
I want to use a (preferably established) hash function that is backdoorable in a password database. I want to do so because I need password escrow (being able to get the cleartext back). I want to generate some form of a private/public keypair on a secure server (airgapped, physical security). I then want to send the public key to the authentication server, and use a hashing algorithm that is reversible (I know that you can't normally reverse hashes) if you know the private key. If I ever need to read the passwords in the database, I copy the passwords and decrypt them with my private key.

The disadvantages are obvious: single point of failure, and in case of a non-established function, maybe a backdoor in my backdoor. (Oh, the irony)

What hash function should I use? Are there any established hash functions that will do this?

redfast00

1 Answer

4

You can simply handle password verification on login and escrow independently:

  • Store a salted password hash (e.g. bcrypt) together with its salt. You can use this to verify logins, just like what you'd use if you had no escrow.
  • Also store the password encrypted with asymmetric encryption (e.g. RSA-OAEP, ECIES).

    Since these are randomized, they are not vulnerable to attacks where the attacker guesses a password and checks if the encryption matches the ciphertext.

    You might need to add some padding, to avoid leaking the length of the password.


The Makwa password hash has a built-in backdoor, but since this problem can be solved generically, I don't consider that a good reason for using Makwa over another hash.

CodesInChaos
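The two-record scheme described in the answer, as an added example (not code from the question or the answer): each row stores a salted, stretched verifier for login and, separately, an RSA-OAEP ciphertext of the length-padded password for escrow. The authentication server only ever holds the public key; `Recover` is meant to run where the private key lives. The iterated SHA-256 in `stretch` is an assumption standing in for bcrypt so the example uses only the Go standard library; the 128-byte pad size and the OAEP label `"password-escrow"` are also assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Record is one row of the password database: the verifier used at login,
// its salt, and the escrow ciphertext that only the offline private key opens.
type Record struct {
	Salt     []byte
	Verifier []byte
	Escrow   []byte
}

const (
	saltLen    = 16
	iterations = 100000 // stand-in for bcrypt's cost parameter (assumption)
	padTo      = 128    // fixed plaintext size so ciphertexts do not leak length
)

var oaepLabel = []byte("password-escrow") // assumed label, binds the ciphertext to this use

// stretch is a salted, iterated SHA-256 used only as a stand-in for bcrypt
// (assumption; a real deployment would use bcrypt, scrypt or Argon2).
func stretch(password, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 1; i < iterations; i++ {
		h = sha256.Sum256(append(h[:], salt...))
	}
	return h[:]
}

// pad places the password in a fixed-size block: one length byte, the
// password, then zero fill. Every escrow plaintext therefore has the same size.
func pad(password []byte) ([]byte, error) {
	if len(password) > padTo-1 {
		return nil, errors.New("password too long for escrow block")
	}
	buf := make([]byte, padTo)
	buf[0] = byte(len(password))
	copy(buf[1:], password)
	return buf, nil
}

func unpad(buf []byte) ([]byte, error) {
	if len(buf) != padTo || int(buf[0]) > padTo-1 {
		return nil, errors.New("malformed escrow block")
	}
	return buf[1 : 1+int(buf[0])], nil
}

// Enroll builds the row. OAEP is randomized, so two enrollments of the same
// password give different ciphertexts and an attacker cannot confirm a guess
// by re-encrypting it under the public key.
func Enroll(pub *rsa.PublicKey, password []byte) (Record, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, err
	}
	plain, err := pad(password)
	if err != nil {
		return Record{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, oaepLabel)
	if err != nil {
		return Record{}, err
	}
	return Record{Salt: salt, Verifier: stretch(password, salt), Escrow: ct}, nil
}

// Verify is the ordinary login path; it never touches the escrow ciphertext.
func Verify(r Record, password []byte) bool {
	return subtle.ConstantTimeCompare(r.Verifier, stretch(password, r.Salt)) == 1
}

// Recover is the escrow path and needs the private key, which should exist
// only on the airgapped machine.
func Recover(priv *rsa.PrivateKey, r Record) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, r.Escrow, oaepLabel)
	if err != nil {
		return nil, err
	}
	return unpad(plain)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	rec, _ := Enroll(&priv.PublicKey, []byte("correct horse battery staple"))
	fmt.Println("login ok:", Verify(rec, []byte("correct horse battery staple")))
	fmt.Println("wrong pw:", Verify(rec, []byte("wrong")))
	pw, _ := Recover(priv, rec)
	fmt.Println("escrowed password:", string(pw))
}
```

The verifier and the escrow ciphertext are independent: compromising the database still costs an attacker a bcrypt-style guessing campaign per account, and the escrow column is useless without the offline private key. With a 2048-bit key and SHA-256, OAEP can carry at most 190 bytes, so the 128-byte block fits with room to spare.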