Stronger Password-Based Encryption Using All-or-Nothing Transforms

MSR-TR-2015-63

Password-based encryption needs all the help it can get to withstand brute-force attacks. We repurpose an old idea to encrypt data so that each password guess requires processing all of the encrypted data. Then we look at some use cases to see how the costs change for the attacker and defender. In a brute-force attack, this can mean a large increase in attacker I/O, with little cost increase to defenders, who must process all of the data anyway. This report accompanies a presentation at BSidesLV 2015 (Passwords15 Crypto Track).
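
The following is an added illustration, not code from the report: one way to obtain the property described above is Rivest's package transform followed by ordinary encryption of the whole package under the password-derived key. HMAC-SHA256 standing in for the block cipher, PBKDF2 as the key derivation, and all function and constant names are assumptions made here; the report's own construction may differ.

```python
import hashlib, hmac, secrets

BLOCK = 32                      # SHA-256 output size, used as the block size
PUBLIC_KEY0 = b"\x00" * BLOCK   # fixed, public key for the package hash (constructed)

def prf(key: bytes, index: int, data: bytes = b"") -> bytes:
    """HMAC-SHA256 used as a PRF over (block index, optional block data)."""
    return hmac.new(key, index.to_bytes(8, "big") + data, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stream(key: bytes, data: bytes) -> bytes:
    """XOR data with a PRF keystream; encryption and decryption are identical."""
    return b"".join(xor(data[i:i + BLOCK], prf(key, i // BLOCK))
                    for i in range(0, len(data), BLOCK))

def package_digest(body: bytes) -> bytes:
    """XOR of the keyed hashes of every body block; cannot skip any block."""
    acc = bytes(BLOCK)
    for i in range(0, len(body), BLOCK):
        acc = xor(acc, prf(PUBLIC_KEY0, i // BLOCK, body[i:i + BLOCK]))
    return acc

def encrypt(password: bytes, message: bytes, iterations: int = 100_000) -> bytes:
    salt = secrets.token_bytes(16)
    inner_key = secrets.token_bytes(BLOCK)   # random per-message key K'
    # The check value sits inside the transform, so there is no cheap password test.
    body = stream(inner_key, hashlib.sha256(message).digest() + message)
    package = body + xor(inner_key, package_digest(body))
    outer_key = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, BLOCK)
    return salt + stream(outer_key, package)

def decrypt(password: bytes, blob: bytes, iterations: int = 100_000) -> bytes:
    salt, ciphertext = blob[:16], blob[16:]
    outer_key = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, BLOCK)
    package = stream(outer_key, ciphertext)  # every block, for every guess
    body, tail = package[:-BLOCK], package[-BLOCK:]
    inner_key = xor(tail, package_digest(body))
    plain = stream(inner_key, body)
    tag, message = plain[:32], plain[32:]
    if not hmac.compare_digest(tag, hashlib.sha256(message).digest()):
        raise ValueError("wrong password or corrupted data")
    return message
```

Recovering `inner_key` needs the hash of every decrypted body block, so rejecting a wrong password costs a pass over the entire ciphertext, which is the same pass a legitimate reader performs once.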