
Most password hashes have a cost parameter that indicates how long the algorithm should take. Is there an algorithm where you can increase that cost for a particular hash, without access to the plaintext password?

So I have existing hashes in the database with cost=10, and I want to upgrade these to cost=20, without access to the plaintext password.

This isn't possible for PBKDF2 and bcrypt, because these use the password in each iteration. Is there any algorithm that supports this? Is there a specific name for this property?

Sjoerd

2 Answers


This is called Client-Independent Update, according to the Catena paper.

It is desirable to be able to compute a new password hash (with some higher security parameter) from the old one (with the old and weaker security parameter), without having to involve user interaction, i.e., without having to know the password. We call this feature a client-independent update of the password hash.

The Rig password hash adopted this term:

Client-independent update: Our design supports client independent update, i.e., server can increase the security parameter without knowing the password.

This article even shortens it to CIU.

  • Battcrypt and Parallel have CIU or are easily modified to have it.
  • POMELO mentions that you could just run the algorithm twice to get CIU.
  • Yescrypt seems to have CIU.

An overview:

List of password hashes and whether they have CIU

SEJPM

Naively, I would say: can you not just concatenate both operations? If you add a second hash operation of cost 10 to the existing hash, won't that give you a total cost of 20? I mean: if CP is the clear text password, and you've stored the H1P = h1(CP) hashes of them with cost 10, can you not calculate H2P = h2(H1P) = h2(h1(CP)) with also cost 10, to obtain a total cost of 20? Eventually even using the same function (so h1 = h2)?

entrop-x
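The client-independent update described in the first answer, realised by the layering construction h2(h1(CP)) sketched in the second, as an added example that is not code from either answer or from any of the named schemes. It assumes PBKDF2-HMAC-SHA256 as the per-layer function with cost expressed as a raw iteration count, so layered costs add (they would not for bcrypt's logarithmic cost parameter), and a constructed record layout of salt, list of layer costs, and final digest.

```python
import hashlib
import hmac
import os

# Constructed record layout: {"salt": bytes, "costs": [int, ...], "digest": bytes}.
# Each layer feeds the previous layer's output into PBKDF2, so the server can
# append a layer later (upgrade) without the password, and a verifier replays the
# whole chain from the password. Iteration counts are kept low for illustration.

def _layer(material: bytes, salt: bytes, iterations: int) -> bytes:
    """One layer of work: PBKDF2-HMAC-SHA256 over the previous material."""
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)

def create(password: str, cost: int, salt: bytes = b"") -> dict:
    """Initial hash at the given cost (password available, as at registration)."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "costs": [cost],
            "digest": _layer(password.encode(), salt, cost)}

def upgrade(record: dict, extra_cost: int) -> dict:
    """Client-independent update: raise total cost using only the stored digest."""
    return {"salt": record["salt"],
            "costs": record["costs"] + [extra_cost],
            "digest": _layer(record["digest"], record["salt"], extra_cost)}

def verify(password: str, record: dict) -> bool:
    """Replay every layer from the password and compare in constant time."""
    material = password.encode()
    for cost in record["costs"]:
        material = _layer(material, record["salt"], cost)
    return hmac.compare_digest(material, record["digest"])

def total_cost(record: dict) -> int:
    return sum(record["costs"])

def rehash_at_login(password: str, record: dict) -> dict:
    """After a successful login the password is available again, so the layered
    chain can be collapsed into a single native hash at the same total cost."""
    if not verify(password, record):
        raise ValueError("password does not match record")
    return create(password, total_cost(record), record["salt"])

if __name__ == "__main__":
    rec = create("correct horse", 1000, salt=b"constructed-salt")
    rec2 = upgrade(rec, 1500)          # no password needed here
    print(verify("correct horse", rec2), total_cost(rec2))
```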