Design and Analysis of Password-Based Key Derivation Functions

Size: px

Start display at page:

Download "Design and Analysis of Password-Based Key Derivation Functions"

Shawn Webster
6 years ago
Views:

1 Design and Analysis of Passwod-Based Key Deivation Functions Fances F. Yao 1 and Yiqun Lisa Yin 2 1 Depatment of Compute Science City Univesity of Hong Kong Kowloon, Hong Kong csfyao@cityu.edu.hk 2 Depatment of Electical Engineeing Pinceton Univesity Pinceton, NJ yyin@pinceton.edu Abstact. A passwod-based key deivation function (KDF) a function that deives cyptogaphic keys fom a passwod is necessay in many secuity applications. Like any passwod-based schemes, such KDFs ae subject to key seach attacks (often called dictionay attacks). Salt and iteation count ae used in pactice to significantly incease the wokload of such attacks. These techniques have also been specified in widely adopted industy standads such as PKCS and IETF. Despite the impotance and wide-spead usage, thee has been no fomal secuity analysis on existing constuctions. In this pape, we popose a geneal secuity famewok fo passwod-based KDFs and intoduce two secuity definitions each captuing a diffeent attacking scenaio. We study the most commonly used constuction H (c) (p s) and pove that the iteation count c, when fixed, does have an effect of stetching the passwod p by log 2 c bits. We then analyze the two standadized KDFs in PKCS#5. We show that both ae secue if the advesay cannot influence the paametes but subject to attacks othewise. Finally, we popose a new passwod-based KDF that is povably secue even when the advesay has full contol of the paametes. 1 Intoduction 1.1 Backgound and Motivation Cyptogaphic keys ae essential in vitually all secuity application. In pactice, howeve, inputs to an application ae typically aw key mateials, such as passwods, that ae not yet in the fom to be used as keys. Theefoe, a key deivation function (KDF) a function that deives cyptogaphic keys fom keying mateials is often a necessay component in all secuity applications. Thee ae many usage scenaios fo key deivation functions depending on the fom of the input. Fo example, the input can be a use passwod, a andom seed value fom some entopy souce, o an output value fom a cyptogaphic

2 opeation such as Diffie-Hellman key ageement. The second scenaio is typically handled by a pseudoandom numbe geneato (e.g., the FIPS PRNG in [6]), and the thid scenaio is handled by hashing the long output down to the equied key length (e.g., the KDF1 in [8]). In both scenaios, thee is usually enough entopy in the key mateials. In this pape, we focus ou study on passwod-based key deivation functions. Unlike the othe two scenaios mentioned above, passwods, in paticula those chosen by a use, often ae shot o have low entopy. Theefoe, special teatment is equied in key deivation to defend against exhaustive key seach attacks. One basic appoach fo designing a passwod-based key deivation function is to deive the key fom the passwod p and a andom known value s (called salt), by applying a function H (such as hash, keyed hash, o block ciphe) fo a numbe of iteations c (called iteation count). Fo example, the following is a typical constuction 1 : key = H (c) (p s). Intuitively, the salt s seves the pupose of ceating a lage set of possible keys coesponding to a given passwod, among which one key is selected accoding to the salt used in each execution of the KDF. The iteation count c seves the pupose of inceasing the cost of deiving each key, theeby significantly inceasing the wokload of key seach attacks. These two techniques have been commonly used in pactice and also specified in widely adopted industy standads, including PKCS [13] and IETF [4]. In a moe geneal setting, we can view a passwod-based KDF as a method fo stetching any shot keys (not necessaily passwods) into longe keys. An efficient key stetching method can be useful in stengthening secuity without any achitectual o policy changes fo complex systems (e.g., a cedit-cad system). In addition, passwod-based KDF can be used in a staightfowad way to define passwod-based encyption schemes and message authentication schemes. Despite thei impotance and wide-spead usage, thee has been no fomal secuity analysis of existing passwod-based KDFs. Futhemoe, thee has been no geneal secuity famewok fo analyzing such KDFs. It is possible that the above popula KDF constuction is insecue against some sophisticated keyseach attacks even though the paametes ae chosen lage enough and the undelying hash function H is sound (e.g., it can be consideed as a andom oacle). 1.2 Ou famewok In this pape, we popose a geneal secuity famewok fo studying passwodbased key deivation functions. Ou famewok aims at captuing vaious types of key-seach attacks and allowing concete analysis of attacke s success pobability elating to its available computational esouce fo launching key-seach 1 Thoughout the pape, we use H (c) to denote that H is applied c times and use to denote the concatenation of two stings.

