3

With the advent of GPU-based computing, and now commoditized/dedicated SHA256 processors, what risk does this hardware pose to cryptography?

What security algorithms should be closely watched or upgraded?

makerofthings7

2 Answers

8

Such hardware may make life more difficult for people who rely on PBKDF2 for password hashing. Password hashing functions are intentionally slow -- slow for the honest server and for the attacker alike. We want it to be as slow as is tolerable for the server which uses it, so that it becomes (hopefully) intolerably slow for the attacker.

The defendant's advantage in the password hashing game is the password complexity. The defendant wants a function which can be used to verify one password at a time, whereas the attacker must try millions or billions of them.

The attacker's advantages are:

  • Patience: the attacker can afford to spend two weeks cracking the password, while the defendant must verify a user's password within one second (users have no patience).
  • Money: the attacker's budget for hardware can exceed that of the defendant.
  • Parallelization: the attacker has many passwords to try and thus can fully benefit from hardware which can do parallel computations (e.g. clusters, GPU, or simply a bunch of PCs momentarily "borrowed" from a University, in case the attacker is a bored student).
  • Specialization: the attacker can invest in specialized hardware (such as the ones you refer to) and thus get more hashing done per dollar invested than the defendant (because the defendant uses a server which must also do something useful besides verifying the passwords).

Specialized hardware which is good at SHA-256 is thus an advantage for the attacker, if the password hashing function uses SHA-256, of course. Some other password hashing functions (e.g. bcrypt and, even more so, scrypt) are more GPU-resilient and will offer somewhat better protection, as long as nobody begins to mass-produce specialized bcrypt-cracking hardware, of course (e.g. the Virtex family of FPGAs from Xilinx, which have embedded RAM blocks and can thus compute bcrypt quite efficiently). See this answer for a more detailed discussion.

Note that while SHA-256 specialized hardware makes it theoretically easier to attack SHA-256 upfront (building collisions, computing preimages...), the work factor for these attacks is still far away in the unfeasible zone. See this answer for some analysis.

Thomas Pornin
0

This lowers the time-cost tradeoff for brute forcing short passwords. I think this means you need to recalculate the cost to brute-force your settings. If the assets you are protecting are worth more than the cost to brute-force your current settings, you need to add more iterations, password complexity, or minimum length requirements.

How much does it cost to brute all 6-8 digit passwords in under 2 weeks? This definitely changes the economics and should affect how you protect your assets unless you already have a lot of margin.

Bradley Kreider