Score:0

Key Derivation/Hashing Function with Fast Comparison

in flag

Is there a key derivation/hashing function (that has any real value) that fulfills both of these criteria:

  • Slow to compute the hash
  • Fast to verify the hash based on the input string (not given a second, existing copy of said hash)

I know in general key-derivation is used to prevent brute-forcing of passwords, but that's typically to protect passwords against internal users.

I'm looking to set up an authentication system where a user must provide a username, password and a Proof of Work hash of the password, except.. I'd like to not have to do the work myself to quickly check.

The hash is not being compared against the actual hash in the database (e.g., it should be a different hashing algorithm than the one in the database.. PBKDF2), this is simply to discourage brute forcing while also not creating some endpoint on my server where a malicious actor can make my server do some hard work... for nothing.

Is this even possible? I know it's not necessary, but if it's possible it seems like a simple measure I could take to secure my web servers.

kelalaka avatar
in flag
Conflicting requirement? If you can verify fast why the attacker cannot?
in flag
It just feels like I should be able to use a key-derivation function to mix a private key into the key the user will use to hash/derive another key which should make it very easy to check (given the private key, which the user will not have).
in flag
@kelalaka see my last comment; I don't know if this is necessarily a thing or not. But I mean, this is a property of PKI (e.g., given the private key, you can just decrypt the message, otherwise you must crack it). I feel like the same should be able to be somehow transmuted into PoW...
in flag
I mean, even just a PKI setup where it is much harder to encrypt with the public key than it is to decrypt with the private key would work.
Score:0
in flag

A simple Brave search for "Proof of Work hashing" answered this... https://www.npmjs.com/package/hashcash

kelalaka avatar
in flag
SO you store the hashcash value so that you have fast verification? This is not the way Key Derivation works. If you want to have a slow one use Argon2.
in flag
@kelalaka *e.g., it should be a different hashing algorithm than the one in the database.. PBKDF2* No. I am storing PBKDF2 in the database. The hashcash/proof of work is not stored... No where did I imply that I would be storing the hashcash.
in flag
It would work like this.... 1.) User computes hashcash, sends username, pass, hashcash and counter value 2.) I verify hashcash with counter and inputs (lets say the username + password). 3. Only _after_ verification do I then check the database (where I then hash the password provided by the user with PBKDF2 and compare it against the database record). The point is so that a malicious user can't force my server to repeatedly check the PBKDF2 hash without having done a ton of work (much more work than my server) up front.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.