----- Original Message -----
From: "Jim Gellman" <[EMAIL PROTECTED]>
To: "Joseph Ashwood" <[EMAIL PROTECTED]>
Cc: "Cryptography" <[email protected]>
Sent: Saturday, October 13, 2007 1:25 PM
Subject: Re: Password hashing
> I'm not sure I follow your notation. Are you saying that IV[n] is the
> n'th application of the compression function?

No, each application of the HMAC is separate; this is to incur the
finalization penalty in the computation. If you want it closer to
implementation:

IV = SALT
for(n iterations)
    IV = HMAC(key=IV, data=USERID||PASSWORD)
PasswordHash = IV

> Why put each field in its own block?

It really is to incur as many necessary performance penalties as possible.
The HMAC keying requires 2 compressions, then the USERID||PASSWORD
formatting can be created to make it consistently 2 more compressions, and a
finalization per round.
More inflation is of course possible, but I don't think it is reasonable,
too much possibility of stretching too far, giving too much leverage for an
attack on the compression function (i.e. the more times you use the
compression function the more likely a shortcut exists, but by resetting the
state such attacks become much less likely).
Joe
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
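
Added example, not part of the original message: the loop from the reply written out in Python, with each field padded into its own block and a count of compression-function calls per round. SHA-256 (64-byte blocks), the one-byte length prefix, and the names field_block, password_hash, sha256_calls, compressions_per_round and verify are assumptions; the message names no hash function or field encoding.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes (assumed hash; the post names none)

def field_block(value: bytes) -> bytes:
    """Put one field in its own block: 1 length byte, the value, zero fill.
    The length byte keeps ("ab", "c") distinct from ("a", "bc")."""
    if len(value) > BLOCK - 1:
        raise ValueError("field does not fit in one block")
    return bytes([len(value)]) + value.ljust(BLOCK - 1, b"\x00")

def password_hash(salt: bytes, userid: bytes, password: bytes, iterations: int) -> bytes:
    """IV = SALT; repeat: IV = HMAC(key=IV, data=USERID||PASSWORD)."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    data = field_block(userid) + field_block(password)  # always 2 blocks
    iv = salt
    for _ in range(iterations):
        # A fresh HMAC each round: re-keyed, fully finalized, state reset.
        iv = hmac.new(iv, data, hashlib.sha256).digest()
    return iv

def sha256_calls(msg_len: int) -> int:
    """Compression calls for msg_len bytes: message + 0x80 + 8-byte length."""
    return (msg_len + 9 + BLOCK - 1) // BLOCK

def compressions_per_round(data_len: int = 2 * BLOCK) -> int:
    """Compression calls in one HMAC-SHA-256 round over data_len bytes."""
    inner = sha256_calls(BLOCK + data_len)  # ipad key block + data + padding
    outer = sha256_calls(BLOCK + 32)        # opad key block + inner digest
    return inner + outer

def verify(stored: bytes, salt: bytes, userid: bytes, password: bytes,
           iterations: int) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = password_hash(salt, userid, password, iterations)
    return hmac.compare_digest(stored, candidate)

if __name__ == "__main__":
    salt = bytes(range(16))  # constructed sample salt; use a random one in practice
    h = password_hash(salt, b"alice", b"correct horse", 1000)
    print(h.hex(), compressions_per_round())
```

Under these assumptions a round costs six compression calls: two key blocks (ipad and opad), two data blocks, the inner padding block, and the outer block that carries the inner digest.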