Jon Callas <> writes:
>On Jul 17, 2009, at 8:39 PM, Peter Gutmann wrote:
>> PGP Desktop 9 uses as its default an iteration count of four
>> million (!!) for its password hashing, which looks like a DoS to
>> anything that does sanity-checking of input.
>That's precisely what it is -- a denial of service to password crackers.

In that case why not use a billion iterations (or at least bytes of output),
that would really slow down attackers.

>In the implementation, we upped the default because of more password
>cracking, but also added a twist in it. We time the number of iterations take
>1/10 of a second on the computer you're using, and use that value. The goal
>is to have the iteration count scale as computers get faster without having
>to make software changes.

Where this falls apart completely is when there are asymmetric capabilities
across sender and receiver.  Having an embedded device suspend (near) real-
time processing while it iterates away at something generated on a multicore
3GHz desktop PC isn't really an option in a production environment (the actual
diagnosis was "messages generated by PGP Desktop cause our devices to crash"
because they were triggering a deadman timer that soft-restarted them, it
wasn't until they used an implementation that sanity-checked input values that
they realised what the problem was).


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to

Reply via email to