In order to access our digital accounts, we usually need a password or passphrase. However, just as the key to a real-life lock may not always be strong, not all passwords are secure. To strengthen online defenses, security experts have developed a range of techniques and methods to make passwords more secure. These methods include: Hashing, Salting, Peppering, Key Stretching, etc. Below, let’s explore the importance of key expansion and how it can significantly improve online security.
What is key extension?
As a cryptographic technique, key expansion can be used to enhance the security of passwords and passphrases, especially when the original password is not random enough or long enough to withstand attacks such as brute force or dictionary attacks. . Overall, key expansion achieves stronger security by hashing a password or key multiple times.
Key expansion, also known as key hardening, usually involves applying a cryptographic function or algorithm to a relatively weak, short password or encryption key to generate a stronger, longer key. The newly generated key output is used as subsequent input, and this process is repeated until the required key can be output. Fundamentally, the purpose of this is to make it possible for an attacker to recover the original key even if he obtains a hashed or encrypted version of the original key, which requires a lot of computational cost and time.
Currently, key expansion plays a vital role in applications with high security requirements such as online accounts, financial transactions, and data protection. It is an important part of ensuring the security of stored passwords and encryption keys, and ultimately ensures the trust of user accounts and data.
How does key expansion work?
To understand how key expansion turns a weak password into a strong and secure one, let's look at a simple example: Imagine you have a common password like "iloveyou". So to the attacker, the password may not even be called a secret. They can easily open this "door" by brute force cracking word lists and dictionaries. In fact, it only took the attacker 30 seconds to crack and access the account.
Key expansion then hashes this vulnerable password to create a longer, more complex password. For example: "iloveyou" will become "e4ad93ca07acb8d908a3aa41e920ea4f4ef4f26e7f86cf8291c5db289780a5ae". However, the entire expansion process does not end there.
The new password is then hashed again and becomes: "bc82943e9f3e2b6a195bebdd7f78e5f3ff9182ca3f35b5d415cf796ab0ce6e56".
And if you continue to hash it, you will get: "46e95d6374c00c84e4970cfe1e0a2982b2b11b1de9343a30f42675a2154a28f5". By analogy, you can perform this operation as many times as needed.
So, do we need to write code from scratch to implement the entire process? Obviously not needed. There are already code libraries for key expansion in the industry that can do the heavy lifting for you. Among them, the more typical and popular key expansion algorithms are: PBKDF2, scrypt, Argon2 and bcrypt. Among them, bcrypt and PBKDF2 are the most well-known.
Specifically, bcrypt uses blowfish passwords for multiple rounds of hashing, making it a solid choice for keeping passwords safe. PBKDF2 (Password-Based Key Derivation Function, Password-Based Key Derivation Function 2) is another reliable option to enhance the security of keys or passwords. These tools ensure that even the weakest passwords are heavily shielded from unauthorized access.
Key expansion and salting
Key expansion and salting are both important technologies in the field of password security. They each play a unique role in enhancing password strength.
As mentioned above, key expansion essentially involves multiple rounds of hashing a password, effectively turning a weak password into a more secure version. Therefore, the more times it is performed, the safer the password becomes. Password salting provides an additional layer of defense. It requires adding a string of different characters to the password before applying the hashing process, i.e., making the password stronger by adding complexity.
In practice, these two techniques can be used in tandem to enhance the overall strength of a password. However, it is important to note that salting is not an afterthought but should be incorporated from the start to strengthen weak passwords before they are hashed. Essentially, key expansion and salting work like a collaborative team, working together to provide additional protection for your sensitive information.
Importance of Key Expansion
Key expansion is commonly used in password-based encryption and authentication systems. It helps reduce the risk of weak or easy-to-guess passwords, making it difficult for an attacker to recover the computationally expensive original information even if they obtain a hashed or encrypted version of the original password. We can often use it in various practical application scenarios such as protecting stored passwords and encryption keys. Below, I have summarized 4 typical security functions of key expansion for you:
- Enhanced security: The main purpose of key expansion is to greatly improve the security of passwords or encryption keys. It does this by turning weak, easily guessable passwords into strong, complex keys that are more resistant to attacks such as brute force and dictionary attacks.
- Fight against rainbow tables: Rainbow tables are also called precomputed tables. This type of table is a pre-generated hashed password correspondence table. Attackers can use them to quickly find the corresponding password. Methods such as salting and key expansion can render such tables ineffective.
- Reduce the impact of weak passwords: In actual operations, users usually choose weak passwords that are easy to remember but vulnerable to attacks. Key stretching provides an additional layer of security between users and services.
- Slow down attackers: The complex computation of key expansion significantly slows down attackers’ ability to crack passwords. Obviously, each additional iteration makes the cracking process more time-consuming, thus deterring attackers.
Use cryptographic hardening technology to ensure asset security
Although passwords are the first line of defense for security, if they are too simple, it is only a matter of time before they are cracked. Nowadays, attackers are becoming more and more sophisticated, and the level of cracking continues to increase. Therefore, if you want to stay ahead in this "cat-and-mouse game", the key processing mechanism needs to "go one more step". For example, using advanced technologies such as key expansion, salting, and doping mentioned above can help users transform weak passwords into a strong shield against potential threats.