Questions tagged [key-stretching]

Key-stretching adds additional security to potentially weak keys by requiring an expensive computation to transform the initial key into a derived key.

Key-stretching is a term used to describe several methods of increasing the security of a system that is dependent on a key of low entropy. These systems are vulnerable to a brute-force attack, where an attacker simply tries every possible key value until the correct key is found. If the number of possible inputs is relatively small, such an attack can be executed relatively quickly. Older encryption algorithms with smaller key sizes, and systems based on a user-specified password as the source of entropy, are examples of systems that benefit from key-stretching.

Note that lengthening a key, by taking an input representing a small number of bits of entropy, and passing it through a hash function that produces a digest representing significantly more bits of entropy, does not increase security; because the number of inputs is still limited, the number of possible hash digests is also limited, and most hash functions designed for general cryptographic use (such as verifying digital certificates) are designed to execute quickly, and so the requirement to generate the hash is no real impediment to an attacker.

The primary technique under this umbrella is to increase the length of the key itself, by taking the initial key and performing a computationally expensive transformation on it to produce a larger key that can be used in a secure encryption algorithm. This increased amount of time required to perform the operation on one possible key is relatively small when employed by a legitimate user with the correct input key, but for an attacker attempting to brute force that input key the added time required for each attempt makes the approach unfeasible.

This strategy is commonly used for password strengthening; passwords, typically based on dictionary words or proper names with small modifications, are notoriously low in entropy; a simple dictionary word 8 characters long has only 12 bits of entropy inherent in it. Algorithms performing this function are known as Key Derivation Functions or KDFs, and include PBKDF2, BCrypt, and SCrypt, all of which are typically used to generate hashes or keys based on user passwords for verification, and are capable of varying the amount of complexity required to generate the hash value, thus allowing them to keep pace with increases in computing power over time.

Other techniques target legacy encryption algorithms, which are limited in their maximum key size based on the limited memory of systems in use at the time they were designed. DES is an example; it has a maximum key length of 56 bits, which can be brute-forced in reasonable time given current computing hardware. In 1999, a combination of two distributed network operators colluded to break a DES-encrypted message in 22 hours, 15 minutes. For sensitive information, which may remain so for years or indefinitely, this is unacceptable.

To mitigate this vulnerability, cryptographers developed a variant where the basic DES cipher would be executed three times per block; the plaintext would first be encrypted with one 56-bit key, then that ciphertext would be encrypted with a second key, then that ciphertext would be encrypted with a third key to produce the final output block. The resulting algorithm, Triple-DES, has a total key length of 168 bits, which is long enough to resist brute-force cracking even by large distributed systems. TripleDES is still secure today, although the algorithm has been largely replaced in new systems by the faster and more flexible AES algorithm.

21 questions
14
votes
2 answers

Is KeePass's method for key derivation secure?

I'm familiar with how key derivation functions can be used to slow down brute force attacks against passwords by requiring significant computational and/or memory resources to compute the final key. Common KDFs I'm aware of are bcrypt, PBKDF2, and…
Ajedi32
  • 4,637
  • 2
  • 26
  • 60
13
votes
3 answers

Can I use the same password both for SRP and for client-side encryption?

Suppose a less-than-trusted server is used to store users' confidential data (encrypted at the client side), and both tasks - authentication and encryption/decryption - should be doable with a single password. Would it be enough to: Strenghten the…
mgibsonbr
  • 2,905
  • 2
  • 20
  • 35
10
votes
1 answer

Does 7-Zip really run multiple rounds of SHA-256 when key stretching?

Recently I was testing whether I could make 7-Zip archives more bruteforce-resistant. Both someone on Wikipedia and @kelalaka on this website make the following claim: The 7z format supports encryption with the AES algorithm with a 256-bit key. The…
d33tah
  • 6,524
  • 8
  • 38
  • 60
7
votes
2 answers

Do GPG and OpenSSH use key stretching on their keypairs?

Both OpenSSH and GPG can generate key pairs which are stored as files in well-known paths inside the user directory. A passphrase is always asked for during the generation process, which is then used to encrypt the contents of the private key using…
5
votes
1 answer

Is it possible to use parallelism when computing a key derivation function for a single password/key?

Suppose I have an AES-256 encrypted file, and I want to derive the key using PBKDF2 and a given salt with a large number of rounds (say 1 million), but I'm limited by user tolerance for UI lag when entering their password. Is it possible to compute…
samgak
  • 2,058
  • 1
  • 8
  • 11
4
votes
2 answers

BCrypt+SHA256 vs PBKDF2-SHA256

From this question, the OP posited taking a user's entered password, running it through BCrypt, then running that through SHA256 to produce a 256-bit password-derived key. (EDIT: To clarify, these two options are considered as producing a single key…
KeithS
  • 6,678
  • 1
  • 22
  • 38
4
votes
1 answer

Why isn't it more popular to increase the p (parallelization) parameter of scrypt?

First of all, the understanding I have of the p parameter in scrypt is that it multiplies the amount of work to do, but in such a way that the additional workloads are independent from each other, and can be run in parallel. With the interpretation…
3
votes
1 answer

Length of a stretched gnupg passphrase that is comparable in strength to an unstretched string of 256 random bits

Assume that we want to encrypt a file with gnupg using AES-256 as the encryption algorithm. (Hence, symmetric encryption.) In this mode, gnupg requires a passphrase from the user. I understand that gnupg then derives from this passphrase a 256-bit…
kjo
  • 1,043
  • 2
  • 9
  • 15
3
votes
2 answers

Naive key stretching vs PBKDF2

What are the drawbacks of using a trivially simple key stretching approach such as the below Python example, compared to something like PBKDF2? The purpose is to harden an AES-encrypted file against brute-forcing. Are there any critical issues with…
John Blatz
  • 991
  • 10
  • 16
3
votes
1 answer

Key stretching approaches

I've seen that a number of key stretching algorithms and they involved increasing the number of operations needed to compute the key(i.e. the number of rounds within a hash function). But, I wonder if these approaches are more secure as they…
Sebi
  • 1,391
  • 9
  • 16
2
votes
2 answers

Is upgrading key-stretching algorithms and/or repetitions a thing?

Consider back in the 90s you're ahead of the curve, you hashed and salted your passwords with SHA, and you're a big site, millions of accounts, etc. Well the web evolves, and over time more advanced security measures become expected and common…
Andrew Hoffman
  • 1,987
  • 14
  • 17
1
vote
2 answers

Should hashing hashed hashes colide or not?

Since key stretching basically boils down to hashing hashes over and over again (where salt, pepper and password individualize the hash function, but the principle remains the same), I wonder about this question. On the one hand, hashes should be as…
Tobias Kienzler
  • 7,578
  • 10
  • 43
  • 66
1
vote
1 answer

AES-256 without key stretching

It is not so difficult to create a password which is exactly 32 characters long. In this question - AES-256 Key Length Importance @Marc writes: you absolutely should not be using a password as the raw key ..and in this one @Filip_Franik…
cardamom
  • 359
  • 2
  • 9
0
votes
1 answer

Should I stretch the secret key in a secure cookie protocol implementation?

I'm building an api authentication layer that basically works like the secure cookie protocol, where instead of a cookie I give the api client a token which they must provide on subsequent requests. That token is signed via HMAC using a secret key…
AndrewSwerlick
  • 1,489
  • 2
  • 10
  • 7
0
votes
2 answers

Password stretching using concatenation of hashes

I'm working on a simple file encryption tool. Basically, here's how my program works: password = get_user_typed_password() salt = uuid4() key = bcrypt(password + salt) cipher = AES(key) for block in input_file: …
SuperPython
  • 399
  • 2
  • 8
1
2