Documentation

Fields

• g3pSalt_seguid :: !HmacKey

  usable as a high-repetition indirect tag via self-documenting globally unique identifiers (seguids)

• g3pSalt_longTag :: !ByteString

  plaintext tag with 1x repetition, then cycled for roughly 8 kilobytes which is used as filler padding after the password.

  This is typically duplicated as the g3pSeedInputs_bcryptLongTag parameter, which provides a very large number of cryptoacoustic repetitions. If this step is not taken, then this parameter can be discarded after the first call to HMAC is complete, making it essentially horn-loaded which would be a bit of an anomaly for this input block.

  The first 0-63 bytes is also used as filler padding after the contextTags, possibly making part of this parameter not horn-loaded.

  Constant time on inputs 0-4095 bytes. Overages incur one sha256 block per 64 bytes, rounded up.

• g3pSalt_contextTags :: !(Vector ByteString)

  plaintext tags with 4x repetition. Constant-time on 0-63 encoded bytes, which includes the length encoding of each string. Thus 60 of those free bytes are usable if the tags vector is a single string, or less if it contains two or more strings. The empty vector is a good default choice here.

  Overages incur four sha256 blocks per 64 bytes.

  This parameter is notable because it is the least expensive purely auxiliary input that is not horn-loaded. Thus if you want a very long salt input that provides a bit of extra collision resistance, this would be a logical candidate input location to consider.

  If your deployment uses a random salt per account, this is an ideal location in which to place a copy of that salt. This is also a reasonable location for salts derived from hashed usernames.

  If your deployment uses a plain login name as the username salt, by including it here your deployment would then require that anybody who can crack the password must know the login name.

  This would be a highly atypical deployment design decision. In most contexts, it would seem to be better to omit plaintext login names from this parameter.

• g3pSalt_domainTag :: !ByteString

  plaintext tag with one repetition per PHKDF round. 0-19 bytes are free, 20-83 bytes cost five additional sha256 blocks plus one block per PHKDF round, with every 64 bytes thereafter incurring a similar cost.

  In the case of long domain tags, it is strategically advantageous to ensure that the first 32 bytes are highly actionable, as these bytes are commonly used as filler padding.

  This parameter provides domain separation. (also see the NIST glossary) A suggested value is a ICANN domain name controlled by the deployment.

  The name is also a bit of an homage to the "realm" parameter of HTTP basic authentication, which in part inspired the domain tag by inspiring the question "What would the realm parameter do if it did something useful?"

• g3pSalt_phkdfRounds :: !Word32

  How expensive will the PHKDF component be? An optimal implementation computes exactly two SHA256 blocks per round if the domain tag is 19 bytes or less, plus one block per round for every 64 characters over 19, rounded up.

  I recommend 20,000 rounds or so. You might consider adjusting that recommendation downward in the case of domain tags that exceed 19 bytes in length: 13,333 rounds of PHKDF with a domain tag that is 83 bytes long will cost exactly one SHA256 block less than 20,000 rounds of PHKDF with a domain tag that is 19 bytes long.

  Note that this cost comparison is exact only when looking at only the PHKDF key stretching phase. The G3P also computes a reasonably large but constant number of additional SHA256 blocks as part of it's initial HMAC-Extract operation, G3Pb2 alfa.

  Thus if you are tuning this parameter via empirical timing tests, the direct linear relationship between this parameter and time is approximate, not exact, due to a this reasonably large offset.

Fields

• g3pInputs_username :: !ByteString

  constant time on 0-293 bytes, or if the combined length of the username and password is less than about 4 kilobytes, or if the combined length of the username, password, and long tag is less than about 8 kilobytes.

  Using deployment-identifying seguids and domain tags makes it perfectly safe to put normalized plaintext login names here, as then this salt would then only need to be unique within a deployment.

  This approach comes with the cost that you will have to reliably perform username normalization everywhere this hash function is computed. Offering a server-side remote procedure call to perform this normalization is recommended.

  The G3P is intentionally designed to allow the plaintext username to be hidden from a password cracker via partial evaluation, preventing the cracker from immediately logging in if successful. However, this partial application doesn't apply any key-stretching, meaning that guessable login names can be cracked relatively quickly.

  Thus this approach is less of a defensive line and more of a "sand in the gears" tactic. It might also be useful as a legal damages enhancement strategy against unauthorized password crackers who fail to take this step to help protect users' privacy.

  Even better, apply key-stretching to the plaintext login name, possibly via another call to the G3P, and duplicate that derived salt in the g3pInputs_username and g3pSalt_contextTags parameters, and inside the role parameter of G3PSprout.

  This repetition of an account's salt ensures that any collision that happens between accounts must occur quite late. Even if a cryptographically non-trivial collision happens before the repetition, the account's salt will push the output hashes apart once again.

  Including the account's salt in either the echo key or echo tag parameters implies a cryptographically non-trivial collision must happen on the very last HMAC call that generates any output block, and that must happen on every output block.

