----- Original Message ----- From: "Jim Gellman" <[EMAIL PROTECTED]>
To: "Joseph Ashwood" <[EMAIL PROTECTED]>
Cc: "Cryptography" <cryptography@metzdowd.com>
Sent: Saturday, October 13, 2007 1:25 PM
Subject: Re: Password hashing


I'm not sure I follow your notation.  Are you saying that IV[n] is the
n'th application of the compression function?
No, each application of the HMAC is seperate, this is to incur the finalization penalty in the computation. if you want it closer to implementation:
IV = SALT
for(n iterations)
   IV = HMAC(key=IV, data=USERID||PASSWORD)
PasswordHash=IV

Why put each field in
it's own block?

It really is to incur as many necessary performance penalties as possible. The HMAC keying requires 2 compressions, then the USERID||PASSWORD formatting can be created to make it consistently 2 more compressions, and a finalization per round.

More inflation is of course possible, but I don't think it is reasonable, too much possibility of stretching too far, giving too much leverage for an attack on the compression function (i.e. the more times you use the compression function the more likely a shortcut exists, but by resetting the state such attacks become much less likely).
               Joe


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to