cipher mimicking randomness and longer key length. The algorithm must have no known shortcut so the most efficient way to relate the input and cipher is to repeat the key stretching algorithm itself. This compels brute-force attackers to expend the same effort for each attempt. If this added effort compares to a brute-force key search of all keys with a certain key length, then the input key may be described as stretched by that same length.Key stretching leaves an attacker with two options:
- Attempt possible combinations of the enhanced key, but this is infeasible if the enhanced key is sufficiently long and unpredictable
- Attempt possible combinations of the weaker initial key, potentially commencing with a dictionary attack if the initial key is a password or passphrase, but the attacker's added effort for each trial could render the attack uneconomic should the costlier computation and memory consumption outweigh the expected profit
This process does not alter the original key-space entropy. The key stretching algorithm is deterministic, allowing a weak input to always generate the same enhanced key, but therefore limiting the enhanced key to no more possible combinations than the input key space. Consequently, this attack remains vulnerable if unprotected against certain time-memory tradeoffs such as developing rainbow tables to target multiple instances of the enhanced key space in parallel. For this reason, key stretching is often combined with salting.
Hash-based
Many libraries provide functions which perform key stretching as part of their function; see crypt for an example. PBKDF2 is for generating an encryption key from a password, and not necessarily for password authentication. PBKDF2 can be used for both if the number of output bits is less than or equal to the internal hashing algorithm used in PBKDF2, which is usually SHA-2, or used as an encryption key to encrypt static data.Strength and time
These examples assume that a personal computer can do about 65,000 SHA-1 hashes in one second. Thus a program that uses key stretching can use 65,000 rounds of hashes and delay the user for at most one second. Note that a USD$700 GPU from July 2019 can do more than 10 billion SHA-1 hashes in one second.Testing a trial password or passphrase typically requires one hash operation. But if key stretching was used, the attacker must compute a strengthened key for each key they test, meaning there are 65,000 hashes to compute per test. This increases the attacker's workload by a factor of 65,000, approximately 216, which means the enhanced key is worth about 16 additional bits in key strength.
Moore's law asserts that computer speed doubles roughly every 1.5 years. Under this assumption, every 1.5 years one more bit of key strength is plausibly brute-forcible. This implies that 16 extra bits of strength is worth about 16×1.5 = 24 years later cracking, but it also means that the number of key stretching rounds a system uses should be doubled about every 1.5 years to maintain the same level of security.
CPU-bound hash functions are still vulnerable to hardware implementations. Such implementations of SHA-1 exist using as few as 5,000 gates, and 400 clock cycles. With multi-million gate FPGAs costing less than $100, an attacker can build a fully unrolled hardware cracker for about $5,000. Such a design, clocked at 100 MHz can test about 300,000 keys/second. The attacker is free to choose a good price/speed compromise, for example a 150,000 keys/second design for $2,500. The key stretching still slows down the attacker in such a situation; a $5,000 design attacking a straight SHA-1 hash would be able to try 300,000÷216 ≈ 4.578 keys/second.
To defend against the hardware approach, memory-bound cryptographic functions have been developed. These access large amounts of memory in an unpredictable fashion such that caches are ineffective. Since large amounts of low latency memory are expensive, a would-be attacker is significantly deterred.
History
The first deliberately slow password-based key derivation function "CRYPT" was described in 1978 by Robert Morris for encrypting Unix passwords. It used an iteration count of 25, a 12-bit salt and a variant of DES as the sub-function. Passwords were limited to a maximum of eight ASCII characters. While it was a great advancement for its time, CRYPT is now considered inadequate. The iteration count, designed for the PDP-11 era, is too low, 12 bits of salt is an inconvenience but does not stop precomputed dictionary attacks, and the 8 character limit prevents the use of stronger passphrases.Modern password-based key derivation functions, such as PBKDF2, use a cryptographic hash, such as SHA-2, a longer salt and a high iteration count.
In 2009, a memory-intensive key strengthening algorithm, scrypt, was introduced with the intention of limiting the use of custom, highly parallel hardware to speed up key testing.
In 2013, a Password Hashing Competition was held to select an improved key stretching standard that would resist attacks from graphics processors and special purpose hardware. The winner, Argon2, was selected on July 1, 2015.
Some systems that use key stretching
- Some but not all disk encryption software:
- Apache.htpasswd "APR1" and OpenSSL "passwd" use 1000 rounds of MD5 key stretching.
- KeePass and KeePassX, open-source password manager utilities.
- Password Safe open-source password manager.
- PGP, GPG encryption software.
- Wi-Fi Protected Access wireless encryption protocol in personal mode.