3 attacks. We also model salt and iteation count in a way as they ae used in pactice so that thei impact on the oveall secuity of the scheme can be quantified. Key seach attacks on passwod-based KDFs can be quite sophisticated [10], but they geneally taget at the constuction of the key deivation function F and teat the undelying function H as a black-box tansfomation. This motivates us to model the undelying pimitive H as a andom oacle [2] and hence its intenal stuctue is ignoed in the analysis. We define two levels of secuity fo the KDF depending on the capability of the advesay A: intheweak model A can only obseve the output of F while in the stong model A can quey F on inputs of its choice. In both models, A can make queies to H, and the maximum numbe of such queies captues A s available computational powe to launch key seach attacks. Roughly, the constuction of F is secue unde each model if A with the given capability cannot distinguish the output of F fo an unknown passwod p fom a andom sting. 1.3 Main esults Using the poposed famewok, we fist study the secuity of the iteative constuction. We pove that if an advesay A makes at most t queies to H, then the success pobability Adv that it can distinguish the deived key fo an unknown p fom a andom sting of the same length n satisfies t/c t/c <Adv< PW PW + t2 2 n. The uppe bound is dominated by the fist tem, since the second tem is negligible in pactical settings. The above esult implies that, fo a fixed iteation count, thee is no shot-cut in the key seach othe than computing H iteatively fo each passwod. In othe wods, the iteation count c inceases the wokload of exhaustive key seach by a facto of c. So the iteation constuction effectively stetches a k-bitkeytoa(k +log 2 c)-bit key. We then focus ou attention on pactical passwod-based KDFs and analyze the two KDFs in PKCS#5 [13] the de facto standad fo passwod-based cyptogaphy. Ou analysis on the iteative constuction implies that the two KDFs ae weakly secue as long as the computational esouce available to the attacke is much less than c PW (although it can be much lage than PW ). We also show that neithe KDF is secue in the stong model and discuss how such secuity weakness may be exploited to mount attacks in pactical scenaios. Based on the insight gained fom ou ealie analysis, we popose a new passwod-based key deivation function with enhanced secuity. The main idea in ou constuction is to include iteation count explicitly in the input to the deivation function to pevent it fom being manipulated by the attacke. We show that the new KDF is secue in the stong model.

4 1.4 Related wok Rigoous analysis of passwod-based key deivation schemes seems to have eceived elatively little attention compaed to othe types of cyptogaphic schemes. In [10], the tem key-stetching is used fo convesion of low-entopy keys into longe keys by mechanisms such as iteated hash. A connection was made between the cost of computing H (c) and the cost of finding a collision fo H. Roughly speaking, if H (c) could be computed on aveage with fewe than c/2 calls to H, then this would lead to a collision seach fo H faste than the naive bithday attack. Although it would be had to tanslate the esult into a standad concete secuity model, it is cetainly of pactical inteest. Ou esults on H (c) ae well quantified; moeove, the famewok fo KDF is igoously defined and the effects of salt and iteation ae studied in a standad distinguish-fomandom model with espect to specific quey types. In [14], the UNIX passwod hashing algoithm is analyzed. The coe of the algoithm is oughly f(p) = DES p (25) (0), that is, to encypt the value zeo 25 times using the passwod p as the key. So the algoithm has an iteative stuctue somewhat simila to the passwod-based KDFs consideed hee. It is poved that the algoithm is a secue hashing function if DES is a secue block ciphe. Howeve, as pointed out by the authos, thei analysis only implies that iteation does not ham secuity, but they ae not able to show that iteation actually enhances secuity as one would intuitively expect. Key deivation functions in a geneal sense shae some similaity in thei design, such as the use of hash functions to pocess the aw key mateials. Fo instance, the pseudoandom numbe geneato (PRNG) defined in FIPS [6] is hash-based and can deive long keys fom a andom seed. The exact constuction, howeve, is quite diffeent: in the passwod-based KDF the hash is applied iteatively while in the PRNG the hash outputs ae concatenated to poduce the key. Theefoe, secuity analysis of PRNG type of key deivation [5] does not diectly apply to passwod-based key deivation. Anothe elated subject is passwod-based authentication and key exchange potocols, and the goal of such potocols is to authenticate two paties who shae a common passwod. Existing potocols use vaious public-key techniques such as RSA o Diffie-Hellman in a w ay that the messages exchanged between the paties povide little o no help fo an attacke to guess the passwod. A suvey of well-analyzed potocols can be found in [9]. 1.5 Oganization of the pape 2 Secuity Famewok and Definitions 2.1 KDF model We denote a passwod-based key deivation function as y = F (p, s, c)

