DKX Password Security Express is a library of functions that are used for protection of passwords by cryptographic hashing in salted, iterative key-derivation procedures. These procedures are used in password-based authentication procedures.
The function of DKX is to provide a cryptographic derivation of keys that cannot be used as a means for discovery of the password by other than costly brute-force password guessing methods. DKX procedures are designed to operate as fast as possible on commodity platforms yet with the time consumed by directed repetitive attacks on the password itself multiplied to a prohibitive cost.
There must be a balance between the cost of key generation and the cost of password authentication based on the circumstances in which a password is involved.
For example, when an authentication key is generated for use as a (potentially) plain-sight authentication value for a private password, the emphasis is on protection of the password, even though no valuable password is ever entirely safe to use under those conditions.
Alternatively, when an encryption key and related parameters are derived from a secret password, it is important to prevent any kind of replay of any derivative material and also ensure that the derived key is no easier to discover than the password itself. This case is handled by ensuring that the parameters are enough different and the procedure time-consuming enough that password-based authentication is of no support in an attack on password-based encryption. These measures are helpless against compromise of the password itself. They simply do not contribute any ammunition to a compromise of the password.
Finally, it is possible to employ the DKX procedures in private techniques by which password-based authentication does not use an authentication value that is directly related to a password. That is, there is a two-party procedure in which the authentication is not possible by any direct procedure, because part of the authentication material is held separately in a way that is resistant to brute-force repetitive attacks.
This project focuses on the development of proofs-of-concept DKX baseline implementations that can be verified against specified procedures for generation of cryptographically-random numbers, secure hash algorithms (viz. SHA1), message authentication procedures (viz. HMAC-SHA-1), and password-based key derivations (viz. PBKD2). The confirmed proof-of-concept implementations are a basis for worst-case performance characteristics.
The Express implementations are progressively faster and efficient versions that can be confirmed for accuracy and quality against the baselines. The performance gains can also be calibrated against the baselines and earlier versions. The use of optimized, custom techniques for the specific DKX usage profile is designed to resist brute-force repetitive attacks as those methodologies also become more efficient.
- Hamilton, Dennis E.
- DKX Password Security Express. nfoWorks devNote folio d120701 0.00, March 9, 2013. Accessed at <http://nfoWorks.org/dev/2012/07/d120701.htm>.
created 2012-07-07-14:43 -0700 (pdt)