TCryptoPasswordHash
Password Hashing
Secret keys used to encrypt or sign confidential data have to be chosen from a very large keyspace.
However, passwords are usually short, human-generated strings, making dictionary attacks practical.
Password hashing functions derive a high-entropy secret key of any size from a password.
The generated key will have the size defined by the application, no matter what the password length is.
- The same password hashed with the same parameters will always produce the same output.
- The function deriving a key from a password is CPU intensive, to mitigate brute-force attacks by requiring a significant effort to verify each password.
Common use cases:
- Password storage, or rather: storing what it takes to verify a password without having to store the actual password.
- Deriving a secret key from a password, for example for disk encryption.
Example
SuperStrict
Framework brl.standardio
Import Crypto.Crypto
Const OPS_LIMIT:Int = 10000
Local password:String = "Password123"
' generate a master key
Local masterKey:TCryptoPWHashMasterKey = TCryptoPasswordHash.KeyGen()
Print "Master key : " + masterKey.ToString()
Local storedKey:TCryptoPWHashStoredKey
' calculate stored key based on password, master key and parameters
TCryptoPasswordHash.Create(storedKey, password, masterKey, OPS_LIMIT, 0)
Print "Password Hash : " + storedKey.ToString()
' verify the password against the stored key
Verify(storedKey, password, masterKey)
Local wrongPass:String = "password123"
' try to verify the wrong password against the stored key
Verify(storedKey, wrongPass, masterKey)
Function Verify(storedKey:TCryptoPWHashStoredKey, password:String, masterKey:TCryptoPWHashMasterKey)
	If TCryptoPasswordHash.Verify(storedKey, password, masterKey, 50000, 0) Then
		Print "Verified"
	Else
		Print "Invalid"
	End If
End Function
Functions
Function KeyGen:TCryptoPWHashMasterKey()
Generates a key used to encrypt all hashed passwords, along with their parameters.
Hashed passwords and master keys should be stored in different places: hashed passwords are typically stored in a database, whereas the master key can be statically loaded or hardcoded in the application.
If the database ever gets breached, the list of hashed passwords will be completely useless without the master key.
The storage format supports reencryption and algorithm upgrades.
Function Deterministic:Int(h:Byte Ptr, hLen:Size_T, password:String, context:String, masterKey:TCryptoPWHashMasterKey, opsLimit:ULong, memLimit:Size_T, threads:Int = 1)
Derives a deterministic high-entropy key of any length (hLen bytes) from a password, a context, a master key masterKey and a set of parameters for the hash function.
The resulting key is put into h.
- opsLimit is the number of iterations. The higher the number, the slower the function will be, and the more secure the end result will be against brute-force attacks. This should be adjusted according to the hardware and to application constraints.
- memLimit is the maximum amount of memory to use. The current function uses a fixed amount of memory and ignores this parameter. It can be unconditionally set to 0.
- threads is the number of threads. The current function ignores this parameter. It can be unconditionally set to 1.
This function can be used to derive a key from a password if no other information has been stored. For example, it can be used to encrypt/decrypt a file using nothing but a password.
Function Deterministic:Int(h:Byte[], password:String, context:String, masterKey:TCryptoPWHashMasterKey, opsLimit:ULong, memLimit:Size_T, threads:Int = 1)
Derives a deterministic high-entropy key of any length from a password, a context, a master key masterKey and a set of parameters for the hash function.
The resulting key is put into h.
- opsLimit is the number of iterations. The higher the number, the slower the function will be, and the more secure the end result will be against brute-force attacks. This should be adjusted according to the hardware and to application constraints.
- memLimit is the maximum amount of memory to use. The current function uses a fixed amount of memory and ignores this parameter. It can be unconditionally set to 0.
- threads is the number of threads. The current function ignores this parameter. It can be unconditionally set to 1.
This function can be used to derive a key from a password if no other information has been stored. For example, it can be used to encrypt/decrypt a file using nothing but a password.
Function Create:Int(stored:TCryptoPWHashStoredKey Var, password:String, masterKey:TCryptoPWHashMasterKey, opsLimit:ULong, memLimit:Size_T, threads:Int = 1)
Computes a fixed-length (CRYPTO_PWHASH_STOREDBYTES bytes), hashed, encrypted, authenticated representative of the password that can be safely stored in a database.
This representative can be used to later check if a user-provided password is likely to be the original one, without ever storing the password in the database.
The function encrypts and authenticates the representative and the parameters using the master key masterKey. All passwords can safely be encrypted using the same, long-term master key. Applications can also choose to derive masterKey from a master-master key, and a unique user identifier.
The representative includes opsLimit, memLimit and threads: these do not have to be stored separately.
Note that the representative is not a string: this is binary data, that must be stored as a blob in a database, or encoded as a string (for example as a hex value or using a safe base64 variant).
Function Verify:Int(stored:TCryptoPWHashStoredKey, password:String, masterKey:TCryptoPWHashMasterKey, opsLimitMax:ULong, memLimitMax:Size_T, threadsMax:Int = 1)
Verifies that the password is valid for the stored representative stored, decrypted using masterKey.
opsLimitMax, memLimitMax and threadsMax are maximum values, designed to prevent DoS attacks against applications if the input is untrusted. They should be set to the maximum values ever used in the Create() function.
If the encoded parameters in the representative exceed these values, the function returns False.
If the representative cannot be decrypted, the function returns False without even trying to hash the password.
If the password doesn't appear to be valid for the stored representative, the function returns False. If the password passes all the checks, the function returns True.
Function DeriveStaticKey:Int(staticKey:Byte Ptr, staticKeyLen:Size_T, stored:TCryptoPWHashStoredKey, password:String, context:String, masterKey:TCryptoPWHashMasterKey, opsLimit:ULong, memLimit:Size_T, threads:Int = 1)
Fills staticKey with staticKeyLen bytes derived from the representative for password.
Verifies that password is valid for the representative. If this is the case, it fills staticKey with staticKeyLen bytes derived from that representative, and returns True.
If the password doesn't appear to be valid for what was stored, the function returns False.
This function can be used to derive a deterministic, high-entropy key from a password and user-specific data stored in a database.
Function DeriveStaticKey:Int(staticKey:Byte[], stored:TCryptoPWHashStoredKey, password:String, context:String, masterKey:TCryptoPWHashMasterKey, opsLimit:ULong, memLimit:Size_T, threads:Int = 1)
Fills staticKey with bytes derived from the representative for password.
Verifies that password is valid for the representative. If this is the case, it fills staticKey with bytes derived from that representative, and returns True.
If the password doesn't appear to be valid for what was stored, the function returns False.
This function can be used to derive a deterministic, high-entropy key from a password and user-specific data stored in a database.
Function Reencrypt:Int(stored:TCryptoPWHashStoredKey, masterKey:TCryptoPWHashMasterKey, newMasterKey:TCryptoPWHashMasterKey)
Reencrypts a representative stored using the current master key masterKey and a new master key newMasterKey.
It updates stored in-place and returns True on success. If the representative couldn't be decrypted using masterKey, the function returns False.
Function Upgrade:Int(stored:TCryptoPWHashStoredKey, masterKey:TCryptoPWHashMasterKey, opsLimit:ULong, memLimit:Size_T, threads:Int = 1)
Upgrades, in place, a previously computed representative stored, encrypted using the master key masterKey, to the new parameters opsLimit, memLimit and threads.
If previously hashed passwords become too fast to verify after a hardware upgrade, stored representatives can be upgraded with new parameters without requiring the original passwords.
Note that parameters can only be increased. Trying to reduce the value of an existing parameter will not change the original value.
Returns
True on success, or False if the data couldn't be decrypted using the provided master key.
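The master key rotation and parameter upgrade flow described for Verify, Reencrypt and Upgrade, as an added example that is not part of the original documentation or the module's own code. It uses only the function signatures listed on this page; the password, the two operation limits and the Report helper are constructed for illustration.

```blitzmax
SuperStrict

Framework brl.standardio
Import Crypto.Crypto

' Constructed sample values for illustration, not tuning recommendations.
Const OLD_OPS:Int = 10000
Const NEW_OPS:Int = 50000
Local password:String = "correct horse battery staple"

Local oldKey:TCryptoPWHashMasterKey = TCryptoPasswordHash.KeyGen()
Local newKey:TCryptoPWHashMasterKey = TCryptoPasswordHash.KeyGen()

' 1. Enrolment: the representative is created under the old master key.
Local stored:TCryptoPWHashStoredKey
TCryptoPasswordHash.Create(stored, password, oldKey, OLD_OPS, 0)
Report("verify with old key", TCryptoPasswordHash.Verify(stored, password, oldKey, OLD_OPS, 0))

' 2. Master key rotation: no password is needed, stored is updated in place.
Report("reencrypt old -> new", TCryptoPasswordHash.Reencrypt(stored, oldKey, newKey))
' Verify is documented to return False when the representative cannot be
' decrypted, which is the case for the retired key after rotation.
Report("verify with retired key", TCryptoPasswordHash.Verify(stored, password, oldKey, OLD_OPS, 0))
Report("verify with new key", TCryptoPasswordHash.Verify(stored, password, newKey, OLD_OPS, 0))

' 3. Work factor upgrade: again without the original password.
Report("upgrade to NEW_OPS", TCryptoPasswordHash.Upgrade(stored, newKey, NEW_OPS, 0))
' The representative now encodes NEW_OPS. Verify is documented to return False
' when the encoded parameters exceed the caller's maximum, so every verifier
' must raise opsLimitMax before (or together with) the upgrade.
Report("verify, opsLimitMax = OLD_OPS", TCryptoPasswordHash.Verify(stored, password, newKey, OLD_OPS, 0))
Report("verify, opsLimitMax = NEW_OPS", TCryptoPasswordHash.Verify(stored, password, newKey, NEW_OPS, 0))

' Hypothetical helper: prints the Int result of a call as True/False.
Function Report(label:String, ok:Int)
	If ok Then
		Print label + ": True"
	Else
		Print label + ": False"
	End If
End Function
```

In a deployment, step 2 would run over every stored representative before the old master key is retired, and step 3 is only safe once all code paths calling Verify use the raised maximum.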