5 whee p is passwod, s is salt, c is iteation count, and y is deived key of length n. Let the set of passwods, salts, and iteation counts be PW, S, andc. Foa fixed p PW,wecanviewy = F p (s, c) as a function with input (s, c) and output y. We intechangeably wite F (p, s, c) of p (s, c) depending on the context. Fo ease of analysis, we make some assumptions on the sets PW, S, andc. We assume that PW = {0, 1} l, S = {0, 1} s,andc =[c,c ] fo some integes 0 <c <c. The uppe limit ensues that the iteation count is not too lage, since othewise the KDF becomes too slow and useless. In addition, we assume that the length of p s c is at most n, although ou analysis can be extended to the moe geneal case (see Section 4.3 fo futhe discussions). We denote the undelying pimitive that is used to constuct F as H. Fo example, H can be instantiated using pactical hash functions as building blocks. Since key seach attacks typically teats H as a black-boxtansfomation without exploiting its intenal stuctue, we model H as a andom function fom R n,the set of all functions fom {0, 1} n to {0, 1} n. That is, we focus ou analysis on how F is constucted based on H athe than the stuctue of H itself. 2.2 Attack model Conside a typical usage scenaio of a passwod-based KDF in which two uses Alice and Bob shae a passwod p. To encypt a message, Alice sets s, c and deives a key y = F (p, s, c). She then uses y to encypt and obtain the ciphetext z. Alice sends (z,s,c) in the clea to Bob. Bob deives the key y by computing y = F (p, s, c) and uses y to decypt z. Fom the attacke s point of view, the salt s and the count c ae both known. The attacke usually does not have contol of s o c, but in cetain scenaios they can be chosen. The deived key y may be hidden fom the attacke, but it can become known fo vaious easons (e.g., it was leaked out due to system secuity holes), in which case the attacke obtains a tuple (y, s, c) coesponding to some unknown passwod p. In ou attack model, we assume that s and c can be eithe known o chosen, and the deived key y is always known. An attacke A to a passwod-based KDF is a polynomial-time algoithm that may use the following two types of oacle queies: H quey: Quey the undelying function H on input x and obtain H(x). That is, A has access to oacle H(.). F quey: Fo an unknown passwod p, quey the key deivation function F on input (s, c) and obtain the deived key y = F p (s, c). That is, A has access to oacle F p (.,.) fo some unknown p. In pactice, the numbe of H queies can be quite lage, since it is detemined by the advesay s available computational esouce fo pefoming an offline key seach attack. In contast, the numbe of F queies is vey limited, since it is usually detemined by the secuity design and policy of the system, not the advesay.

6 2.3 Secuity definition We intoduce two secuity definitions weakly secue and stongly secue depending on attacke s capability. In the weak model, we assume that the attacke A can make only queies to H, while in the stong model, we assume that A can make both H and F queies. The goal of the attacke A is to distinguish the deived key y = F p (s, c) fop PW fom a andom sting of the same length 2. Definition 1. Weakly Secue KDF (Secue against known-paamete-attacks) Let y = F p (s, c) be a passwod-based KDF. Let b {0, 1}. We conside the following expeiment depending on b: Expeiment E b p 0 PW // passwod is geneated at andom H R n // H is geneated at andom s 0 S, c 0 C // salt and count ae fixed and known If b =0,theny 0 F p0 (s 0,c 0 ),elsey 0 {0, 1} n i 0 epeat i i +1 A chooses x i and is given H(x i ) until A eaches the maximum numbe of queies A outputs eithe 0 o 1 The success pobability of A is defined as Adv A (t) =P E1 [A =1] P E0 [A =1]. whee t denote the maximum numbe of queies to H. The maximum success pobability achievable by any advesay A is denoted by Adv(t). Definition 2. Stongly Secue KDF (Secue against chosen-paamete-attacks) Let y = F p (s, c) be a passwod-based KDF. Let b {0, 1}. We conside the following expeiment depending on b: 2 If W is a set, than w W denotes selecting w unifomly at andom fom W.

7 Expeiment E b p 0 PW // passwod is geneated at andom H R n // H is geneated at andom s 0 S, c 0 C // salt and count ae fixed and known If b =0,theny 0 F p0 (s 0,c 0 ),elsey 0 {0, 1} n i 0 epeat i i +1 A fist decides which type of queies If H quey, A chooses x i and is given H(x i ) If F quey, A chooses (s i,c i ) (s 0,c 0 ) and is given y i = F p0 (s i,c i ) until A eaches the maximum numbe of queies A outputs eithe 0 o 1 The success pobability of A is defined as Adv A (t, m) =P E1 [A =1] P E0 [A =1], whee t and m denote the maximum numbe of H and F queies, espectively. The maximum success pobability achievable by any advesay A in is denoted by Adv(t, m). 3 Passwod-based KDFs in pactice Passwod-based key deivation functions ae commonly used in pactice. They ae also specified in industy standads such as PKCS#5, PKCS#12, IETF, and openpgp. Hee we descibe the KDFs in PKCS#5, which is consideed as the de facto standad fo passwod-based cyptogaphy. KDFs in othe standads mostly follow simila designs. Two passwod-based KDFs ae specified in PKCS#5 v2.0 [13]: PBKDF1 and PBKDF2. Some ecommendations ae given egading the use of salt and iteation count. Fo example, S should be at least 64 bits, and c should be at least The undelying function in PBKDF1 is a hash function H() such as MD2, MD5, o SHA1. The deived key is defined as y = H (c) (p s). Most othe standads o implementations use this constuction. PBKDF2 was intended to povide moe secuity. The undelying function in PBKDF2 is a keyed hash function H k (), such as HMAC [1]. The passwod p is used as the key k in each invocation of H k (). The deived key is defined as y = U 1 U 2... U c, whee U i = H p (i) (s) foi =1,.., c. The exclusive-os adds an exta laye of potection, but at the coe of the constuction is still the iteative application of H p.

