Re: [cryptography] Master Password

2012-06-07 Thread Steven Bellovin

On May 31, 2012, at 3:03 PM, Marsh Ray wrote:

> On 05/31/2012 11:28 AM, Nico Williams wrote:
> 
> > Yes, but note that one could address that with some assumptions, and
> > with some techniques that one would reject when making a better hash
> > -- the point is to be slow,
> 
> More precisely, the point is to take a tunable amount of time with strong 
> assurance that an attacker will be unable to perform the computation with 
> significantly less computational resources.
> 
> The deliberate consumption of computational resources is a price that the 
> defender has to pay in order to impose costs on the attacker. This ought to 
> be an advantageous strategy for the defender as long as the attacker is 
> expected to need to invoke the function many times more.
> 
> But the defender's and attacker's cost structure is usually very different. 
> The defender (say a website with a farm of PHP servers) doesn't get to choose 
> when to begin the computation (legitimate users can log in at any time) and 
> he pays a cost for noticeable latency and server resources.
> 
> The attacker costs are proportional to the number of guesses he needs to make 
> to reverse the password. Hopefully this is dominated by wrong guesses. But 
> the attacker is free to parallelize the computation across whatever 
> specialized hardware he can assemble in the time that the credentials are 
> valid (sometimes years). Some attackers could be using stolen resources (e.g. 
> botnets for which they do not pay the power bill).


There's another, completely different issue: does the attacker want a 
particular password, or will any password from a large set suffice?

Given the availability of cheap cloud computing, botnets, GPUs, and botnets 
with GPUs, Aa * Ah * Ap can be very, very high, i.e., the attacker has a strong 
advantage when attacking a particular password.  Some say that it's so high 
that increasing Ad is essentially meaningless.  On the other hand, if there are 
many passwords in the set being attacked, a large Ad translates into a 
reduction in the fraction that can be attacked in any given time frame.

--Steve Bellovin, https://www.cs.columbia.edu/~smb

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Master Password

2012-06-07 Thread Nico Williams
On Thu, Jun 7, 2012 at 4:14 PM, Steven Bellovin s...@cs.columbia.edu wrote:
> There's another, completely different issue: does the attacker want a 
> particular password, or will any password from a large set suffice?
> 
> Given the availability of cheap cloud computing, botnets, GPUs, and botnets 
> with GPUs, Aa * Ah * Ap can be very, very high, i.e., the attacker has a 
> strong advantage when attacking a particular password.  Some say that it's so 
> high that increasing Ad is essentially meaningless.  On the other hand, if 
> there are many passwords in the set being attacked, a large Ad translates 
> into a reduction in the fraction that can be attacked in any given time frame.

If the attacker can't easily identify the user IDs...  If usernames
are put through a PBKDF as well to generate the lookup key with which
to find the password verifier, how much does the defender gain?  For
any one password, not much, because there's less entropy in usernames
than passwords, so the Ad barely improves -- but if the attacker can't
identify that one password then the slight increase in Ad helps slow
the attacker's progress through all of the verifiers they have.
Moreover, the verifier DB could be peppered with chaff with which to
further slow down the attacker.  Does this make sense?

Nico
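The two points above, Bellovin's single-target versus population argument and Williams' PBKDF-derived lookup key with chaff rows, as an added Python model that is not code from either post. Attacker throughput (Aa * Ah * Ap folded into one rate) and the Ad multiplier are constructed parameters, and `lookup_key`, `build_store` and the chaff layout are a hypothetical reading of the proposal, not any deployed scheme.

```python
import hashlib
import hmac
import secrets

def fraction_recoverable(n_verifiers, guesses_each, ad, attacker_rate, seconds):
    """Fraction of a verifier set the attacker can exhaust in `seconds`.

    attacker_rate is evaluations per second at Ad = 1 (Aa*Ah*Ap collapsed);
    one verifier costs guesses_each * ad evaluations.  For a single target the
    budget usually dwarfs that cost whatever ad is; across a large set the
    reachable fraction falls in proportion to ad.  All inputs are constructed.
    """
    budget = attacker_rate * seconds
    return min(1.0, budget / (n_verifiers * guesses_each * ad))

def lookup_key(username: str, site_salt: bytes, ad: int) -> str:
    """Hypothetical lookup key: PBKDF2 over the (normalised) username, so
    matching a row to a candidate name also costs ad per candidate."""
    return hashlib.pbkdf2_hmac("sha256", username.lower().encode(),
                               site_salt, ad).hex()

def build_store(accounts: dict, site_salt: bytes, ad: int, n_chaff: int) -> dict:
    """Verifier table keyed by lookup_key; each row is (salt, verifier).
    Chaff rows carry random keys and random verifiers that no user owns, so a
    sweep over the table pays for them without recovering anything."""
    store = {}
    for user, password in accounts.items():
        salt = secrets.token_bytes(16)
        verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ad)
        store[lookup_key(user, site_salt, ad)] = (salt, verifier)
    for _ in range(n_chaff):
        store[secrets.token_bytes(32).hex()] = (secrets.token_bytes(16),
                                               secrets.token_bytes(32))
    return store

def verify(store: dict, site_salt: bytes, ad: int, username: str, password: str) -> bool:
    """Login check: derive the lookup key, then compare the verifier in
    constant time; an unknown user or a chaff row simply fails."""
    row = store.get(lookup_key(username, site_salt, ad))
    if row is None:
        return False
    salt, verifier = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ad)
    return hmac.compare_digest(candidate, verifier)
```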