Initiative to develop new methods of password hashing

Posted: February 18, 2013 in Articles, IT Security News
Tags: , , ,

password hashingThe competition Password Hashing Competition (PHC) an attempt to identify new password hashing schemes to encourage engagement of reliable schemes for protecting passwords.

The current state of password protection is assessed as unacceptable – web-services often store user passwords in clear text or use unreliable methods of hashing, such as MD5 or SHA-1, for which effective methods of password guessing.

Of the standards forming password-based key is available only PBKDF2 (PKCS # 5, NIST SP 800-132), and of alternative implementations allocate only bcrypt and scrypt. These systems are not without drawbacks and in the community soar ideas for new methods of hashing, but these initiatives are scattered and random. The competition is intended to inspire PHC stakeholders and make their work popular and intelligent character.

Methods of competition are based on the principles used in the cryptographic contests as AES, eSTREAM and SHA-3. Work to participate will be accepted until January 31, 2014, and then begin the analysis stage of the proposed works and to determine the most optimal solutions. In the third quarter of 2014 will be announced the finalists of which up to the second quarter of 2015 will be allocated one or more winners.

The technical requirements of the tender for the work indicated at least support for password hashing in size from 0 to 128 characters, use 16-byte salt and possibility of controlling the parameters of the algorithm in terms of speed and memory consumption. Reference implementations should be prepared in C or C + +, allowed to use the standard library functions libcrypto (eg, AES implementations or SHA-256). Methods should not be borne by the patented technologies and should be distributed without restrictions and conditions which do not require royalty payments.

The criteria for evaluation states:

Safety: collision-resistant, random-looking output, the inability to reverse the conversion, the inability to obtain information about the nature of the password through the analysis of hash brute force confrontation, difficulty threading selection, resistance to acceleration of selection using ASIC, FPGA and GPU;
Simplicity: general scheme of clarity, ease of implementation (from the perspective of coding, testing, debugging, and integration), the minimum reference to external entity or structures;
Functionality: effectiveness from the point of tuning parameters, the ability to change the settings (speed and memory consumption) for the existing hash without a password.

Password Hashing Competition:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s