8 4 Effects of iteation count In this section, we focus ou analysis on iteation count and quantify its effect on the secuity of KDF. A KDF function with an iteative stuctue is of the fom y = H (c) (p, s) =H (c) (p s). We will show that this constuction is secue as long as the advesay only has access to H and its computational esouce is significantly less than c PW, which is fomally stated in the following theoem. Theoem 1. In the weakly secue model fo KDF, if the advesay makes at most thqueies, then the maximum success pobability Adv(t) satisfies t/c 0 PW <Adv(t) < t/c 0 PW + t2 2 n. Befoe going into the poof details, we fist ty to undestand the esult by consideing a pactical scenaio. Let PW =2 40,n= 128,c=2 16,t=2 44. Setting c =2 16 adds little ovehead at the use end fo deiving a single key 3, but the wokload of a staightfowad dictionay attack inceases to c PW =2 56 fom 2 40 (when c = 1). With t =2 44 queies to H, the attacke can cetainly t/c coectly compute a faction of PW =2 12 of the deived keys. Ou esult shows that this is indeed the best the attacke can do, since the pobability fo coectly computing moe than 2 12 of the deived keys is at most t2 2 =2 40. Effectively, n the iteation count stetches a 40-bit passwod into a 40 + log 2 c = 56-bit key. 4.1 Gaph epesentation of H Fo the pupose of the poof, we set up a gaph to epesent a andom function H and the advesay s quey pocess fo H. This gaph-based appoach allows us to visualize the advesay s knowledge gained in the quey pocess, and makes the poof moe intuitive. Let G H be a diected gaph on the vetex set {0, 1} n ; a diected edge (x, y) exists in G H if and only if H(x) =y. Hence evey vetex has out-degee 1 and G H contains 2 n edges. The advesay, by pobing a sequence of t edge H(x) =?, discoves a subgaph Q H of G H which is efeed to as the quey gaph. Since the same quey gaph Q H can aise fom diffeent functions H, it is sometimes convenient to wite Q without efeing to a specific H. 3 On a Pentium 4 unning at 2.1GHz, 2 16 SHA-1 opeations take less than 0.02 second accoding to the benchmaks fo Wei Dai s CRYPTO++ Libay.

9 4.2 Analysis of pobabilities We stat by defining two games R (fo andom ) and K (fo KDF) which coespond to the two expeiments E 1 and E 0, espectively. Fo each game, we specify how to simulate the oacle H upon advesay s queies. In the game specification, thee ae some exta computing steps they ae hidden to A and hence do not affect the behavio of A, but they will help ou analysis. We note that the two games ae vey simila, and the only diffeence is in Step 4 which is shown by the undeline. Two flags bad 1 and bad 2 ae set when cetain bad event occus. The set Y contains all distinct values of H(x) fo which x has been queied 4. Initially, H(.) is undefined. Choose p 0 Set i 0,u 0 p 0 s 0,Y {u 0,y 0}. On oacle quey H(x): PW and y 0 1. Choose y {0, 1} n. 2. If y Y,setY Y {y}. Else if y Y,setbad If x = u i and i<c 0,seti i +1andu i y. Else if x = u i and i = c 0,setbad Define H(x) =y and etun y. {0, 1} n. Fig. 1. Game R Initially, H(.) is undefined. Choose p 0 Set i 0,u 0 p 0 s 0,Y {u 0,y 0}. On oacle quey H(x): PW and y 0 1. Choose y {0, 1} n. 2. If y Y,setY Y {y}. Else if y Y,setbad If x = u i and i<c 0,seti = i +1andu i y. Else if x = u i and i = c 0,sety y 0.Setbad Define H(x) =y and etun y. {0, 1} n. Fig. 2. Game K 4 We also include u 0 = p 0 s 0 in Y is fo detecting the event that u 0 is not the fist vetex of a path. It is not necessay to do so, but makes late analysis easie.

10 In Game R, the answes seen by the advesay A ae exactly the same as in E 1. The diffeence is that the game contains two exta steps Step 2 fo detecting collisions and Step 3 fo detecting whethe H (c0) (p 0 s 0 ) has been computed. So the success pobabilities of A in game R and expeiment E 1 ae the same, which is stated in the following lemma. Lemma 1. P R [A =1]=P E1 [A =1]. In Game K, the answes seen by the advesay A ae almost the same as in expeiment E 0 with possible exception on queies H(u i ). We will show in the next lemma that this appaent diffeence will not affect A s success pobability. Lemma 2. P K [A =1]=P E0 [A =1]. Poof: In expeiment E 0, H is chosen andomly at the beginning and y 0 is then set to be y 0 = H (c0) (u 0 ). Theefoe, fo i =0, 1,...c 0 1, each value H(u i )is chosen at andom befoe the expeiment stats. In Game K, foi =0, 1,...c 0 2, each value H(u i ) is chosen at andom as the game poceeds. Only the last value H(u c0 1) is chosen at andom (to be y 0 ) befoe the game stats. Since all these values ae chosen at andom and they ae all independent of each othe, thee is no diffeence fom the advesay s point of view. Hence the success pobability of A is the same. QED Using the above lemmas, we have Adv A (t) =P R [A =1] P K [A =1].So we now conside the elation between Game R and Game K. LetBAD 1 be the event that flag bad 1 gets set, and similaly fo BAD2. Let BAD = BAD 1 BAD 2. It is easy to see that the answes seen by A ae exactly the same if neithe bad event occus. Futhemoe, each bad event occus with the same pobability in the two games. Lemma 3. (1) P R [A =1 BAD] =P K [A =1 BAD]. (2) P R [BAD] =P K [BAD]. Following a standad pobability agument (such as that in [11]), we have Adv A (t) <P R [BAD]. So we only need to deive an uppe bound on P R [BAD] fo poving the theoem. Poof of Theoem 1. Fo simplicity, we omit the R in the subscipt. P[BAD] =P[BAD 1 BAD 2 ] = P[BAD 1 ]+P[BAD 2 BAD 1 ] P[BAD 1 ] P[BAD 1 ]+P[BAD 2 BAD 1 ]. It is easy to see that P[BAD 1 ] < (t 2 /2+2t)/2 n, since the pobability of a collision within t queiesisatmost(t 2 /2)/2 n, and the pobability that any of the t values of H collide with u 0 o y 0 is at most 2t/2 n. Assuming t 4, we have P[BAD 1 ] <t 2 /2 n. We next bound the second tem P[BAD 2 BAD 1 ]. If the event BAD 1 doesn t occu, then the quey gaph consists of a set of disjoint paths on which u 0 can

11 only appea as the fist vetex. Note that BAD 2 is the event that thee is a path of length at least c 0 stating fom vetex u 0.Witht edges, thee ae at most t/c 0 such paths. Fo each path, with pobability at most 1/ PW, the fist vetex is u 0 = p 0 s 0. Hence P[BAD 2 BAD 1 ] < t/c0 PW. Combining the two uppe bounds, we obtain that Adv(t) <P[BAD] 2t2 2 n + t/c0 PW. The lowe bound can be achieved easily by computing full paths of length c 0 fo t/c 0 passwods in PW. QED 4.3 Discussions on c-th iteate of a andom function It may be helpful to eview some mathematical backgound on the c-th iteate of a andom function. Although andom functions have been studied extensively in the liteatue, the c-th iteate function H (c) has eceived elatively little attention. Fo example, it is well known that the image of a andom function has size (1 e 1 )2 n. What about the image of H (c)? At what ate does the image size decease with c? In a 1990 pape by Flajolet and Odlyzko [7] they povided answes to these questions by deiving the following ecuence. Image size of H (c) The image size of H (c) is (1 τ c )2 n,wheeτ c satisfies the ecuence τ 0 =0,τ c+1 = e 1+τc. Futhemoe, asymptotically 1 τ c =2/c. In othe wods, the image size of H (c) deceases aithmetically with c (not geometically as one might guess at fist). This illustates that H (c) is significantly diffeent fom a andom function as c gets lage, and its analysis is a nontivial matte. It is also inteesting to note that, although the image size of H (c) goes down by a facto of 2/c compaed with that of H, yet Theoem 1 shows that the attacke s wokload must incease by a facto of c. Theoem 1 poves tight bounds fo the passwod space. When t<c,the lowe bound on Adv(t) in the theoem becomes zeo. Below, we deive a nontivial lowe bound by descibing a stategy of the attacke. Let d(x) denote the numbe of divisos of x, and define d[x 1,x 2 ]=maxd(x),x 1 x x 2. Lemma 4. With t<cqueies, the attacke can achieve Adv A (t) > t 2 2 ) d[c,c t] n+1 2. n t2 2 +(1 n+1 Poof. The attacke simply computes u, H(u),H (2) (u),... iteatively and hopes that the sequence becomes peiodic, i.e., a epeated value occus befoe H (t) (u) sothath (c) (u) is detemined. The pobability fo this to happen is t(t +1)/2 n+1. In the case the chain (u, H(u),...,H (t) (u)) is not peiodic, the advesay will select a vetex on the path v = H (δ) (u) wheeδ is chosen to maximize the numbe of divisos d(c δ) fo0 δ t. The pobability of success in this case is at least d[c, c t]/2 n as stated. QED We note that, somewhat supisingly, the lowe bound gets bette with lage c, as the attacke may find a numbe c δ in the ange [c t, c] with a lage

12 numbe of divisos so that it is moe likely to have H (c) (u) =H (δ) (u) though peiodicity. In ou modelling of the passwod space, we assumed that all passwods ae of the same length l and ae chosen by uses with equal pobability. It is not difficult to extend ou analysis to obtain simila secuity bounds when these assumptions ae emoved. Fo example, let a set of passwods of abitay length be added to PW. Afte one iteation of H these points ae distibuted andomly in the domain {0, 1} n, and additional iteations (adjusting c to be c 1) would behave just as analyzed befoe. Similaly, even if the passwods have diffeent pobabilities oiginally, afte one iteation this will have no effect on the collision pobabilities which depend only on the fact pob[h(x) =y] = 1 2 in the domain n {0, 1} n. 5 Secuity analysis of KDFs in PKCS#5 In the peceding section, we analyzed the basic iteative constuction H (c).the analysis implies that the two KDFs in PKCS#5 ae weakly secue as long as the advesay s computational esouce is fa less than c PW, even though it can be much lage than PW. In what follows, we analyze the secuity of the two KDFs unde the stongly secue model that is, the advesay is allowed a few queies to F. We show that neithe KDF is secue unde this model and we also exploe how such secuity weakness can be exploited to launch attacks in pactical settings. 5.1 PBKDF1 The attack on PBKDF1 is based on an obvious elation between keys deived using the same salt. Fo any salt s and two iteation counts c 0 <c 1,lety i = F (p, s, c i )=H (ci) (p s). Then, it is easy to see that y 1 = H (c1 c0) (y 0 ). This elation allows an attacke to distinguish y 0 fom a andom function with one F quey (s, c 1 )and(c 1 c 0 ) H queies. Note that if the key y 0 = H (c0) (p s) wee eve compomised fo some eason, then any key deived using the same salt s andaniteationcountlage than c 0 would all be compomised. This might happen in pactice if the use (o the secuity administato of the system) decides to incement the iteation count. Theefoe, it is a good pactice in geneal to use diffeent salt values in deiving diffeent keys. 5.2 PBKDF2 The deived keys in PBKDF2 also suffe fom non-andomness, although the elations among keys ae slightly moe complicated. Let s be any salt value and let c 1,c 2,c 3 be thee consecutive iteation counts. Fo i =1, 2, 3, define y i = F (p, s, c i )=U 1... U ci. Then, we have y 1 y 2 = U c2 and y 2 y 3 = U c3.

13 This yields the following elation among the thee keys: (y 2 y 3 )=H p (y 1 y 2 ), whee H p () is the undelying function HMAC. This elationship among keys opens the doo to dictionay attacks. The attacke simply computes the HMAC function H p (U c2 ) fo all possible passwods p, and the passwod that gives H p (U c2 )=U c3 is vey likely to be the coect passwod used in the scheme. Once p is known, it is easy to distinguish the deived key fom a andom sting. We emak that the wokload of the above attack is PW, nomattewhatc is. This implies the iteation count does not add much (o any) potection in PBKDF2 against dictionay attacks. 6 Effects of Salt A salt seves the pupose of ceating a lage set of possible long keys coespondingtoapasswodp. If the salt is s bits long, then the numbe of possible long keys can be as lage as 2 s. Each time the KDF is executed with a salt, eithe selected by the use o geneated at andom, one of the 2 s long keys is selected. One natual question is the following: Suppose that an advesay has computed the long keys coespond to all the passwods p PW fo a salt s 1.That is, the advesay has a table of size PW in which each enty contains the value (p, H (c) (p s 1 )) fo some p PW. Does this table povide the advesay some shotcuts to deive long keys using a diffeent salt s 2 s 1? The answe is cetainly No, which is well-known in pactice. Using the gaph-based appoach, we can show that the set of paths coesponding to s 1 and the set of paths coesponding to s 2 ae all disjoint with high pobability, and hence the table fo s 1 povides essentially no infomation fo deived keys using s 2. The detailed analysis is simila to that fo Theoem 1 and thus omitted hee. 7 New poposal fo stongly secue KDF In this section, we pesent a new poposal fo stongly secue KDF based on ou study on the effects of iteation counts and salt, as well as the analysis on existing KDFs. We fist note that the gaph-based analysis povides insights on the exact way that each paamete contibutes to the oveall secuity: The computation pocess fo deiving a key coesponds to a path in the quey gaph. So choosing a lage iteation count foces the attacke to tavese a longe path fo deiving each key, while choosing a diffeent salt value foces the attacke to tavese a diffeent path in the computation. It is also easy to see why the KDFs in PKCS#5 ae not stongly secue using the quey gaph. Fo example, in the case on PBKDF1, the F queies (s, c 0 )and(s, c 1 ) coespond to two paths that ovelap. This exta infomation allows the attacke to distinguish the deived key fom a andom sting. Based on the above discussion, we can see that a stongly secue KDF should be constucted in a way that the values of y = F (p, s, c), fo diffeent p, s and

14 c, ae nealy independent of each othe. Cetainly, thee ae vaious ways of achieving this goal. Hee we popose a simple constuction that maintains the same efficiency as the KDFs in PKCS#5. The idea is to include iteation count explicitly as an input to the hash function H. Moe specifically, the new KDF is y = F (p, s, c) =H (c) (p s c). In what follows, we pove that the above KDF is stongly secue secue even when the advesay can choose (s, c) andmakef queies. We assume that thee ae lowe and uppe limits to the c i acceptable in queies to F,thatis, c <c i <c. Indeed, without a lowe limit, the advesay can always set c =1 in the F quey and then pefom an offline key seach attack with complexity O( PW ). Theoem 2. In the stongly secue model fo KDF, if the advesay makes at most t queies to H and at most m queies to F, then the maximum success pobability Adv(t, m) satisfies max( (t c )/c,m) PW < t/c +2m PW + (t + m)2 2 n. <Adv(t, m) Poof. We povide a sketch of the poof hee, and the details ae given in the appendix. The uppe bound poof uses the same type of aguments as that of Theoem 1. Moe specifically, we define two games R and K which the advesay might play. Since thee ae now two types of queies to deal with, the simulato needs to maintain some exta infomation duing the couse of the gametomakesuethatitsanswestooaclequeiesf and H ae consistent. Then following a simila analysis, we only need to bound the pobability of some bad events to obtain the uppe bound in the theoem. Fo the lowe bound, we descibe two stategies. In stategy A, the advesay computes sepaate paths of length c using queies to H and makes only one F quey. In stategy B, the advesay constucts a single path of length t and picks m appopiate vetices to make m queies to F. The success pobability is the maximum of the two as stated in the theoem. QED 8 Conclusions Passwod-based key deivation functions ae necessay in many secuity applications. Despite thei impotance and wide-spead usage, igoous analysis of such functions seems to have eceived elatively little attention in the liteatue compaed with many othe cyptogaphic schemes. In this pape, we define a geneal secuity famewok fo passwod-based key deivation functions whee salt and iteation count ae included as paametes. Unde this famewok, we focus on the most commonly used constuction

15 H (c) (p s) and pove that the iteation count c, when fixed, does have an effect of stetching the passwod by log 2 c bits. Ou analysis is done using a andom functional gaph epesenting H, conditioned upon a quey gaph epesenting infomation evealed to the attacke. It povides insights on the exact way that each paamete contibutes to the oveall secuity. We then analyze two widely deployed KDFs defined in PKCS#5. We show that both ae secue the advesay cannot influence the paametes, but ae subject to attacks othewise. We also conside how such secuity weaknesses can be exploited in pactice. Finally, based on the insight gained fom ou ealie analysis, we popose a new passwod-based key deivation that is povably secue even when the attacke has full contol of the salt and iteation count. The new poposal achieves stonge secuity while peseving the same efficiency as existing KDFs. We expect that the new poposal will find its application in pactical implementations. Acknowledgements We would like to thank the anonymous efeees fo many helpful comments. Refeences 1. M. Bellae, R. Canetti and H. Kawczyk. Keyed Hash Functions fo Message Authentication. In Advances in Cyptology Cypto 96, Spinge-Velag, Cypto M. Bellae and P. Rogaway. Random Oacles ae pactical: A Paadigm Fo Designing Efficient Potocols. In Fist ACM Confeence on Compute and Communications Secuity, S. Bellovin and M. Meitt. Encypted Key Exchange: Passwod-Based Potocols Secue Against Dictionay Attacks. In Poceedings of the IEEE Symposium on Reseach in Secuity and Pivacy, T. Dieks and C. Allen. The TLS Potocol Vesion 1.0. IETF RFC 2246, Intenet Request fo Comments, Januay A. Hevia, A. Desai, and Y. L. Yin. A Pactical-Oiented Teatment of Pseudoandom Numbe Geneatos. In Advances in Cyptology Euocypt 02, Spinge- Velag, FIPS PUB Digital Signatue Standad. National Institute of Standads and Technologies, P. Flajolet and A. M. Odlyzko. Random mapping statistics. In Advances in Cyptology - EUROCRYPT 89, Spinge-Velag, IEEE Std : Standad Specifications fo Public-Key Cyptogaphy. IEEE Compute Society, IEEE P1363.2: Standad Specifications fo Passwod-Based Public-Key Cyptogaphic Techniques. Daft D15. May J. Kelsey, B. Schneie, C. Hall, and D. Wagne. Secue Applications of Low-Entopy Keys.In Poceedings of the Fist Intenational Wokshop ISW 97, Spinge-Velag, 1998.

