On 04/22/2012 05:07 PM, Jeffrey Walton wrote:
Aren't programs generally written to be fast and take advantage of
things like locality of reference? I'd like to see a design that
complete violates the design principal. Iterations in a KDF would
then be icing on the cake.
STRONGER KEY DERIVATION VIA SEQUENTIAL MEMORY-HARD FUNCTIONS,
www.bsdcan.org/2009/schedule/attachments/87_scrypt.pdf.
Well, what about Scrypt doesn't meet your needs?
Off the top of my head:
* It doesn't have an RFC-type spec or reference implementation.
* It's not blessed by NIST, ANSI/ISO, ECMA or any other such body.
* It probably doesn't parallelize on the defender's multi-core CPUs
quite as well as it will on a botnet, but you specifically asked for a
cache-thrashing function.
I don't see any of these as unfixable showstoppers; Scrypt looks pretty
good to me.
Plus, its hard to balance iterations with security when the workforce
is mobile and the attacker gets to perform an offline attack on a
desktop.
Let's keep in mind that the root cause of this problem is the low
entropy present in passwords and user PINs. An improved UI for
authentication might give us a bigger 'win' in terms of effective
security than a maximally-inefficient work function.
- Marsh
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography