Scrypt KDF Support

Quexten · January 5, 2023, 9:12am

Hi,

discussion has been ongoing about other key derivation functions being added to Bitwarden.

The current KDF, PBKDF2 uses little to no memory, and thus scales very well on GPUs which have a comparatively low amount of memory per core. For long, high entropy, master passwords this is not an issue, but these days better hash functions, that limit this attack, are available. One suggestion has been to add support for Argon2, though the Javascript ecosystem support is lacking here. While there is a WASM implementation, it is unaudited, and might not work on some platforms. Another KDF that limits the amount of scalability through a large internal state is scrypt. For scrypt there are audited, and fuzzed libraries such as noble-hashes.

I have created basic scrypt support for Bitwarden. Instead of KDF iterations, there is a “Work Factor” which scales linearly with memory and compute. It has to be a power of 2, and thus I made the user configurable work factor a drop down selection.

Additionally, there are some other configurable factors for scrypt, which I did not make user-configurable, but set statically according to a post from the guy in charge of cryptography for Golang at google.

The code is on this branch. Still missing are: unit tests and an implementation for the mobile clients. Before writing the mobile client implementation, I wanted to get feedback on the current implementation

Quexten · January 5, 2023, 9:15am

Since I’m a new user on the forum I had to put these links in a second post due to a limit on new users:
Noble Hashes Library: https://github .com/paulmillr/noble-hashes
SCRYPT Parameters by Filippo Valsorda: https://words .filippo .io/the-scrypt-parameters/

grb · January 5, 2023, 5:30pm

I’m not familiar with scrypt, so please ignore if the following is a bad idea, but my suggestion would be from a usability perspective, to have the user input the base-2 logarithm of the work factor instead of the work factor itself (an inscrutable 5-7 digit number). Thus, you could keep the same input field format as currently used for PBKDF2, and just limit the valid inputs to integers the range 16-22. You could even take inputs in the range 1-7 (or 0-6) and transform these into a valid work factor in the range 2¹⁶–2²².

Also, what is your source for 2¹⁶ as the minimum acceptable value? The two sources you linked above have 2¹⁰ and 2¹⁵, respectively, as the minimum.

Quexten · January 5, 2023, 5:53pm

Yeah, good idea, I agree that the current selection is a bit unreadable. We could also just write “2^15” or “2¹⁵” instead of 15 (or 32768) so it is clear what the work factor is, but at the same time more readable.

About the minimum: To be honest I didn’t find any device where at 2^16, the hashing took any noticeable amount of time, so I’m not sure what the use-case for setting it lower would be, still I’m happy to decrease the minimum to 2^15.

bw-admin · January 6, 2023, 9:07am

Thanks @Quexten, I’ll review with the team

Quexten · January 9, 2023, 11:22pm

Ok, as an update: I have now implemented scrypt for the mobile clients. The cryptographic library used, is BouncyCastle, the same one Bitwarden already uses on Android for other cryptographic functions. I had to add it to the iOS client as a dependency, since the Bitwarden client only used iOS native cryptographic functions so far.

I have tested it to correctly unlock the vault on Android. Since the iOS implementation is the same, it should also work but I have no way of testing the iOS app.

Here is the branch:

Quexten · January 10, 2023, 1:18am

Ok, I have added unit tests for the javascript implementation, and created the pull requests.
Here:

github.com/bitwarden/clients

[PS-2216] Feature/scrypt kdf

bitwarden:master ← quexten:feature/scrypt-kdf

opened 01:16AM - 10 Jan 23 UTC

quexten

+211 -29

## Type of change ``` - [ ] Bug fix - [x] New feature development - [ …] Tech debt (refactoring, code cleanup, dependency upgrades, etc) - [ ] Build/deploy pipeline (DevOps) - [ ] Other ``` ## Objective This pull request implements the scrypt kdf as another choice for the vault's pbkdf. The idea with scrypt is that through a large internal state, it is not possible to use a GPU to parallelize the computation, and thus is more resistant against bruteforce attacks. ## Code changes There is also a pull request for the mobile implementation here: bitwarden/mobile/pull/2285 - messages.json, change-kdf-component.ts, change-kdf.component.html: Implement the UI for changing the kdf type. Since scrypt does not use iterations, but a work factor (which needs to be a power of 2), a drop-down menu made more sense for selection - webCryptoFunction.service.spec.ts: Add unit tests for the scrypt function. The test strings were generated with GHCQ CyberChef - kdfType.ts: Add the scrypt type to the enum, and the default work factor and work factor options (since other defaults seemed to also be located in this file) - crypto.service.ts: Implement the case for the scrypt kdf type. The default scrypt work factor is 2^16, the minimum is 2^15. This and the other parameters are taken from this post: https://words.filippo.io/the-scrypt-parameters/ - node-crypto-function-service.ts, webCryptoFunction.service.ts, cryptoFunction.service.ts: Implement the function calls for scrypt - package.json: Add the noble hashes library for the scrypt implementation, since the cryptographic libraries bitwarden was already dependent on, do not implement scrypt. ## Screenshots ![screenshot](https://user-images.githubusercontent.com/11866552/211439403-912c9b2d-2b8e-42a6-89ff-ad93ceb9bcaa.png)

