#48241 support SHA3 for passwords, other crypto

Created 3 years ago by rmeggins
Modified 2 years ago

NIST announces FIPS 202 (the SHA-3 Standard) and FIPS 180-4 in the
Federal Register today. Please see the Federal Register
Noticehttps://federalregister.gov/a/2015-19181 for details and for
NIST's comment resolutions for DRAFT FIPS 202 and DRAFT FIPS 180-4.

Should probably stay ahead of the game instead of waiting until a customer asks us if we support SHA3.

An interesting discussion point here is that SHA3 is intended to be fast on hardware. This is in fact a detriment to password storage. Some attacks rely on being able to quickly generate many SHA3 sums based on inputs (ie dictionary list, rainbow table). As a result, being fast may make an attackers job easier to bruteforce. This is where #397 is something I think is better to pursue for our next default hash mechanism as they enforce higher time and memory complexity. This means an attacker that is able to compromise the system (theoretically: We would of course react to any DS compromise swiftly) would not as easily be able to attack the hashes.

Here are some numbers from my Python hash benchmark (sha3 from KeccekCodePackage with SSE optimizations):

{{{
CPU: Intel(R) Core(TM) i7-4900MQ CPU @ 2.80GHz
256 times 1 MiB random data

_hashlib.openssl_md5 708 MiB/sec
_hashlib.openssl_sha1 1014 MiB/sec
_hashlib.openssl_sha512 676 MiB/sec
_sha3.sha3_224 322 MiB/sec
_sha3.sha3_256 302 MiB/sec
_sha3.sha3_384 232 MiB/sec
_sha3.sha3_512 161 MiB/sec
}}}

I assume that sha3 in dedicated hardware is almost a magnitude faster than in software. This performance discrepancy favors attacks. I would rather recommend scrypt or argon2.

As per cheimes comment, and other input from cryptographers, I believe it is incorrect for us to support SHA3 as a password hashing mechanism. I will close this as wontfix. We should focus on key derivation functions such as in #397.

2 years ago

Metadata Update from @firstyear:
- Issue assigned to firstyear
- Issue set to the milestone: 1.3.6 backlog

Login to comment on this ticket.

Security - General

1.3.0

QE

enhancement

cancel