i've been brainstorming on the different way to apply a KDF in a
"strong enough way" and i see that each approach has it's advantage
and disadvantages in terms of speed, in terms of FPGA/ASIC
protection, in terms of crypto primitives being used.
I'm wondering if it's smart or stupid to think/apply a
password-hashing system that apply multiple password-hashing schema
based on different cryptographic primitives in sequence, as a way to
force the attacker willing to FPGA/ASICize the bruteforcing process,
to need to implement multiple cracking infrastructure.
I don't have the cryptographic knowledge to design something on my
own, but i'm asking if "this approach" make sense.
Let's assume something like that, assuming that could take 10-20s on
a modern computer:
step0: 3s of scrypt
step1: 10.000 round of SHA256
step2: 10.000 round of SHA512
step3: 10.000 round of Whirpool (even if broken)
step4: 10.000 round of Blake2
step5 10.000 round of
step7: 10.000 round of HKDF (In WebCrypto API)
step6: 10.000 round of PKDF2 (in WebCrypto API)
Each single hashing algorithm and KDF functions provide a specific
set of protection against specific set of attacks.
An adversary that want to build ASIC or FPGA cluster, would really
require to build many specialized clusters rather than one very
focused cracking-cluster (ie: to attack SHA256).
A "Meta KDF" function like that could bring much more complexity on
the attacker side by requiring the attacker to employ multiple
attack vectors to attack the cryptosystem.
The approach previously described, from a real world attack scenario
perspective, does make sense as a "on steroid key-stretching"
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights