Saturday, March 05, 2016

[cwendeks] KDF of multiple difficulties

Let the time it takes to verify a correct password be a function of how long it has been since the last successful password entry.

After a successful password entry, the computer hashes the password with key derivation functions of various numbers of iterations, and stores the hashes in memory.  Over time, it forgets the easier (quicker) hashes.  It could also forget the easier hashes on each unsuccessful password attempt.  The intended application is screen unlock for mobile phones.  The only hash stored on disk is the most time-consuming one, which will cause bootup time to increase but should be rare.

Goal is to improve Android, which relies on the same PIN for full disk encryption and screen unlock.  FDE is protected by a slightly time-consuming KDF (though not time-consuming enough IMHO), but screen unlock is instantaneous.  An attacker can brute force the PIN more quickly by keeping the phone turned on, assuming mechanisms for limiting the number of attempts are not present or have been subverted.  Of course, any method to subvert limits on the number of attempts, e.g., side-loading an operating system patch, could also disable the mechanism to forget easier hashes.

No comments :