SQRL's SCrypt variation - what's the point?

SHA256 is very secure. If you could crack a single round of SHA256 you 
could crack someone's bitcoin wallet, bittorrent sync account or 
whatever. We also know that in order to crack just 128 bits you need 
more supercomputers than will fit on earth to work more than the 
lifetime of the universe etc. you know the drill.

The only reason we ever invented salts, chained algorithms like bcrypt 
and memory hard algorithms like scrypt is because we (often) are 
encrypting passwords.

The thing about passwords is that we know people (my mom) are bad at 
choosing high entropy passwords and we want to protect her even if her 
password is "monkey123".

In other words, if your input space is very small (as in the case with 
passwords) you need to constrain the time needed to brute force through 
the possible inputs.

If your input space is large this is simply not the problem.

In the case of bitcoins, bittorrent sync and yes - SQRL - your input is 
not a low entropy password but a high entropy random number. This makes 
the whole scrypt-approach moot.

Sure it increases the theoretical cracking time by adding a few extra 
(time) constraints to the hash function but it would be infinitely more 
secure just to use a single unsalted round of SHA512. (not that it's an 
issue anyway).

A single unsalted round of SHA512 is more secure than this 
scrypt-approach unless you can build a machine which can crack 256 bits 
in less than a minute.

But my main point is not that you should use SHA512, but just abandon 
scrypt, due to the added complexity, unless you are hashing low entropy 
data like passwords.

I'm unsure if this has been discussed before but I would like to hear 
some thoughts :)

best

Mikkel
Mikkel
2/18/2014 3:29:44 PM
grc.sqrl 459 articles. 0 followers. Follow

On 2/18/2014 10:29 AM, Mikkel Nielsen wrote:
> A single unsalted round of SHA512 is more secure than this 
> scrypt-approach unless you can build a machine which can crack 256 bits 
> in less than a minute.
> 
> But my main point is not that you should use SHA512, but just abandon 
> scrypt, due to the added complexity, unless you are hashing low entropy 
> data like passwords.

I imagine that others with more expertise will have more to say than I,
but your point seems valuable here as some of us have been fretting over
this Emergency Code for far too long *g*.

I think many posters have had thoughts similar to your own, but you've
stated it in a different way.  Though I have no irons in this fire, I
have tended to argue that our whole purpose for using EnScrypt on the
"Backup Access Code", now Emergency Code, is to /allow/ reduced entropy
in the input.  I claimed that anything greater than 64 bits was
sufficient as we were "using" EnScrypt to harden an input which is
already stronger than practically every human-generated passcode in use.

One reason for our debate was precisely the point that this
computer-generated code was not prone to readily available rainbow
tables so long as we chose a good hash and used a salt, /both of which
we are now doing/.  However, I don't recall anyone suggesting that we
take Scrypt out of the equation and simply use a "fast" hash
sufficiently large to preclude attack.

It is absolutely the case that slow hashes are intended for
*human*-generated codes.  This has been our hang-up on this issue, in my
opinion, though I'm not certain how our "slow" hash compares to SHA256
or SHA512 in terms of protection.  I do think there is some value in
having a memory-hard hash in between a /relatively/ short code and our
encryption chain, but a number of us have pointed out that the Emergency
Code is already well into "overkill" terrain.

SHA512?  Well, I'll have to let others address that issue.  If we are
trying to slay all dragons, why not pass the Emergency Code through
Scrypt, SHA3, /and/ SHA512?  We'd then get the vulnerabilities and
protections of all of them *g*.

In terms of the needless complexity of Scrypt, all SQRL clients are
already going to need EnScrypt implementations in order to deal with the
Operating Authentication Password, so it seems to me that using SHA512
on the Emergency Code actually /adds/ complexity rather than reduces it.
It's not hard to find an appropriate implementation of SHA512, but it's
yet another gadget to add to the client.

-- 

 RobAllen
_____________________________________________________
RobAllen
2/18/2014 7:36:25 PM
Mikkel Nielsen was heard to say :

Just to answer your question:
    SQRL's SCrypt variation - what the point?

The point is: "time".

Brute forcing gets absurdly long when you increase the time needed for each 
test of breaking the password.

> SHA256 is vey secure.

Indeed it is, but OCB works only with 128 bit keys (AFAIK).

> The only reason we ever invented salts, chained algorithms like bcrypt
> and memory hard algorithms like scrypt is because we (often) are
> encrypting passwords.

And a "kind of" password is what is being processed in scrypt (the emergency 
code). But I'll happily agree that it does not need to be any longer than 15 
chars:
      http://www.grc.com/groups/sqrl:5103
      http://www.grc.com/groups/sqrl:5179


> If your input space is large this is simply not the problem.

Sure, of course, I agree.


> A single unsalted round of SHA512 is more secure than this 
> scrypt-approach unless you can build a machine which can crack 256 bits 
> in less than a minute.

That is not a clear cut conclusion, IMO, but I understand your intent.
 
> But my main point is not that you should use SHA512, but just abandon
> scrypt, due to the added complexity, unless you are hashing low entropy
> data like passwords.

The "Emergency Code" seems to be something in the range of 20 decimal 
digits, so, in a sense, it is a "low entropy password", again, IMO.

> I'm unsure of this has been discussed before but I would like to hear
> some thoughts :)

Oh, yes, it has been.  :-)

-- 
Mark Cross @ 02/18/2014 6:23 p.m.
Fear is the foundation of most governments. — John Adams

Mark
2/18/2014 10:35:02 PM
RobAllen was heard to say :

> SHA512?  Well, I'll have to let others address that issue.  If we are
> trying to slay all dragons, why not pass the Emergency Code through
> Scrypt, SHA3, /and/ SHA512?  We'd then get the vulnerabilities and
> protections of all of them *g*.

Hey !! That is an excellent idea, let's do it     *g*

-- 
Mark Cross @ 02/18/2014 6:35 p.m.
Work harder: millions on welfare depend on you.

Mark
2/18/2014 10:36:24 PM
On 2014-02-18 7:29, Mikkel Nielsen wrote:
[...]
> But my main point is not that you should use SHA512, but just abandon
> scrypt, due to the added complexity, unless you are hashing low entropy
> data like passwords.
>
> I'm unsure of this has been discussed before but I would like to hear
> some thoughts :)

There are a few different places where hashing/stretching algorithms are 
used.

1) The "recovery code" which will be generated by the SQRL application, 
at least in Steve's implementation, and is used to generate a key to 
encrypt the IUK (a key used to allow users to change their login 
credentials). Currently, the thinking is for this key to be short-ish, 
compared to the key size, and be stretched by SCrypt

2) The user's password, which protects their MK. The MK is the part that 
is used to derive a unique key for each user on each site. This password 
is chosen by the user, so is currently stretched by SCrypt to derive a 
key that encrypts the MK

3) Lastly, the MK itself is transformed into a site-specific key using 
SHA-256-HMAC

I think (2) and (3) are definitely using the correct algorithms.

For (1), the algorithm that is optimal to use depends on how strong the 
derived encryption key will be and how difficult we plan entering the 
code to be. Given how infrequently this code will be used, my 
inclination is towards longer recovery codes. Though since SCrypt is 
unarguably (unless this is the use of SCrypt you disagree with?) a good 
idea for (2), it will already be in the code-base for SQRL 
implementations that wish to be compatible with GRC's export format, 
this isn't really a strong argument to discontinue the use of SCrypt.

Regards,
Sam
Sam
2/19/2014 12:15:05 AM
[for the unabridged version, see Mikkel Nielsen's post above]

Mikkel,

To summarize what the others have said, BOTH of our uses of 
Scrypt (iterated as "EnScrypt" to consume more time) take a 
lower entropy input and stretch it into a larger destination 
keyspace.  So the use of time-consuming stretching seems 
warranted.

The need for this with user-chosen passwords is clear, since 
we'll have little to no control over what they choose.

The need for this is less clear in the case of the system-chosen 
24-digit "Rescue Code", since it will be a maximum entropy value 
to begin with. But even here we'll be stretching an effectively 
80-bit value into a 256-bit encryption key... so it DOES make 
sense to retard any brute-forcing of that mapping.  Also, we 
care HUGELY about its safety since it protects the user's 
identity root key. It is also needed very infrequently, if 
ever... so adding some computational time to it has nearly no 
impact upon the user's experience.  And... since we already
have Scrypt present in the client for protecting the user's
low-entropy password, reusing it incurs little added development 
burden.

If you haven't seen this page recently, it makes these 
relationships more clear: https://www.grc.com/sqrl/key-flow.htm

Given this, you likely understand that the use of SHA512 in this 
context wouldn't buy us anything.  We use SHA256 throughout 
since all of our ciphers use 256-bit keys.

(Thanks for making sure we had examined all of this. We have... 
past the point of exhaustion!)

-- 
________________________________________________________________
Steve.               Working on moving the SQRL project forward.
Steve
2/19/2014 6:08:44 PM
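As an added example (not code from this thread, from GRC's client, or from any SQRL implementation), the pieces Sam and Steve describe, in Python: the entropy of a system-chosen decimal code, an EnScrypt-style iterated scrypt stretch, an HMAC-SHA256 per-site key, and the brute-force time comparison that is the crux of the debate. The scrypt parameters, the XOR chaining, and the HMAC key/message layout are assumptions for illustration, not taken from this thread.

```python
import hashlib
import hmac
import math
import secrets

# Assumed EnScrypt shape: scrypt with N=512, r=256, p=1 and a 32-byte output,
# each round salted with the previous round's output, all outputs XORed.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 512, 256, 1, 32


def code_entropy_bits(ndigits: int) -> float:
    """Entropy of a uniformly random decimal code (24 digits -> ~79.7 bits)."""
    return ndigits * math.log2(10)


def generate_rescue_code(ndigits: int = 24) -> str:
    """System-chosen code: uniform digits, so it carries the full entropy above."""
    return "".join(str(secrets.randbelow(10)) for _ in range(ndigits))


def enscrypt(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Iterated scrypt: time cost scales with `iterations`, memory cost with N*r."""
    if iterations < 1:
        raise ValueError("at least one iteration is required")
    acc = bytes(DKLEN)
    for _ in range(iterations):
        out = hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                             p=SCRYPT_P, dklen=DKLEN)
        acc = bytes(a ^ b for a, b in zip(acc, out))
        salt = out  # chain: next round is salted with this round's output
    return acc


def site_key(master_key: bytes, domain: str) -> bytes:
    """Per-site key (assumed layout): HMAC-SHA256 keyed with the MK over the domain."""
    return hmac.new(master_key, domain.encode("ascii"), hashlib.sha256).digest()


def expected_bruteforce_years(entropy_bits: float, seconds_per_guess: float) -> float:
    """Expected search time: on average half the input space must be tried."""
    return 2 ** (entropy_bits - 1) * seconds_per_guess / 31_557_600


if __name__ == "__main__":
    code = generate_rescue_code()
    print(f"rescue code {code}: {code_entropy_bits(24):.1f} bits of entropy")
    stretched = enscrypt(code.encode(), b"", iterations=3)  # constructed empty salt
    print("stretched key:", stretched.hex())
    mk = secrets.token_bytes(32)  # constructed stand-in for the user's MK
    print("site key for example.com:", site_key(mk, "example.com").hex())
    fast, slow = (expected_bruteforce_years(80, t) for t in (1e-9, 1.0))
    print(f"80-bit search: {fast:.2e} years at 1 ns/guess, {slow:.2e} at 1 s/guess")
```

Each factor of 2 in per-guess cost adds one effective bit to the search, so the stretch makes the 80-bit code behave like a 110-bit one against an attacker limited to one guess per second.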