On 04/22/2012 02:55 PM, Jeffrey Walton wrote:

This might sound crazy, but I would rather have a NIST approved hash
that runs orders of magnitude slower to resist offline, brute forcing
attacks.

Well, that's what we have KDFs with a tunable work factor like PBKDF2 for.

They're generally constructed out of HMAC or hash primitives like SHA-n and the defender gets to personalize the work factor according to the cost he is able to bear. The important thing for the security is that the attacker is unable to find a way to perform that calculation faster than the defender. Having a hash function that is as efficient as possible in both hardware and software seems like a good way to approach that goal (and the folks who use the hash with a healthy sized secret key won't complain about its speed either.

An example of how *not* to do this is the old DES-based unix crypt() function. DES was designed for hardware, so it's much slower in software (where the defender runs it). They changed a few bits in the algorithm in the hope that would remove the advantage of an attacker using the available hardware for proper DES. But it turned out that the attacker can use a much faster bitsliced implementation for software cracking, or even FPGAs, and these optimizations are not available to the defender.

We can always take a fast function and iterate it until it is slow, but making a slow function fast ought to be impossible. So having a 'fast as possible but still secure' function as a primitive gives us more options.

- Marsh
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography

Reply via email to