Client-CASH: Protecting Master Passwords against Offline Attacks

TL;DR

Client-CASH is a novel client-side hashing scheme that increases security against offline password attacks by randomizing key stretching runtime, reducing adversary success rates while managing legitimate user costs.

Contribution

The paper introduces a new randomized client-side key stretching method using halting predicates, formalizes its optimization, and demonstrates a significant security improvement.

Findings

Reduces adversary success rate by up to 21%

Introduces randomness in key stretching with halting predicates

Formalizes optimal runtime distribution under security and cost constraints

Abstract

Offline attacks on passwords are increasingly commonplace and dangerous. An offline adversary is limited only by the amount of computational resources he or she is willing to invest to crack a user's password. The danger is compounded by the existence of authentication servers who fail to adopt proper password storage practices like key-stretching. Password managers can help mitigate these risks by adopting key stretching procedures like hash iteration or memory hard functions to derive site specific passwords from the user's master password on the client-side. While key stretching can reduce the offline adversary's success rate, these procedures also increase computational costs for a legitimate user. Motivated by the observation that most of the password guesses of the offline adversary will be incorrect, we propose a client side cost asymmetric secure hashing scheme (Client-CASH). Client-CASH randomizes the runtime of client-side key stretching procedure in a way that the expected computational cost of our key derivation function is greater when run with an incorrect master password. We make several contributions. First, we show how to introduce randomness into a client-side key stretching algorithms through the use of halting predicates which are selected randomly at the time of account creation. Second, we formalize the problem of finding the optimal running time distribution subject to certain cost constraints for the client and certain security constrains on the halting predicates. Finally, we demonstrate that Client-CASH can reduce the adversary's success rate by up to $21\%$. These results demonstrate the promise of the Client-CASH mechanism.