  Disconnecting login names from publicly-facing screen names can represent a significant upgrade of "sand in the gears" to something resembling a proper defensive line, though this disconnection can also benefit any approach.

  For another upgrade, using a random salt per acccount has the potential to be a far more meaningful defensive line. This brings the advantage of completely disconnecting public salts from login names, except by talking to (or compromising) a salt server.

  In a rare alignment of interests, this can serve both legitimate deployments and the password hash thieves that attack them. Some thieves will want to be able to outsource password cracking work without giving successful crackers an opportunity to log in, and this makes it easier for the thief to securely withhold the login name from the cracker.

  The cost is that in typical client-side prehashing scenarios, a salt server will have to reveal the actual salt for arbitrary accounts to arbitrary members of the public. This has the potential to leak information about the (non-)existence of accounts and to leak information about recent account activity.

  Of particular concern is providing reidentification hooks that enable deanonymization attacks. Though I don't exactly understand how a public-facing salt server could become such a hook, it's also something that seems possible.

  This issue could be largely mitigated by ensuring your salt server is capable of handing out convincing nonsense that is consistent over time. The server does not even need to remember every fake salt you've ever handed out. For example, the server could generate a fake salt by hashing a normalized version of the nonexistent login name with a secret key.

  If you are running a sufficiently sensitive identity service to justify the additional complexity and ongoing operational costs, running a salt server seems very much worthwhile.

  One reason is that when a password hash is stolen, having a login name in its derivation can be a reidentification hook without even needing to talk to a server. On the other hand, salt derived from a login name seems far preferable to a poorly implemented salt server.

  A poorly implemented server can become a toehold for attackers to get inside your infrastructure, and has the potential to leak whether or not an account exists, possibly even to the general public. Account existence can itself be an extremely juicy reidentification hook, and querying a public server doesn't require stealing password hashes first.

  In a few specialized cases it might be possible to hide a random salt from members of the general public by requiring pre-authentication before the password can even be attempted. However, this cannot be a general-purpose solution, as passwords are one of the fundamental solutions to the problem of key management, and key management is the fundamental problem behind authentication.

  One might also supplement or replace any salt applied here with an oblivious pseudorandom function (OPRF) in your authentication flow, especially if password-authenticated key agreement (PAKE) is used.

  Through the magic of multiparty computation, it's possible to apply a salt that only the server knows to a password attempt that only the client knowns. However, OPRF cannot be directly integrated into the G3P, though the G3P should be an excellent choice for a key derivation function to prepare a password for OPRF.

  I see this choice of plain usernames versus random salts or possibly even none at all as a fairly fundamental tradeoff in the design of G3P deployments. I took the time to ensure that all are possible.

  In my estimation, of the approaches that I've started to sketch, deriving salts directly from plaintext login names in a public, non-secret way is the hardest to mess up badly.

  Implementing a salt server potentially enables signficant security advantages, but also represents additional complexity, operational expense, and itself creates additional attack surfaces and security risks.

  This decision has significant strategic consequences. I don't think there exists a one-size-fits-all solution, and there are quite a few ways to sensibly customize each approach. Any can be executed poorly, and any can be executed well. Pick your poison wisely.

• g3pInputs_password :: !ByteString

  constant time on 0-293 bytes, or if any of the other conditions are met.

• g3pInputs_credentials :: !(Vector ByteString)

  constant time on 0-282 encoded bytes. This includes variable-length fields that encode the bit length of each string; these fields itself require two or more bytes per string.

Fields

• g3pSeedInputs_bcryptSeguid :: !HmacKey

  Key to used to generate keys for bcrypt superrounds and to soak up the entropy from bcrypt's state at the end of each superround. Duplicating the g3pSalt_seguid is a good default choice.

• g3pSeedInputs_bcryptCredentials :: !(Vector ByteString)

  Used directly once to derive key0 for the first bcrypt superround, and indirectly affects every cryptographic operation after that.

  0-29 bytes are free. The length encoding for each bytestring needs to be included, thus 0-27 data bytes incur zero incremental cost if you encode everything in one string, or less if you use more than one string.

  Overages cost one SHA256 block per 64 bytes, rounded up. Thus, this is a horn-loaded parameter introduced after the phkdf key-stretching phase is complete.

  If some unusual deployment of the G3P accepts arbitrary external inputs into the bcryptLongTag, one possible way to handle this situation efficiently and safely would be to include the entire input in this parameter. This is not necessary if such a deployment duplicated the external input into both the g3pSalt_longTag and g3pSeedInputs_bcryptLongTag parameters.

• g3pSeedInputs_bcryptLongTag :: !ByteString

  Be aware this is truncated to (rounds + 1) * 4136 bytes, but length still matters after that. The primary intended use is to duplicate g3pSalt_longTag a very large number of times.

  Also be aware that nobody should trust this parameter with arbitrary, potentially hostile input that is selected after all of the other inputs to the bcrypt computation are known. There are, however, a large number of ways to avoid any potential issue, including:

  1. Ensuring that this input is fully commited to before looking at all of the other input parameters by convention, which is true in the primary intended use case as an extended plaintext salt for password hashing.
  2. Ensure that this input has been committed to by including the entirety of its contents in the derivation of at least one other input parameter. Note that duplicating g3pSalt_longTag is sufficient to meet this requirement. Including it somewhere in a G3PSalt parameter is highly recommended as it ensures that varying any part of this parameter is expensive as possible.
  3. Ensure that this input is 4287 bytes or less. Local HMAC computations ensure at least this many bytes are automatically committed to before the bcrypt key stretching is allowed to move forward.
  4. Ensure that this input has some kind, any kind, of recognizable pattern. If this input is a valid UTF8 encoding, it doesn't matter if the textual content is random gibberish. It's extremely doubtful that an attacker could achieve any particularly nefarious goal under this restriction.

  Note that any single one of these conditions should be sufficient to avoid problems, and that the primary intended use case for this parameter meets all of them. After all, the entire point of this parameter is to ensure the delivery of plaintext salts from authentication database deployments to password crackers.

  Failing all of that, there's still an attempt to make the G3P resistant to hostile inputs. Within each bcrypt round, the exact same longTag bytes are repeated four times in a combinatorial block design that ensures nonlinear effects.

  I wouldn't want to rely on this design feature of last resort without careful study, which is likely to suggest further improvements. Yet this hedge doesn't cost anything with respect to the intended use case, and seems plausibly strong in situations that fall well outside any intended use case.

  Regarding condition 2, any of the G3PInput parameters would also qualify. However, it would be rather silly to repeat the user's password here, as that would prevent the bcrypt key stretching computation from being securely outsourced to a semi-trusted device.

  Regarding condition 3, the actual size of a parameter that is fully committed to via baked-in hashing is likely more than 8192 bytes, but this would require further verification.

  The shortest plausible attack string would seem to need to be as long as the truncation limit, which is north of 16 megabytes if you specify the suggested 4000 rounds.

  Here, the attack model of concern is preventing any external input from affecting the final bcrypt state in any way that's better than a multiplicity of fair coin flips.

  Failing to fully commit to the bcrypt long tag up-front potentially allows external input to tweak the final result without redoing the entirety of the key-stretching computation, even if the desired fairness property is ensured.

  This final bcrypt state is then consumed as part of an HMAC message. This outer HMAC provides the next line of defense against this type of attack. This line of defense pretends this outer HMAC doesn't exist.

• g3pSeedInputs_bcryptContextTags :: !(Vector ByteString)

  Also used to derive super round keys for bcrypt. 0-63 encoded bytes are free, meaning that 60 bytes impose zero incremental cost if you encode everything into one string, or somewhat less if you use more than one string.

  Overages cost two SHA-256 blocks per 64 bytes per bcrypt superround.

  Leaving this empty is a good default choice. In particular, one should not default to duplicating anything between this parameter and the g3pSeed_contextTags parameter.

  For example, if your deployment uses a random account salt, or an account salt derived transparently from a login name, then it's a good idea to include that salt in the username and contextTags parameters, but exclude the plaintext of that salt from bcryptContextTags.

  This use of an account salt implies that if some or all of the bcrypt computation is outsourced to another device, that device cannot break the password without knowing the salt, or successfully guessing both the salt and password at the same time.

  Assuming simplest and most-intended outsourcing algorithm, directly including that account salt in the bcryptContextTags vector would require that the plaintext of this salt be known to the device performing the key-stretching computation, thus automatically obviating this possible line of defense.

  If one is absolutely set on including that random salt here, one could hash the salt first to derive a new salt that cannot itself be used to crack the password. What things are forgotten and when are important details in cryptographic processes, and these choices have strategic implications.

  Alternatively, one could implement the G3P using a more sophisticated outsourcing algorithm. This would require interactive communication every transition between bcrypt superrounds. By contrast, the design intension is to be able to treat outsourcing bcrypt as (relatively) simple remote procedure call (RPC).

• g3pSeedInputs_bcryptDomainTag :: !ByteString

  Used to derive the keys for a super round in bcrypt-xs-ctr mode. Duplicating the g3pSalt_domainTag is a good default choice.

  0-19 bytes are free. 20-83 bytes and every 64 bytes thereafter impose a cost of two SHA-256 blocks per bcrypt superround.

• g3pSeedInputs_bcryptRounds :: !Word32

  How expensive will the bcrypt component be? 4000 rounds recommended, give or take a factor of 2 or so. Each bcrypt round is approximately as time consuming as 60 PHKDF rounds. Using the recommended cost, parameters, the cost should be dominated by bcrypt.

  The number of superrounds matters for some cost calculations. This is always ceiling ((bcryptRounds + 1) / 128).