Thanks for the responses. I considered using scrypt for now,
because, as described, it's harder to hack it with brute force
using GPU, ASIC or FPGA than bcrypt. But it has some limitations
too. I've tried to tweak it to use more memory and less
computation time but failed. Another question for me is how I
would support this type of password authentication. After some
years computing power will grow and I will need to modify my
hashed keys stored in the DB to adequately resist this. So I need
some protocol where some parameters could be tweaked, so that
I'll be able to "rehash" or make some additional iterations on
existing password hashes with no need to disturb users with "we
have some security updates and ask users to change their
passwords". So this part of the reply is interesting for me from
the described point of view.
Consider using AES256 poorly:
1. Take any password
2. hash it with MD5
3. Use that hash as the key (pad the extra bits with 0s) to
encrypt something using AES256 in ECB mode
I need a kind of function with these properties.
KDF(passwd, salt, jobFactor1)
KDF(passwd, salt, jobFactor2)
where jobFactor1 is the initial number representing the amount of
work needed to calculate the hash, and jobFactor2 ( > jobFactor1 )
is the value that will be current in the future.
For old hashes I would do something like this:
KDF_diff(KDF_old, jobFactor2 - jobFactor1)
But for new users (or for users who want to change their password)
I will call the original KDF(passwd, salt, jobFactor2) with the new
job factor. An implementation where KDF_diff is the same as KDF
and is simply used as KDF(KDF_old, salt, jobFactor2 - jobFactor1)
would also be suitable. It can be simply achieved by using some
SHA2, SHA3, MD5 or other hash function in a loop. But I want to
believe that some other elegant solution exists in combination
with a memory-hard function like scrypt.
Also I found some info about new Key Derivation Functions. But it
seems that they have not been checked enough for security and do
not have a sufficiently tested implementation.
http://lyra-kdf.net/
http://eprint.iacr.org/2013/525.pdf
Also I found a site about the password hashing functions
competition. It will be interesting to read what the D community
thinks about it.
https://password-hashing.net/faq.html
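
An added example, not part of the post above: one way to get the KDF(KDF_old, salt, ...) behaviour with scrypt is to wrap the stored hash in a further scrypt pass and record the list of layers, next to the plain iterated-hash chain the post mentions. The record layout and the names new_record, upgrade, verify and chain are hypothetical, and Python's hashlib.scrypt stands in for whatever scrypt binding is used.

```python
import hashlib
import hmac
import os

def scrypt_layer(data: bytes, salt: bytes, log2_n: int) -> bytes:
    # One scrypt pass; memory use is roughly 128 * r * 2**log2_n bytes.
    return hashlib.scrypt(data, salt=salt, n=1 << log2_n, r=8, p=1, dklen=32)

def new_record(password: str, log2_n: int) -> dict:
    # New users (or password changes) get a single layer at the current cost.
    salt = os.urandom(16)
    return {"salt": salt, "layers": [log2_n],
            "hash": scrypt_layer(password.encode(), salt, log2_n)}

def upgrade(record: dict, log2_n: int) -> dict:
    # Strengthen an old record offline: feed the stored hash through another
    # scrypt pass. The password is not needed, so users are not disturbed.
    return {"salt": record["salt"], "layers": record["layers"] + [log2_n],
            "hash": scrypt_layer(record["hash"], record["salt"], log2_n)}

def verify(record: dict, password: str) -> bool:
    # Replay every recorded layer in order, then compare in constant time.
    out = password.encode()
    for log2_n in record["layers"]:
        out = scrypt_layer(out, record["salt"], log2_n)
    return hmac.compare_digest(out, record["hash"])

def chain(data: bytes, salt: bytes, rounds: int) -> bytes:
    # The "hash function in a loop" variant: extendable by construction,
    # since rounds simply continue from the stored value, but not memory-hard.
    for _ in range(rounds):
        data = hmac.new(salt, data, hashlib.sha256).digest()
    return data

if __name__ == "__main__":
    old = new_record("correct horse", 12)   # constructed sample password
    new = upgrade(old, 14)                  # later: raise the cost in place
    print(new["layers"], verify(new, "correct horse"), verify(new, "wrong"))
```

A layered record costs the sum of its layers to verify, so after a successful login it can be replaced by a fresh single-layer record at the current cost.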