→Password hashing: password verification by hash comparison https://en.m.wikipedia.org/w/index.php?title=Cryptographic_hash_bgfhfunction&action=edit&redlink=1 Tags: Reverted Mobile edit Mobile web edit
(4 intermediate revisions by 3 users not shown)
Line 7:
==History==
The first{{citation needed|date=June 2015}} deliberately slow (key stretching) password-based key derivation function was called "[[crypt (C)|crypt]]" (or "crypt(3)" after its [[manual page (Unix)|man page]]), and was invented by [[Robert Morris (cryptographer)|Robert Morris]] in 1978. It would encrypt a constant (zero), using the first 8 characters of the user's password as the key, by performing 25 iterations of a modified [[Data Encryption Standard|DES]] encryption algorithm (in which a 12-bit number read from the real-time computer clock is used to perturb the calculations). The resulting 64-bit number is encoded as 11 printable characters and then stored in the [[Unix]] password file.<ref>{{cite web | url=http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps | archive-url=https://web.archive.org/web/20030322053727/http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps | url-status=dead | archive-date=2003-03-22 | title=Password Security: A Case History. | work=Bell Laboratories | author1=Morris, Robert | author2=Thompson, Ken | date=1978-04-03 | access-date=2011-05-09 }}</ref> While it was a great advance at the time, increases in processor speeds since the [[PDP-11]] era have made [[Brute-force attack|brute-force attacks]] against crypt [[Feasible computability|feasible]], and advances in storage have rendered the 12-bit [[Salt (cryptography)|salt]] inadequate. The crypt function's design also limits the user password to 8 characters, which limits the keyspace and makes strong [[passphrase]]s impossible.{{citation needed|date=July 2013}}
Although high throughput is a desirable property in general-purpose hash functions, the opposite is true in password security applications in which defending against brute-force cracking is a primary concern. The growing use of [[Massively parallel|massively-parallel]] hardware such as [[Graphics processing unit|GPUs]], [[Field-programmable gate array|FPGAs]], and even [[Application-specific integrated circuit|ASICs]] for brute-force cracking has made the selection of a suitable algorithms even more critical because the good algorithm should
In June 2017, The U.S. National Institute of Standards and Technology (NIST) issued a new revision of their digital authentication guidelines, NIST SP 800-63B-3,<ref name=sp800-63B />{{rp|5.1.1.2}} stating that: "Verifiers SHALL store memorized secrets [i.e. passwords] in a form that is resistant to offline attacks. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a cost factor as inputs then generate a password hash. Their purpose is to make each password guessing trial by an attacker who has obtained a password hash file expensive and therefore the cost of a guessing attack high or prohibitive."
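Review bot: In the paragraph beginning "Although high throughput is a desirable property", the phrase "a suitable algorithms" pairs a singular article with a plural noun, and the sentence as shown stops at "because the good algorithm should" with no predicate. Suggest "a suitable algorithm" and restoring the rest of the clause so the requirement on the algorithm is actually stated before the NIST quotation that follows.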
Line 37:
== Password hashing ==
Despite their original use for key derivation, KDFs are possibly better known for their use in '''password hashing''' ([[cryptographic hash
In 2013 a [[Password Hashing Competition]] was announced to choose a new, standard algorithm for password hashing. On 20 July 2015 the competition ended and [[Argon2]] was announced as the final winner. Four other algorithms received special recognition: Catena, [[Lyra2]], Makwa and [[yescrypt]].<ref>[https://password-hashing.net/ "Password Hashing Competition"]</ref>
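Review bot: The wikilink in the first sentence of this section breaks off at "([[cryptographic hash", leaving the link, the parenthesis and the sentence unclosed, and the edit summary points at the title "Cryptographic_hash_bgfhfunction" with redlink=1, so the link target looks mistyped. The target should be an existing article title (cryptographic hash function), with the piped label "password verification by hash comparison" from the summary, and the sentence should be completed before the Password Hashing Competition paragraph.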
Line 46:
# [[scrypt]] if Argon2id is unavailable
# [[bcrypt]] for legacy systems
# [[PBKDF2]] if [[FIPS-140]] compliance is required
== References ==