1

Note: I am relatively new to cryptography in general, so please point out if I have any misconceptions here.

I heard that you should always use well-known crypto/hash functions that have already been extensively tested and studied, and I agree with that. I also read that using scrypt can be risky because it is still in its early years, but it seems to solve problems like attacks using FPGAs or GPUs.

"My" great idea was to use two hashes! One extensively tested like PBKDF2 and scrypt after it! So I would be in theory protected by scrypt and if any bugs/exploits/problems with it are found, I still have the well-known protection provided by PBKDF2!

Are there any flaws in this idea?

No, it is not a duplicate of this question: This question “Double hashing” with 2 different hash functions says that I would not benefit by using two hashes, but it is regarding sha256 and sha512, so I am not certain if this also applies to PBKDF2 and scrypt.

On the other hand, this post here Are different hash algorithms ever used together? says that if used as Composition it would offer "preimage resistance is at least as good as the strongest of the two functions, but for collisions the weakest function defines the overall resistance". As far as I know, collisions would not be the issue here...

You can assume that I just want to hash and store passwords.

Xaphanius
  • 1
    possible duplicate of [“Double hashing” with 2 different hash functions](http://security.stackexchange.com/questions/11679/double-hashing-with-2-different-hash-functions) – Xander Aug 11 '15 at 20:30
  • 5
    Quoting the OP: "This question “Double hashing” with 2 different hash functions says that I would not benefit by using two hashes, but it is regarding sha256 and sha512, so I am not certain if this also applies to PBKDF2 and scrypt." – Xaphanius Aug 11 '15 at 20:31
  • The short answer is that *theoretically*, this is no weaker than the strongest of the two hashes. The caveats are that in reality, a particularly bad implementation of the inner KDF could leak enough information to an attacker through side channels to break the construction, although this is unlikely in practice. Additionally, every line of crypto glue you write is an opportunity to introduce a security flaw. That said, I personally would simply either pick one of bcrypt or scrypt and move on to solving more pressing problems — the gain of using both is overwhelmingly likely to be zero. – Stephen Touset Aug 13 '15 at 01:01
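
The composition the question asks about, scrypt applied to the output of PBKDF2, written out with Python's standard library as an added example that is not part of the original post or its comments. The record format, the `pbkdf2-scrypt` label, the function names and the cost parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

SCHEME = "pbkdf2-scrypt"        # hypothetical label for this record format
MAXMEM = 64 * 1024 * 1024       # allow OpenSSL's scrypt up to 64 MiB

def chained_kdf(password, salt, iters, n, r, p):
    """Outer scrypt over inner PBKDF2-HMAC-SHA256, both using the same salt."""
    inner = hashlib.pbkdf2_hmac("sha256", password, salt, iters, dklen=32)
    return hashlib.scrypt(inner, salt=salt, n=n, r=r, p=p,
                          maxmem=MAXMEM, dklen=32)

def hash_password(password, iters=100_000, n=2**14, r=8, p=1):
    """Return a self-describing record. Every cost parameter of both
    stages is stored so it can be raised later without breaking old records."""
    salt = os.urandom(16)
    digest = chained_kdf(password.encode("utf-8"), salt, iters, n, r, p)
    return "$".join([SCHEME, str(iters), str(n), str(r), str(p),
                     salt.hex(), digest.hex()])

def verify_password(password, record):
    """Recompute with the stored parameters and compare in constant time."""
    try:
        scheme, iters, n, r, p, salt_hex, digest_hex = record.split("$")
        if scheme != SCHEME:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        actual = chained_kdf(password.encode("utf-8"), salt,
                             int(iters), int(n), int(r), int(p))
    except (ValueError, OverflowError):
        return False            # malformed record or parameters: fail closed
    return hmac.compare_digest(actual, expected)
```

Every login pays for both stages, and the stored record has to carry the parameters of both, which is the extra glue code the comment above refers to.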

2 Answers

3

You should really stay away from rolling your own crypto implementation. Why not use bcrypt for password storage? It's been tested extensively for that and works quite well.

Some advantages it has are:

  • Resistance to brute-force
  • Resistance to rainbow tables
  • Salt generation
  • Scalable speeds via setting the rounds of hashing
  • Built upon the Blowfish algorithm

  • Well, I think that just applying two hashes isn't really considered my own crypto implementation, but it is possible to argue about it. As stated in this question http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords/31846#31846, it is possible to make use of FPGAs to run many bcrypt implementations in parallel. And it is something that I would be avoiding using the double hash I proposed. – Xaphanius Aug 11 '15 at 20:39
  • The problem is you would be avoiding it only until scrypt gets marked as bad (some serious weakness is found by excessive testing) or in the other case you end up using bcrypt for no reason (only wasting system resource and hurting your performance) as scrypt provides the security you need. – bayo Aug 11 '15 at 20:56
  • Generally true, but with bcrypt you need to watch out for some things like null bytes and the length of the password, where it may sometimes be a viable way to use a SHA256 or something on that line before using bcrypt to overcome the smaller problems of bcrypt. – My1 Sep 14 '17 at 09:54
-2

PBKDF2 is not a hashing algorithm per se. It is a key derivation function (KDF) which "hardens" the hashing algorithm you've chosen. Scrypt is also a KDF, so it does not provide any additional protection to use two similar functions. As you wrote, the strength will be as good as the strongest of the chosen two.

And, as Revulai said in her good answer, you shouldn't play cryptographer; leave it to those who are experts in that matter. We should just follow the current best practices.

boleslaw.smialy
  • A key derivation function does not harden a hashing algorithm. It is more like a way to convert a password into a cryptographic key. For example, you'll note the Wikipedia article you linked says that HMAC-SHA1 is used for WPA2 -- in other words, the hash function is SHA1 in that case. PBKDF2 generalizes a bit -- it lets you plug in different hash functions. However, it adds some stuff to the hash specific to passwords (which can be considered *hardening*). – Rens van der Heijden Aug 12 '15 at 07:19
  • That's why I put it in quotes ... – boleslaw.smialy Aug 12 '15 at 07:55
  • 1
    @RensvanderHeijden Also, a KDF can be used to derive purpose-specific subkeys from a single master key (for instance, HKDF). – Stephen Touset Aug 13 '15 at 00:55