CASH: A Cost Asymmetric Secure Hash Algorithm for Optimal Password Protection
Jeremiah Blocki (MSR/Purdue), Anupam Datta (CMU)
CSF 2016

Motivation: Password Storage
jblocki, 123456

Username   Salt            Hash
jblocki    89d978034a3f6   85e23cfe0021f584e3db87aa72630a9a2345c062

SHA1(12345689d978034a3f6) = 85e23cfe0021f584e3db87aa72630a9a2345c062

Offline Attacks: A Common Problem
• Password breaches at major companies have affected millions of users.

Key Stretching
• Hash Function Cost: C
• Hash Iteration: H, H^k
• Memory Hard Functions
• …

A Fundamental Tradeoff
• Increased Costs for Honest Party
• Is the extra effort worth it?
• Can I tip the scales?

Our Contributions
• A Stackelberg Game Model
  • Analyze Password Cracking
  • Quantify: Security Gains from Key-Stretching.
• Cost Asymmetric Secure Hash
  • An optimal way to tip the scales
• Empirical Evaluation
  • Yahoo! and RockYou password frequency data
  • 50+% reduction in cracked-passwords in selected instances

A Key Observation
• password, 12345, letmein, abc123, … / password, unbreakable, unbr3akabl3, …: Most guesses are wrong
• unbr3akabl3, unbr3akabl3, unbr3akabl3, unbr3akabl3, …, unbr3akabl3: Most guesses are correct
• Goal Asymmetry: COST > COST

Pepper [Manber96]
Pepper: $t \in \{1, \ldots, m\}$
jblocki, 123456

Username   Salt           Hash
jblocki    89d978034a3f   85e23cfe0021f584e3db87aa72630a9a2345c062

SHA1(12345689d978034a3f6) = 85e23cfe0021f584e3db87aa72630a9a2345c062

SHA1(12345689d978034a3f1)
SHA1(12345689d978034a3f2)
SHA1(12345689d978034a3f3)
…
SHA1(12345689d978034a3f6)

Pepper [Manber96]
Pepper: $t \in \{1, \ldots, m\}$
jblocki, 1234567
$E[t] < m$ (Correct Cost < Incorrect Cost)

Username   Salt           Hash
jblocki    89d978034a3f   85e23cfe0021f584e3db87aa72630a9a2345c062

SHA1(123456789d978034a3f1)
SHA1(123456789d978034a3f2)
SHA1(123456789d978034a3f3)
…
SHA1(123456789d978034a3fm)

Stackelberg Game Model (Setup)
• Known distribution $p_1 \ge p_2 \ge \cdots \ge p_N$ over N passwords $pwd_1, \ldots, pwd_N$
• Successful login rate ($\alpha$)
  • Probability that a user enters the correct password
• Parameters fixed by nature
  • Password Preferences
  • Human Memory/Typo Rate

Stackelberg Game Model (Defender)
• Leader (Server)
  • Selects pepper distribution $p_1 \ge \cdots \ge p_m$
  • Selects hash cost parameter c
• Constrained by maximum server workload
  • Amortized authentication costs ($C_{max}$)

$$\alpha \sum_{t=1}^{m} (c \times t)\, p_t + m c\, (1 - \alpha) \le C_{max}$$

  • $\alpha$: Pr[right password]
  • $c \times t$: Cost if secret pepper value is t.
  • $p_t$: Probability pepper value is t.
  • $mc$: Cost to reject pwd
  • $1 - \alpha$: Pr[wrong password]
• Model traditional (deterministic) password hashing?
  • Simply set $p_1 = 1$ and $c = C_{max}$

Stackelberg Game Model (Adversary)
• Follower (Untargeted Adversary)
  • Faces new distribution over (password, pepper) pairs

$$\pi_1, \ldots, \pi_{Nm} = \mathbf{SORT}\left(\{p_1, p_2, \ldots, p_N\} \times \{p_1, \ldots, p_m\}\right)$$

• Action: Selects a budget B
  • Guess B most likely (password, pepper) values

Stackelberg Game (Adversary Rewards)
• Adversary
  • Expected Reward - Expected Guessing Cost

$$U_A(B, c, p) = v \sum_{i=1}^{B} \pi_i - \sum_{i=1}^{B} \pi_i (c \times i) - cB \left(1 - \sum_{i=1}^{B} \pi_i\right)$$

  • $v$: Adversary value for cracked password
  • $\pi_i$: Probability i'th guess is correct
  • $c \times i$: Cost if i'th guess is correct
  • $cB$: Cost on Fail
  • $1 - \sum_{i=1}^{B} \pi_i$: Probability adversary fails
  • $c, p$: Fixed by defender in advance
• Rational Adversary Action

$$B^* = \arg\max_{B} U_A(B, c, p)$$

Stackelberg Game (Defender Rewards)

$$U_D(B, c, p) = 1 - \sum_{i=1}^{B} \pi_i$$

  • $1 - \sum_{i=1}^{B} \pi_i$: Probability adversary fails
• Rational Defender Action: Assume adversary responds optimally

$$(c^*, p^*) = \arg\max_{(c,p) \in F} U_D\left(\arg\max_{B} U_A(B, c, p),\; c,\; p\right)$$

  • $F$: Feasible Defender Moves

Problem Statement

$$\max_{c, p} U_D(B^*, c, p)$$

such that:
1. $\sum_{i=1}^{m} p_i = 1$,
2. $0 \le p_{i+1} \le p_i \;\; \forall i$, (1 and 2: Valid pepper distribution)
3. $\alpha \sum_{i=1}^{m} (c \times i)\, p_i + m c\, (1 - \alpha) \le C_{max}$ (Amortized Authentication Costs are Small Enough)
4. $B^* = \arg\max_{B} U_A(B, c, p)$ (Adversary plays rationally)

A Challenge
• Optimization Problem is inherently non-convex
  • Culprit: $B^* = \arg\max_{B} U_A(B, c, p)$
• Heuristic Relaxation:
  • Assume we know the adversary budget B
  • Can drop non-convex constraint, and solve.
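The game above, evaluated end to end as an added example (not code from the slides or the paper). The password distribution and the values of ALPHA, C_MAX and V are constructed, and the uniform pepper is just one feasible defender move, not the optimized CASH distribution.

```python
# Added example: Stackelberg game from the slides on constructed inputs.
PWD = [0.4, 0.3, 0.2, 0.1]        # constructed p_1 >= ... >= p_N
ALPHA, C_MAX, V = 0.9, 1.0, 2.2   # assumed login rate, workload cap, adversary value v


def server_cost(c, pepper, alpha=ALPHA):
    """Amortized login cost: alpha * sum_t (c*t) p_t + m*c*(1 - alpha)."""
    m = len(pepper)
    right = alpha * sum(c * t * q for t, q in enumerate(pepper, 1))
    return right + m * c * (1 - alpha)


def max_hash_cost(pepper, alpha=ALPHA, c_max=C_MAX):
    """Largest c meeting the workload constraint (the cost is linear in c)."""
    return c_max / server_cost(1.0, pepper, alpha)


def joint(pwd, pepper):
    """pi_1 >= ... >= pi_Nm: sorted (password, pepper) probabilities."""
    return sorted((p * q for p in pwd for q in pepper), reverse=True)


def adversary_utility(B, c, v, pi):
    """U_A = v*S - sum_i pi_i*(c*i) - c*B*(1 - S), with S = sum_{i<=B} pi_i."""
    hit = sum(pi[:B])
    cost_on_hit = sum(p * c * i for i, p in enumerate(pi[:B], 1))
    return v * hit - cost_on_hit - c * B * (1 - hit)


def play(pwd, pepper, v=V):
    """Defender commits to (c, pepper); the adversary best-responds with B*."""
    c = max_hash_cost(pepper)
    pi = joint(pwd, pepper)
    b_star = max(range(len(pi) + 1),
                 key=lambda B: adversary_utility(B, c, v, pi))
    return {"c": c, "B*": b_star, "U_D": 1 - sum(pi[:b_star])}


if __name__ == "__main__":
    print("deterministic :", play(PWD, [1.0]))        # p_1 = 1, c = C_max
    print("uniform, m = 2:", play(PWD, [0.5, 0.5]))   # Manber-style pepper
```

With these constructed values both configurations cost the server the same amortized work, yet the rational adversary guesses every password against the deterministic hash and gives up (B* = 0) against the peppered one.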
Heuristic Solution
• Solve Relaxed Goal for many fixed budgets ($B_1, B_2, \ldots$)
• Obtain Candidate Solutions: $\mathbb{C} = \{(c_1, p_1), (c_2, p_2), \ldots\}$
• Pick the best candidate solution

$$\max_{(c,p) \in \mathbb{C}} U_D(B^*, c, p)$$

such that:
$B^* = \arg\max_{B} U_A(B, c, p)$ (Adversary plays rationally)

  • Only need to check $|\mathbb{C}|$ possible solutions
  • $B^*$: Easy to compute for fixed $c, p$

Results
Yahoo! Frequency data [B12,BDB16]: https://figshare.com/articles/Yahoo_Password_Frequency_Corpus/2057937

Robustness

Our Contributions
• A Stackelberg Game Model
  • Analyze Password Cracking
  • Quantify: Security Gains from Key-Stretching.
• Cost Asymmetric Secure Hash
  • An optimal way to tip the scales
• Empirical Evaluation
  • Yahoo! and RockYou password frequency data
  • 50+% reduction in cracked-passwords in selected instances

Thanks for Listening