On May 31, 2012, at 3:03 PM, Marsh Ray wrote:
On 05/31/2012 11:28 AM, Nico Williams wrote:
Yes, but note that one could address that with some assumptions, and
with some techniques that one would reject when making a better hash
-- the point is to be slow,
More precisely, the point is to take a tunable amount of time with strong
assurance that an attacker will be unable to perform the computation with
significantly less computational resources.
The deliberate consumption of computational resources is a price that the
defender has to pay in order to impose costs on the attacker. This ought to
be an advantageous strategy for the defender as long as the attacker is
expected to need to invoke the function many times more.
But the defender's and attacker's cost structure is usually very different.
The defender (say a website with a farm of PHP servers) doesn't get to choose
when to begin the computation (legitimate users can log in at any time) and
he pays a cost for noticeable latency and server resources.
The attacker costs are proportional to the number of guesses he needs to make
to reverse the password. Hopefully this is dominated by wrong guesses. But
the attacker is free to parallelize the computation across whatever
specialized hardware he can assemble in the time that the credentials are
valid (sometimes years). Some attackers could be using stolen resources (e.g.
botnets for which they do not pay the power bill).
There's another, completely different issue: does the attacker want a
particular password, or will any passwords from a large set suffice?
Given the availability of cheap cloud computing, botnets, GPUs, and botnets
with GPUs, Aa * Ah * Ap can be very, very high, i.e., the attacker has a strong
advantage when attacking a particular password. Some say that it's so high
that increasing Ad is essentially meaningless. On the other hand, if there are
many passwords in the set being attacked, a large Ad translates into a
reduction in the fraction that can be attack in any given time frame.
--Steve Bellovin, https://www.cs.columbia.edu/~smb
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography