Yesterday, an effort to produce a new password hashing algorithm was announced. Dennis Fisher describes the initiative in his 2013-02-15 Kaspersky Threatpost article, “Cryptographers Aim to Find New Password Hashing Algorithm.” Here’s my comment.
First, the article suggests that the NIST competition to choose a new cryptographic hash algorithm to be standardized as SHA-3 has not concluded. NIST selected Keccak as the basis for SHA-3 last year. Keccak has many applications, and it will be a while before its use as SHA-3 is standardized (in an anticipated FIPS 180-5). See the 2013-02-06 presentation, “Keccak and the SHA-3 standardization.”
There’s also a remark concerning the ability to attack PBKDF2 easily. PBKDF2 is an iterated, salted key-derivation procedure built on a chosen pseudorandom function (PRF). The PRF is typically HMAC-SHA1, though HMAC with any other hash can be used, and the procedure chains a large number of PRF invocations. That iteration count is the work factor: raising it makes every guess proportionally more expensive, which is meant to make brute-force search of the password space infeasible. The problem with PBKDF2-derived hashes as a password authentication approach is not the ease of attack but the imposition of that same work factor on server-side authentication procedures, which must pay it on every login.
So long as the password-based authentication procedure is required to be efficient and economical, the problem is not the hash. The problem is the password choice and the poor security that allows the hash to become known. Once the hash is disclosed, adversaries can compute exactly the same function at exactly the same per-guess cost the server pays, but offline, with no rate limiting, and with as much parallel hardware and time as they care to spend, until the password is discovered. Improving the hash does little to mitigate this serious problem. New password protocols are required.
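As an added illustration of the two points above (the PBKDF2 mechanics, and why disclosure of the stored hash gives the adversary the same per-guess cost as the server), here is a from-scratch PBKDF2 in Python next to a server-side verifier and the offline guessing loop an attacker would run over a leaked record. This is my own example code, not code from the article or from any password-hashing proposal; the record layout, the `make_record`/`verify`/`offline_guess` names and the candidate wordlist are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct
import time


def pbkdf2(prf_hash, password, salt, iterations, dk_len):
    """PBKDF2 (RFC 8018, section 5.2) with HMAC-<prf_hash> as the PRF.

    Each output block T_i is the XOR of a chain of `iterations` HMAC values:
    U_1 = HMAC(P, S || INT_32BE(i)), U_j = HMAC(P, U_{j-1}).  The chain is
    inherently serial, so the iteration count sets the cost of one derivation.
    """
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    h_len = hashlib.new(prf_hash).digest_size
    n_blocks = -(-dk_len // h_len)            # ceil(dk_len / h_len)
    out = bytearray()
    for i in range(1, n_blocks + 1):
        u = hmac.new(password, salt + struct.pack(">I", i), prf_hash).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, prf_hash).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(h_len, "big")
    return bytes(out[:dk_len])


def matches_stdlib(prf_hash, password, salt, iterations, dk_len):
    """Cross-check of the implementation above against hashlib.pbkdf2_hmac."""
    return pbkdf2(prf_hash, password, salt, iterations, dk_len) == \
        hashlib.pbkdf2_hmac(prf_hash, password, salt, iterations, dk_len)


def make_record(password, iterations, prf_hash="sha1", salt=None):
    """A stored credential record.  The layout is an assumption for this example."""
    salt = os.urandom(16) if salt is None else salt
    return {"prf": prf_hash, "iterations": iterations, "salt": salt,
            "dk": pbkdf2(prf_hash, password, salt, iterations, 20)}


def verify(record, candidate):
    """Server-side check: the server pays the full work factor on every login."""
    dk = pbkdf2(record["prf"], candidate, record["salt"],
                record["iterations"], len(record["dk"]))
    return hmac.compare_digest(dk, record["dk"])


def offline_guess(record, candidates):
    """What an adversary does once the record is disclosed: run the very same
    derivation over a candidate list.  Per-guess cost equals the server's
    verification cost, but there is no rate limit and the loop parallelises
    trivially across cores, GPUs or machines.  Returns (password, guesses)."""
    for n, c in enumerate(candidates, 1):
        if verify(record, c):
            return c, n
    return None, len(candidates)


def seconds_per_guess(record, trials=5):
    """Measured cost of one derivation on this machine; the same figure bounds
    both the server's login throughput and the attacker's guess rate per core."""
    start = time.perf_counter()
    for _ in range(trials):
        verify(record, b"not the password")
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    record = make_record(b"correct horse battery staple", iterations=100_000)
    # Constructed candidate list standing in for a cracking wordlist.
    wordlist = [b"123456", b"password", b"letmein",
                b"correct horse battery staple"]
    found, guesses = offline_guess(record, wordlist)
    cost = seconds_per_guess(record)
    print(f"recovered {found!r} after {guesses} guesses")
    print(f"{cost * 1000:.1f} ms per guess on this CPU "
          f"({1 / cost:.0f} guesses/s per core); the server pays the same per login")
```

The point the timing line makes is the asymmetry the text describes: whatever iteration count the server can afford per login is also the attacker's cost per guess, and the attacker multiplies that by every core they own and by all the time they care to spend. The `pbkdf2` function reproduces the RFC 6070 test vectors for PBKDF2-HMAC-SHA1, so the cracking loop is running the real function, not a stand-in.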
I’ve gathered my considerations on what is required to confine the consequences of hash disclosure. The particular framework for minimizing password discovery is not important; what matters are the considerations, which I believe apply to any such effort: “AuthzN Password-Independent Keys.”