
If I have a password pwd, and I hash it with SHA256 and send it to a server for authentication (server will apply bcrypt for storage), and then I use PBKDF2-SHA256 with a large number of iterations to derive a key for decrypting user data, does the fact that the server knows the original SHA256 hash or the bcrypt hash allow it to derive the original pwd or the decryption key?

Another way to phrase the question: see the pseudocode below.

CLIENT:
hash1 := SHA256(email + pwd)
> send hash1 to server

SERVER:
hash2 := bcrypt(hash1)
if hash2 == stored expected value; send data and salt back to client

CLIENT:
key := pbkdf2(email + pwd, salt, ...)
AES.decrypt(data, key)

In my scenario, the SERVER is a third party. If, say, the server went rogue and tried to steal all of the users' data, would the server be able to do so easily, knowing about the contents of hash1 and salt?

P.S.: Do 5 million iterations somehow weaken PBKDF2 (hash cycles, etc.)?

1 Answer


If the party that controls the server also controls the client application then the server will always be able to retrieve the password. In that sense protecting against the server only works if very strict auditing is taking place, and then only maybe.

If the server receives a hash over the password then it can of course perform an (augmented) dictionary attack against the hash. When multiple hashes are collected then rainbow tables will also be an option. All the additional protection delivered by bcrypt or PBKDF2 will be null and void.

So yes: if the password can be found with such an attack, then PBKDF2 can be performed using the found password in your scheme. Very strong passwords will still offer protection against the server, of course.


PS: No, the more iterations the better for PBKDF2. Cycles only occur after many more iterations, and are nothing to worry about here.

Maarten Bodewes
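The attack the answer describes, as an added example that is not part of the original question or answer: the client and server steps of the asker's pseudocode are simulated, and then the server is run as the rogue party, guessing passwords against `hash1` at plain SHA-256 speed and deriving the PBKDF2 key for the one guess that matches. The email, password, word list and iteration counts are constructed for the demo; PBKDF2-HMAC-SHA256 stands in for bcrypt on the server side so that the script needs only the standard library, and the AES step is left out because recovering the key is the whole point.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed demo parameters (not from the original post). The PBKDF2 count is
# kept low so the demo runs in well under a second; the asker used 5 million.
EMAIL = "alice@example.com"
PASSWORD = "winter2019"          # weak: it appears in the attacker's word list
PBKDF2_ITERS = 50_000
SERVER_STRETCH_ITERS = 10_000    # stand-in for bcrypt's cost factor


def client_login_hash(email: str, password: str) -> bytes:
    """hash1 := SHA256(email + pwd). No secret salt and no stretching: one
    SHA-256 per guess, and the server already knows the email."""
    return hashlib.sha256((email + password).encode()).digest()


def server_enrol(hash1: bytes) -> dict:
    """Server-side storage of hash1. The post uses bcrypt; salted
    PBKDF2-HMAC-SHA256 stands in for it here (assumption for the demo)."""
    salt = os.urandom(16)
    hash2 = hashlib.pbkdf2_hmac("sha256", hash1, salt, SERVER_STRETCH_ITERS)
    # data_salt is the salt the server hands back for the client's key derivation.
    return {"salt": salt, "hash2": hash2, "data_salt": os.urandom(16)}


def server_verify(hash1: bytes, record: dict) -> bool:
    """Recompute hash2 from the presented hash1 and compare in constant time."""
    hash2 = hashlib.pbkdf2_hmac("sha256", hash1, record["salt"], SERVER_STRETCH_ITERS)
    return hmac.compare_digest(hash2, record["hash2"])


def client_derive_key(email: str, password: str, data_salt: bytes) -> bytes:
    """key := pbkdf2(email + pwd, salt, ...), the key for the user's data."""
    return hashlib.pbkdf2_hmac("sha256", (email + password).encode(), data_salt, PBKDF2_ITERS)


def rogue_server_attack(email: str, hash1: bytes, data_salt: bytes,
                        wordlist: Iterable[str]) -> Optional[Tuple[str, bytes]]:
    """What a rogue server does: it saw hash1 on the wire and knows the email,
    so it tries guesses at SHA-256 speed. bcrypt never enters into it, and the
    expensive PBKDF2 is paid once, only for the guess that matched."""
    for guess in wordlist:
        candidate = hashlib.sha256((email + guess).encode()).digest()
        if hmac.compare_digest(candidate, hash1):
            return guess, client_derive_key(email, guess, data_salt)
    return None


def demo() -> bool:
    """Run enrolment, a normal login, then the rogue-server attack. Returns
    True when the server recovers both the password and the client's key."""
    hash1 = client_login_hash(EMAIL, PASSWORD)
    record = server_enrol(hash1)
    assert server_verify(hash1, record)          # the honest login path
    key = client_derive_key(EMAIL, PASSWORD, record["data_salt"])

    # Constructed word list; a real attacker uses millions of entries plus rules.
    wordlist = ["password", "letmein", "summer2018", "winter2019", "hunter2"]
    found = rogue_server_attack(EMAIL, hash1, record["data_salt"], wordlist)
    return found is not None and found[0] == PASSWORD and found[1] == key


if __name__ == "__main__":
    print("rogue server recovered the password and key:", demo())
```

The cost that matters to the rogue server is one SHA-256 per guess, not the bcrypt or PBKDF2 cost: those are only paid once the password is already known. Swapping `hash1` for a slow, salted hash on the client side would change the per-guess cost, but as the answer notes, a strong password is what actually protects against the party running the server.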