Cryptography
hash passwords key-exchange pbkdf-2 srp
Updated Wed, 20 Jul 2022 10:29:54 GMT

Can I use a key-derivation-function as the hash function H in SRP?


In the Secure Remote Password Protocol, the verifier must be stored on the server. In the case of a server compromise, an attacker could obtain these verifiers. If nobody reused passwords, this wouldn't be a big deal (as the users' data is probably also compromised). However since people do reuse passwords it seems a good idea to make offline attacks against the password file difficult.

SRP is based off of a cryptographic hash H; part of the cost of an offline attack would be calculating H, so using an expensive hash for this step seems good. However, I am unsure of the suitability of tunably expensive hashing mechanisms (e.g. PBKDF2, bcrypt, scrypt) for this.




Solution

RFC 2945 By Tom Wu the SRP inventor uses x = H(s, H(I, ":", p)) where I is the username demonstrating that can do anything you like to the stretch the password such as prefixing the username then hashing it. So stretching the user entered password before putting it into function using PBKDF2 would increase the time taken for a dictionary attack with no effect on the strength of the protocol e.g. x = H(s, PBKDF2(p))

(Edit Note the design document uses x = H(s, p) but the SRP-6a paper linked to from that page uses x = H(s, I, P) so both differ from the RFC.)

Swapping H for PBKDF2 throughout the protocol would slow down the server drastically. With an online dictionary attack you want the attacking client to run slow without it tying up server resources. This suggests only slowing down the x function whilst keeping a good hashing function like SHA256 or better throughout the rest of the protocol. Also as @otus points out in a comment with an offline attack on a captured verifier they don't need to run the full protocol only the steps to generate the verifier. Again this means that there is no benefit to slowing down the full protocol.

Changing the x function to only use the key stretching algorithm with x = PBKDF2(s, p) slows down the server. The purpose of running the key stretching algorithm is to slow down the client so use both H and PBKDF2 by using the RFC function for x but stretching the raw password then passing into the RFC function giving x = H(s, H(I, ":", PBKDF2(p))).

The advantage of that approach is you actually dont have to change your SRP implementation at all. You simply stretch the password at the point of input then pass the stretched password to your SRP implementation. No changes are required at the server to support stretching. Any brute force attack against a leaked verifier is slowed by stretching.





Comments (2)

  • +0 – That's a good point that only the calculation of x need be slowed down to prevent an offline attack against a weak p given v, which is what I was concerned about. — Oct 14, 2015 at 02:22  
  • +0 – @Aidenn it's a good idea to AES encrypt the verifier in the database to protect offsite backups from an offline attack. — Oct 16, 2015 at 16:47