and

github.com/bitwarden/mobile

[PS-2215] Implement scrypt key derivation function

bitwarden:master ← quexten:feature/scrypt-pbkdf

opened 01:14AM - 10 Jan 23 UTC

quexten

+62 -3

## Type of change - [ ] Bug fix - [x] New feature development - [ ] Tech debt… (refactoring, code cleanup, dependency upgrades, etc) - [ ] Build/deploy pipeline (DevOps) - [ ] Other ## Objective This pull request implements the scrypt kdf, as the second kdf next to pbkdf2. The corresponding pull request on the clients repository is here: ## Code changes There is also a pull request for the clients implementation here: bitwarden/clients/pull/4428 - CryptoPrimitiveService.cs (iOS, Android), ICryptoPrimitiveService.cs: Implement the basic scrypt call. - KdfType.cs: Add the second KdfType - PclCryptoFunctionService.cs, ICryptoFunctionService.cs: Add the Scrypt functions - CryptoService: Add the scrypt case case for the kdf type. The default iterations are set to 2^16, and the minimum iterations are set to 2^15. (https://words.filippo.io/the-scrypt-parameters/ recommends 2^15 for interactive logins, but the article is from 2017 and it is arguable that bitwarden is closer to file encryption than interactive logins, so I'm open to debate here). The rest of the parameters are the same as recommended in the linked post. - iOS.Core.csproj: Add the BouncyCastle library (which is already used on Android) to implement Scrypt

mgibson · January 12, 2023, 1:52pm

Thanks for your interest Bernd, I definitely appreciate it!

My gut for a user experience is that we’d want to save difficulty options independent of one another for each KDF type we implement. If that’s the goal we would definitely want a KDFOptions object of some sort as part of the prelogin responses and subsequent crypto information responses. As for server-side storage, this would mean either a new table relation or storing it as JSON. I’m leaning to JSON for two reasons.

As you point out in the feature thread each KDF is likely to have unique requirements on options, so we’d need a very generic table structure if we went that route
New KDFs are a rare occurrence so the higher migration cost isn’t a big deal

Quexten · January 15, 2023, 2:40pm

As commented on the scrypt pull-request, here is the draft-pull request enabling the back-end functionality for the KDF options. Since as you pointed out new KDF’s don’t occur every other day, I chose to simply add 2 new columns, one for kdfMemory, one for kdfParallelism instead of a JSON object, but the pull request is of course open for discussion :

github.com/bitwarden/server

[PS-2267] Add KdfMemory and KDFParallelism fields

bitwarden:master ← quexten:feature/kdf-options

opened 02:33PM - 15 Jan 23 UTC

quexten

+311 -6

## Type of change ``` - [ ] Bug fix - [x] New feature development - [ …] Tech debt (refactoring, code cleanup, dependency upgrades, etc) - [ ] Build/deploy pipeline (DevOps) - [ ] Other ``` ## Objective For the scrypt, and especially argon2 key derivation functions, there are more parameters than just iterations. To make them configurable, new fields are needed. One option would be to create a new string field, which we encode a JSON "kdfOptions" object int, which would be very flexible but also (in my opinion) a bit complex for the use-case. Since I don't expect that Bitwarden needs to frequently add new KDF's with new parameters, this pull request simply adds 2 integer columns for the memory consumption, and the parallelism of the KDFs. I.e the client now gets something like: ``` { kdfType: 0, kdfIterations: 100000, kdfMemory: 1000, kdfParallelism: 2 } ``` As in the prelogin response, instead of just kdfType and kdfIterations. For PBKDF2, the new values are simply 0. **While I tested the basic functionality, I did not test every possibly affected function / migration yet. I already opened it so we can discuss whether this is the right approach.** ## Code changes AccountsController.cs: Add default handling for kdfMemory and kdfParallelism KdfRequestModel.cs, SetKeyConnectorKeyRequsest.cs, SetPasswordRequestModel.cs, OrganisationUserResponseModel.cs, EmergencyAccessResponse.cs, User.cs, RegisterRequestModel.cs, PreloginResponseModel.cs, OrganisationUserResetPasswordDetails.cs, UserKdfInformation.cs, IUserService.cs, UserService.cs,: Add kdfMemory, kdfParallelism fields User_Create.sql, User_ReadKdfByEmail.sql, User_Update.sql: Add the columns to the users table. 2023_01-15_00_KDFOptions.sql: Insert the columns if they are missing, and update the user creation, updating, and read kdf by email procedures (did I miss any here?)

Quexten · January 17, 2023, 1:03am

The scrypt pull request is closed for now as we decided to focus on argon2.

Sincerity9661 · January 17, 2023, 10:23am

From what I understand that is a good decision.