Pepper (cryptography)

In cryptography, a pepper is a secret added to an input such as a password during hashing with a cryptographic hash function. This value differs from a salt in that it is not stored alongside a password hash, but rather the pepper is kept separate in some other medium, such as a Hardware Security Module.[1] Note that the National Institute of Standards and Technology refers to this value as a secret key rather than a pepper. A pepper is similar in concept to a salt or an encryption key. It is like a salt in that it is a randomized value that is added to a password hash, and it is similar to an encryption key in that it should be kept secret.

A pepper performs a comparable role to a salt or an encryption key, but while a salt is not secret (merely unique) and can be stored alongside the hashed output, a pepper is secret and must not be stored with the output. The hash and salt are usually stored in a database, but a pepper must be stored separately to prevent it from being obtained by the attacker in case of a database breach.[2] A pepper should be long enough to remain secret from brute force attempts to discover it (NIST recommends at least 112 bits).

History

The idea of a site- or service-specific salt (in addition to a per-user salt) has a long history, with Steven M. Bellovin proposing a local parameter in a Bugtraq post in 1995.[3] In 1996 Udi Manber also described the advantages of such a scheme, terming it a secret salt.[4] The term pepper has been used, by analogy to salt, but with a variety of meanings. For example, when discussing a challenge-response scheme, pepper has been used for a salt-like quantity, though not used for password storage;[5] it has been used for a data transmission technique where a pepper must be guessed;[6] and even as a part of jokes.[7]

The term pepper was proposed for a secret or local parameter stored separately from the password in a discussion of protecting passwords from rainbow table attacks.[8] This usage did not immediately catch on: for example, Fred Wenzel added support to Django password hashing for storage based on a combination of bcrypt and HMAC with separately stored nonces, without using the term.[9] Usage has since become more common.[10][11][12]

Types

There are multiple different types of pepper:

  • A secret unique to each user.
  • A shared secret that is common to all users.[2]
  • A randomly-selected number that must be re-discovered on every password input.[13]

Algorithm

An incomplete example of using a pepper constant to save passwords is given below.

Username    Password
user1       password123
user2       password123

This table contains two combinations of username and password. The password is not saved, and the 8-byte (64-bit) 44534C70C6883DE2 pepper is saved in a safe place separate from the output values of the hash.

Username    Hashing string                  Hash output value = SHA256 (Password + pepper)
user1       password123+44534C70C6883DE2    D63E21DF3A2A6853C2DC675EDDD4259F3B78490A4988B49FF3DB7B2891B3B48D
user2       password123+44534C70C6883DE2    D63E21DF3A2A6853C2DC675EDDD4259F3B78490A4988B49FF3DB7B2891B3B48D

Unlike the salt, the pepper does not provide protection to users who use the same password, but protects against dictionary attacks, unless the attacker has the pepper value available. Since the same pepper is not shared between different applications, an attacker is unable to reuse the hashes of one compromised database to another. A complete scheme for saving passwords usually includes both salt and pepper use.

Shared-secret pepper

In the case of a shared-secret pepper, a single compromised password (via password reuse or other attack) along with a user's salt can lead to an attack to discover the pepper, rendering it ineffective. If an attacker knows a plaintext password and a user's salt, as well as the algorithm used to hash the password, then discovering the pepper can be a matter of brute forcing the values of the pepper. This is why NIST recommends the secret value be at least 112 bits, so that discovering it by exhaustive search is prohibitively expensive. The pepper must be generated anew for every application it is deployed in, otherwise a breach of one application would result in lowered security of another application. Without knowledge of the pepper, other passwords in the database will be far more difficult to extract from their hashed values, as the attacker would need to guess the password as well as the pepper.

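A pepper adds security to a database of salts and hashes because, unless the attacker is able to obtain the pepper, cracking even a single hash is infeasible, no matter how weak the original password. Even with a list of (salt, hash) pairs, an attacker must also guess the secret pepper in order to find the password that produces the hash. The NIST specification for a secret salt suggests using a password-based key derivation function (PBKDF) with an approved pseudorandom function such as HMAC, with SHA-3 as the hash function. The NIST recommendation is also to perform at least 1000 iterations of the PBKDF, and a further minimum of 1000 iterations using the secret salt in place of the non-secret salt.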
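
The complete scheme mentioned under Algorithm (per-user salt plus pepper), in the keyed-hash form described in this section, can be written as follows. This Python code is an added example, not taken from the article or from NIST; the function names, the iteration count and the use of SHA-256 (rather than the SHA-3 mentioned above) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 10_000    # sample work factor; the page cites a minimum of 1000
MIN_PEPPER_BYTES = 14  # 112 bits, the minimum length the page cites from NIST


def new_pepper():
    """Return a random 128-bit pepper; keep it outside the password database."""
    return secrets.token_bytes(16)


def hash_password(password, pepper, salt=None):
    """Return (salt, digest), the only two values stored per user."""
    if len(pepper) < MIN_PEPPER_BYTES:
        raise ValueError("pepper shorter than 112 bits")
    if salt is None:
        salt = secrets.token_bytes(16)  # per-user and not secret
    # Step 1: salted, iterated hash (PBKDF2 with HMAC-SHA-256).
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Step 2: one further keyed hash, with the pepper as the HMAC key.
    digest = hmac.new(pepper, stretched, hashlib.sha256).digest()
    return salt, digest


def verify_password(password, pepper, salt, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, pepper, salt)
    return hmac.compare_digest(candidate, stored)


def demo():
    """Constructed data mirroring the user1/user2 rows in the table above."""
    pepper = new_pepper()
    salt1, hash1 = hash_password("password123", pepper)
    _, hash2 = hash_password("password123", pepper)
    return {
        "same_password_same_hash": hash1 == hash2,
        "correct_login": verify_password("password123", pepper, salt1, hash1),
        "wrong_password": verify_password("password124", pepper, salt1, hash1),
        # Database contents alone, with a guessed pepper, do not verify.
        "without_real_pepper": verify_password(
            "password123", new_pepper(), salt1, hash1),
    }


if __name__ == "__main__":
    print(demo())
```

In a deployment the pepper would be read from a separate store such as the Hardware Security Module mentioned in the introduction, not generated next to the hashes as `demo()` does.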

Unique pepper per user

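In the case of a pepper that is unique to each user, the tradeoff is gaining extra security at the cost of storing more information securely. Compromising one password hash and revealing its secret pepper has no effect on other password hashes and their secret peppers. Each pepper must therefore be discovered individually, which greatly increases the time taken to attack the password hashes.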

References

  1. ^ "NIST Special Publication 800-63B". 2022-12-16. Section 5.1.1.2. Retrieved 2023-10-10. ...verifiers should perform an additional iteration of a keyed hashing or encryption operation using a secret key known only to the verifier.
  2. ^ a b Akhawe, Devdatta. "How Dropbox securely stores your passwords". dropbox.tech. Retrieved 2020-11-04.
  3. ^ Bellovin, Steve (1995-04-16). "passwd hashing algorithm". seclists. Retrieved 2020-11-11.
  4. ^ Manber, Udi (1996). "A simple scheme to make passwords based on one-way functions much harder to crack". Computers & Security. 15 (2): 171–176. doi:10.1016/0167-4048(96)00003-x. Retrieved 2020-11-11.
  5. ^ Blake, Ross; Jackson, Collin; Miyake, Nick; Boneh, Dan; Mitchell, John (2005). "Stronger Password Authentication Using Browser Extensions". USENIX Security Symposium: 17–32. Retrieved 2020-11-11.
  6. ^ Lars Schoening (January 25, 2006). "Hash only (Pepper) data transmission". Newsgroup: sci.crypt.
  7. ^ cyrusthevirus (June 7, 2007). "Bruce Schneier Facts". Newsgroup: it.test. Most people salt their hash. Bruce salt and peppers his.
  8. ^ Webster, Craig (2009-08-03). "Securing Passwords with Salt, Pepper and Rainbows". Barking Iguana. Retrieved 2020-11-11.
  9. ^ Wenzel, Fred (2011-03-12). "History for django-sha2/django_sha2/bcrypt_auth.py". Github. Retrieved 2020-11-11.
  10. ^ Patrick Mylund Nielsen (May 30, 2012). "Generating Salt for encryption using golang". golang-nuts (Mailing list).
  11. ^ Duong, Thai (2020-09-05). "Why you want to encrypt password hashes". vnhacker blogspot. Retrieved 2020-11-11.
  12. ^ @Sc00bzT (2020-09-18). "Pepper use to mean "a non-cryptographic salt"" (Tweet) – via Twitter.
  13. ^ "Brute Force Attack on UNIX Passwords with SIMD Computer" (PDF). August 1999.