Abstract
Even when combined with other techniques, passwords are still the main means of authentication in many services and systems. Attackers can usually test many passwords very quickly when standard hash functions are used, so specific password hashing algorithms have been designed to slow down brute-force attacks.
Spritz is a sponge-based stream cipher intended to be a drop-in replacement for RC4. It is more secure, more complex and more versatile than RC4. Since it is based on a sponge function, it can be employed for other applications like password hashing.
In this paper we build upon Spritz to construct a password hashing algorithm and study its performance and suitability.
Acknowledgments
Research partially supported by the Spanish MINECO and FEDER under Project Grant TEC2014-54110-R.
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Álvarez, R., Zamora, A. (2017). Using Spritz as a Password-Based Key Derivation Function. In: Graña, M., López-Guede, J.M., Etxaniz, O., Herrero, Á., Quintián, H., Corchado, E. (eds) International Joint Conference SOCO’16-CISIS’16-ICEUTE’16. SOCO CISIS ICEUTE 2016 2016 2016. Advances in Intelligent Systems and Computing, vol 527. Springer, Cham. https://doi.org/10.1007/978-3-319-47364-2_50
DOI: https://doi.org/10.1007/978-3-319-47364-2_50
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-47363-5
Online ISBN: 978-3-319-47364-2
eBook Packages: Engineering (R0)