Which Crypto Hashing Method is a Gas … And is as Slow as You Want and breaks GPUs?

The Hashing Method Designed To Defeat GPUs

Introduction

Did you know that every eight-character lowercase password can be cracked by brute force in less than 10 seconds on a GPU device? And a nine-character lowercase password takes less than 10 minutes to crack? Adding a number to the end, or making the first letter uppercase, makes very little difference to the cracking challenge [here].

Here is me using an eight GPU instance in the Amazon Cloud (cost of $7/hr):

Thus we need to give up on our traditional ways of generating encryption keys or creating hashed versions of passwords, as our passwords are often guessable. For MD5 we can now get billions or even trillions of hashes per second, so even 9 or 10 character passwords can be cracked for a reasonable financial cost. This includes salted passwords, as the salt is stored with the hashed password, and the password can still be easily cracked with brute force (or dictionaries).

Argon2

The alternative is to use a hashing method which has a cost in memory as well as in CPU processing. We also want a method which makes it difficult to apply parallel threads (and thus to run it on GPUs). So step forward Argon2, which was designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich as a key derivation function. It was a winner of the Password Hashing Competition in July and is robust against GPU attacks.

As well as being resistant to GPU attacks, it has a memory cost. The tunable costs are execution time (CPU cost), memory required (memory cost), and degree of parallelism.

The parameters include:

  • Password (P): Defines the password bytes to be hashed.
  • Salt (S): Defines the bytes to be used for salting.
  • Parallelism (p): Defines the number of threads required for the parallelism.
  • TagLength (T): Defines the number of bytes to return for the hash.
  • MemorySizeKB (m): Amount of memory (in KB) to use.

A sample run is [here]:

Message:	abc
Hash: $argon2i$v=19$m=8,t=1,p=1$x/3yHil0MIE$RDL1Jw
Verified: True
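
The encoded hash in the sample run carries its own cost parameters, so a stored hash can be checked against a minimum policy before it is trusted. The following Python is an added example, not code from the original article: it parses the encoded string and reports weak settings. The `POLICY` thresholds and the function names are assumptions chosen for illustration.

```python
import base64

# Example policy floor (an assumption for this illustration, not from the
# article): tune these to your own benchmark of acceptable login time.
POLICY = {"m": 19456, "t": 2, "salt_len": 16, "tag_len": 32}


def b64_nopad(text):
    """Decode the unpadded base64 used inside Argon2 encoded hashes."""
    return base64.b64decode(text + "=" * (-len(text) % 4))


def parse_argon2(encoded):
    """Split $argon2X$v=N$m=..,t=..,p=..$salt$tag into its fields."""
    parts = encoded.split("$")
    if len(parts) != 6 or parts[0] != "" or not parts[1].startswith("argon2"):
        raise ValueError("not an Argon2 encoded hash")
    if not parts[2].startswith("v="):
        raise ValueError("missing version field")
    costs = dict(item.split("=", 1) for item in parts[3].split(","))
    if set(costs) != {"m", "t", "p"}:
        raise ValueError("expected exactly m, t and p")
    return {
        "variant": parts[1],
        "version": int(parts[2][2:]),
        "m": int(costs["m"]),   # memory cost in KB
        "t": int(costs["t"]),   # time cost (passes over memory)
        "p": int(costs["p"]),   # parallelism (lanes)
        "salt_len": len(b64_nopad(parts[4])),
        "tag_len": len(b64_nopad(parts[5])),
    }


def audit(encoded, policy=POLICY):
    """Return a list of findings; an empty list means the policy is met."""
    h = parse_argon2(encoded)
    findings = [f"{k}={h[k]} is below the policy floor of {v}"
                for k, v in policy.items() if h[k] < v]
    if h["m"] < 8 * h["p"]:
        findings.append("m is below 8*p, which Argon2 does not allow")
    return findings


if __name__ == "__main__":
    sample = "$argon2i$v=19$m=8,t=1,p=1$x/3yHil0MIE$RDL1Jw"  # from the sample run
    print(parse_argon2(sample))
    for finding in audit(sample):
        print("WEAK:", finding)
```

Run against the sample hash, every cost field is flagged: the demonstration values (m=8, t=1, an 8-byte salt and a 4-byte tag) show the format but are far too small for stored passwords.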

A sample benchmark using n (for time cost), p (for parallelism) is:

We can see that for an n value of 128 (CPU cost), the time to compute a hash value is 0.105 seconds (which would give a hashing rate of just 10 hashes per second), but for n=8,192 it is 5.78 seconds (which is probably too long for a user login). We must thus select a cost value which gives a reasonable time to compute, but is also robust against attacks. The memory cost (m) is defined as log₂(m), where, in this case, m is 2⁸ bytes [full test].

An outline of the Python code is:

Conclusion

If your adversary has a whole set of GPUs, be worried. A standard NVIDIA card costs less than $1K, and you can even rent a machine with eight of them in the EC2 cloud for just $7/hr.

While Argon2 has not been fully evaluated, it does seem to be a good contender, alongside BCrypt, PBKDF2 and Scrypt (“ess-crypt”).