16 11. J. Killian and P. Rogaway. How To Potect DES Against Exhaustive Key Seach Attacks. In Advances in Cyptology - CRYPTO 96, Spinge-Velag, A. M. Odlyzko, pivate communication RSA Laboatoies PKCS#5 v2.0: Passwod-Based Cyptogaphy Standad D. Wagne and I. Goldbeg. Poofs of Secuity Fo The UNIX Passwod Hashing Algoithm. In Advances in Cyptology - Asiacypt 00, Spinge-Velag, Poof of Theoem 2 Uppe bound The uppe bound poof uses the same type of aguments as that of Theoem 1. We stat by specifying two games R and K (see Figues 3 and 4). Since thee ae now both H and F queies to deal with, the simulato needs to maintain some necessay infomation duing the couse of the game to make sue that its answes to both types of oacle queies ae consistent. Befoe diving into the detailed desciptions of the two games, it is instuctional to compae at a high level how oacle quey H is handled in Game K and Game K. The main diffeence is the additional Step 4 (maked as new) in Game K, which is fo updating the necessay infomation maintained by the simulato. In both games, the simulato keeps tack of all the F queies as well as the H queies stating at p 0 s c. Moe pecisely, it maintains a set L = {(s k,c k,y k,u k,i k )} whee each item in L is a 5-tuple such that eithe the quey (s k,c k ) has been made to F o the quey x = p 0 s k c k has been made to H. The othe thee enties ae defined as follows: If the quey to F has been made, then y k = H (c k) (x) Othewise,y k = meaning it is still undefined. If the quey to H has been made, then i k is the numbe of consecutive queies to H made thus fa stating at x, andu k is the last answe. as shown in Theoem 1, except that c 0 is eplaced with its lowe limit c. Next, we conside the effect of F queies. We obseve that (unlike in the poof of Theoem 1) x j = p 0 s j c j doesn t have to be the fist vetex of a path, since the advesay is allowed to choose (s k,c k ) and make a quey to F, and this povides the advesay moe chances of success. To quantify this advantage, we conside the numbe of vetices of the fom {p s i c i, 1 i m}, denoted by m. The success It also maintains the set of all stating points in L, thatis,asetx = {x k } whee x k = p 0 s k c k. Following simila analysis as that of Theoem 1, we have that Adv A (t, m) < P[BAD] P[BAD 1 ]+P[BAD 2 BAD 1 ] P[BAD 1 ]. So we only need to deive an uppe bound on the pobability of each bad event. Analyzing the fist tem is staightfowad. Since thee ae t + m queies in total, P[BAD 1 ] < (t + m) 2 /2 n. Analyzing the second tem P[BAD 2 BAD 1 ] is somewhat moe complex. Fist, let Q 1 be the quey gaph coesponding to the thqueies. If the attacke uses only Q 1, its success pobability is bounded by t/c PW

17 Initially, H(.) andf p0 (.,.) ae both undefined. Choose p 0 PW and y 0 {0, 1} n. Set i 0 0,x 0 p 0 s 0 c 0,Y {y 0}. Set X {x 0},L {(s 0,c 0,y 0,u 0,i 0)}. Set j 0. On oacle quey H(x): 1. Choose y {0, 1} n. 2. If y Y,setY Y {y}. Else if y Y,setbad If x = x k X and i k <c k,seti k i k +1andu k y. Else if x = x k X and i k = c k,sety y k.setbad (newstepcompaedwithgamek) If x X and x = p 0 s c, thenx X x and add a new item in L: j j +1,s j s, c j c, y j,u j x, i j 1 5. Define H(x) =y and etun y. On oacle quey F p 0 (s, c): 1. Choose y {0, 1} n. 2. If y Y,setY Y {y}. Else if y Y,setbad Let x = p 0 s c. If x = x k X and i k <c k,sety k y. Else if x = x k X and i k = c k,sety y k.setbad If x X, thenx = X x and add a new item in L: j j +1,s j s, c j c, y j y, u j x, i j 0 5. Define F p 0 (s, c) =y and etun y. Fig. 3. Game K Game R isthesameasgamek, except that the execution of the undelined step (y y k ) is emoved. Fig. 4. Game R

18 pobability using F queies is bounded by m / PW. Notethatm = m + q whee q is the expected numbe of collisions in s c among all the vetices p s c in Q 1. Since the expected value of q is t PW /2 n << 1, it can be shown that the pobability that m = m + q m + m =2m is negligible. Combining all the pobabilities, we pove that Adv(t, m) is bounded by t/c +2m PW + (t+m)2 ) 2 ) as stated. n Lowe bound Fo the lowe bound, we descibe two stategies fom which the advesay can pick the one yielding bette success pobability depending on the paametes. In stategy A, the advesay computes sepaate paths of length c fo (t c )/c passwods p i s c using t c queies to H. HethenmakesaF quey asking fo y = Fp (s, c ). With pobability (t c )/c / PW, vetexy coincides with the endpoint of one of the paths, thus evealing the passwod p 0.Insuchanevent the advesay then makes c 0 moe H queies to compute y 0 = H(c0) (p 0 s 0 c 0 ) and answes 1 if y 0 = y 0. All togethe the advesay used at most t queies to H and one F queies to achieve success pobability of (t c )/c / PW. In stategy B, the advesay constucts Q 1 to be a single path of length t stating fom an abitay p s c. With pobability 1 O(t 2 /2 n ), the path will be cycle-fee. Its fist t c vetices p i s i c i have thei full paths T pi s i c i completely contained in Q 1. Assuming m to be much smalle than t c, the advesay can pick m vetices p i s i c i along the path with distinct p i and make at most m queies to F with the coesponding (s i,c i ) s. With pobability m/ PW, itcan identify the passwod. This completes the poof of Theoem 2. QED

Design and Analysis of Password-Based Key Derivation Functions

Design and Analysis of Password-Based Key Derivation Functions Design and Analysis of Passwod-Based Key Deivation Functions 245 Fances F. Yao 1 and Yiqun Lisa Yin 2 1 Depatment of Compute Science, City Univesity of Hong Kong, Kowloon, Hong Kong csfyao@cityu.edu.hk