On 04/22/2012 05:07 PM, Jeffrey Walton wrote:

Aren't programs generally written to be fast and take advantage of
things like locality of reference? I'd like to see a design that
complete violates the design principal. Iterations in a KDF would
then be icing on the cake.

STRONGER KEY DERIVATION VIA SEQUENTIAL MEMORY-HARD FUNCTIONS,
www.bsdcan.org/2009/schedule/attachments/87_scrypt.pdf.

Well, what about Scrypt doesn't meet your needs?

Off the top of my head:

* It doesn't have an RFC-type spec or reference implementation.

* It's not blessed by NIST, ANSI/ISO, ECMA or any other such body.

* It probably doesn't parallelize on the defender's multi-core CPUs quite as well as it will on a botnet, but you specifically asked for a cache-thrashing function.

I don't see any of these as unfixable showstoppers; Scrypt looks pretty good to me.

Plus, its hard to balance iterations with security when the workforce
is mobile and the attacker gets to perform an offline attack on a
desktop.

Let's keep in mind that the root cause of this problem is the low entropy present in passwords and user PINs. An improved UI for authentication might give us a bigger 'win' in terms of effective security than a maximally-inefficient work function.

- Marsh
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography

Reply via email to