Clipaha: A Scheme to Perform Password Stretching on the Client

Abstract

Password security relies heavily on the choice of password by the user, but also on the one-way hash functions used at servers to protect the passwords. To compensate for the increased computing power of attackers, these hash functions have been made more demanding in terms of both computation and memory. This exposes servers, which must compute the hash function at every login attempt, to denial-of-service attacks, and it limits the range of devices that can provide a high level of password security. For example, constrained Internet of Things devices cannot run modern hash functions like Argon2. In this work, we discuss client-side hashing as an alternative. We propose Clipaha, a client-side hashing scheme that provides high password security even on highly constrained server devices. Clipaha is robust to a broader range of attacks than previous work and covers important and complex usage scenarios. Our evaluation discusses critical aspects involved in client-side hashing. We also provide an implementation of Clipaha in the form of a web library and benchmark the library on different systems to understand the limitations of its mixed JavaScript and WebAssembly approach. Benchmarks show that our library is 50% faster than similar libraries and can run on some devices where previous work fails.
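As an added illustration of the client-side stretching pattern the abstract describes (example code written for this page, not the paper's library, and not Clipaha's actual construction, whose details the abstract does not give): the client performs the memory-hard work, and the constrained server applies only a cheap keyed hash before storing the result. Assumptions: scrypt from Python's standard library stands in for Argon2, the client-side salt is derived from a fixed service identifier plus the username so no server round trip is needed, and all names and the service identifier are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed service identifier; a real deployment would bind this to the
# origin so the same password yields different values at different services.
SITE_ID = b"example.org"


def client_stretch(username: str, password: str) -> bytes:
    """Expensive, memory-hard stretching done on the client.

    The salt is derived from the service identifier and the username so the
    client can compute it without asking the server, while still making the
    result per-user (same password, different user -> different output).
    scrypt with n=2**14, r=8 uses about 16 MiB; it stands in for Argon2.
    """
    salt = hashlib.sha256(SITE_ID + b"\x00" + username.encode("utf-8")).digest()
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def server_store(client_hash: bytes):
    """Cheap per-login work on the server: one random salt and one HMAC.

    The value the client sends is itself the login credential, so storing it
    raw would let anyone holding a leaked database authenticate directly.
    A keyed one-way step keeps the stored record useless on its own.
    """
    server_salt = secrets.token_bytes(16)
    record = hmac.new(server_salt, client_hash, hashlib.sha256).digest()
    return server_salt, record


def server_verify(server_salt: bytes, record: bytes, client_hash: bytes) -> bool:
    """Recompute the cheap server step and compare in constant time."""
    candidate = hmac.new(server_salt, client_hash, hashlib.sha256).digest()
    return hmac.compare_digest(candidate, record)


if __name__ == "__main__":
    # Registration: client stretches, server stores only the cheap record.
    salt, rec = server_store(client_stretch("alice", "correct horse battery"))
    # Login: client stretches again, server does one HMAC to verify.
    print(server_verify(salt, rec, client_stretch("alice", "correct horse battery")))
    print(server_verify(salt, rec, client_stretch("alice", "wrong password")))
```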

Publication
International Conference on Information Systems Security and Privacy (ICISSP)