Passwords are hashed everywhere: operating systems, smartphones, web services, disk encryption tools, SSH private keys, etc. Hashing passwords mitigates the impact of a compromised database by forcing attackers to brute-force passwords. Brute-force is easier when the hash function is not "salted", is fast to evaluate, and is easy to implement as multiple parallel instances on GPUs or multi-core systems. However, existing solutions are not satisfactory, and the huge majority of systems rely on weak hashes (e.g. the leaks from Sony, LinkedIn, or more recently Evernote).
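The three weaknesses named above (no salt, fast evaluation, trivially parallel) can be seen side by side in a few lines of code. The following is an added example, not code from the talk or from the PHC: it contrasts a single unsalted SHA-256 (the pattern behind the leaks mentioned) with a salted, iterated PBKDF2-HMAC-SHA256 from the Python standard library, stores the work factor alongside the hash so it can be raised later, and verifies with a constant-time comparison. The iteration count, the `pbkdf2_sha256$iterations$salt$hash` storage format, and the function names are assumptions chosen for the demo; PBKDF2 is used here only because it ships with Python, not as the talk's recommendation.

```python
import hashlib
import hmac
import os

# Assumed parameters for this demo. The iteration count is the tunable
# "slowness" knob; real deployments calibrate it to their own hardware.
ITERATIONS = 100_000
SALT_BYTES = 16
DKLEN = 32
SCHEME = "pbkdf2_sha256"


def fast_unsalted_hash(password: str) -> str:
    """The weak pattern: one SHA-256 over the password, no salt.

    Every user with the same password gets the same digest, so one
    precomputed table or one GPU pass over a wordlist covers the whole
    database at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash in a self-describing string.

    Format (assumed for this demo): scheme$iterations$salt_hex$hash_hex.
    A fresh random salt per password defeats shared precomputation, and
    the iteration count multiplies the cost of every guess.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN
    )
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and work factor; compare in constant time."""
    try:
        scheme, iters, salt_hex, hash_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        # Malformed record: treat as a failed login rather than crashing.
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, current_iterations: int = ITERATIONS) -> bool:
    """True if a stored record uses a weaker work factor than the current policy.

    Because the iteration count travels with the hash, a service can raise
    it over time and upgrade each record on the user's next successful login.
    """
    try:
        scheme, iters, _salt, _hash = stored.split("$")
    except ValueError:
        return True
    return scheme != SCHEME or int(iters) < current_iterations


def guesses_per_second_ratio(iterations: int) -> int:
    """Rough slowdown of an attacker relative to a single SHA-256 per guess.

    PBKDF2-HMAC-SHA256 performs two SHA-256 compressions per iteration, so
    the per-guess cost grows by about 2 * iterations. This is a conceptual
    estimate, not a measurement; GPUs still parallelise across guesses.
    """
    return 2 * iterations


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("unsalted:", fast_unsalted_hash(pw))
    rec = hash_password(pw)
    print("salted  :", rec)
    print("verify  :", verify_password(pw, rec), verify_password("wrong", rec))
    print("slowdown: ~%dx per guess" % guesses_per_second_ratio(ITERATIONS))
```

Two things the code makes concrete that the paragraph only states: calling `hash_password` twice on the same input yields two different records (the salt), whereas `fast_unsalted_hash` is deterministic, and the work factor is stored per record so it can be raised without a mass reset. What the iteration count does not buy is resistance to parallel hardware, since each guess is still independent of the others; that gap is the motivation for the rest of the talk.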
After a brief introduction of the problem and previous solution attempts, this talk presents a roadmap towards new improved hashing methods, as desired by a number of parties (from industry and standardization organizations).
First, we'll enumerate the technical challenges for software and security engineers as well as for cryptographers and attackers, discussing questions like: why, counter-intuitively, is parallelism desirable? How can complexity theory benefit password hashing? How to define a metric that encompasses performance on GPUs and ASICs? Should hashing be performed by the client, the server, or both? What about DoS induced by slow hashing? etc.
Then we'll describe the initiative that motivated this talk: the Password Hashing Competition (PHC), a project similar to the pure-cryptography competitions AES, eSTREAM, or SHA-3, but focused on the password hashing problem. The PHC gathers the leading experts from the password cracking scene together with cryptographers and software engineers from academia, industry, and NIST, to develop the hashing methods of the future.
Jean-Philippe Aumasson is principal cryptographer at Kudelski Security, Switzerland, and holds a PhD in cryptography from EPFL. He is known for designing the cryptographic functions BLAKE (one of the 5 SHA-3 finalists), SipHash (used in OpenDNS, Perl, Ruby, etc.), and BLAKE2 (used in Pcompress, WinRAR, etc.). He has authored more than 30 research articles in the field of cryptography and cryptanalysis, and has spoken at a number of security cons including Black Hat AD and 29c3. In 2013 he initiated the Cryptography Coding Standard (https://cryptocoding.net) and the Password Hashing Competition (https://password-hashing.net), which are open, collaborative, and vendor-neutral projects aimed at improving the overall state of security.