On Wed, May 30, 2012 at 2:32 AM, Jon Callas <j...@callas.org> wrote:
> (1) You take the master password and run it through a 512-bit hash function, 
> producing master binary secret.
>
> You pick scrypt for your hash function, because you think burning time and 
> space adds to security. I do not. This is a place where gentlepersons can 
> disagree, and I really don't expect to convince you that SHA-512 or Skein 
> would be better options. I'm convinced that I know why you're doing it, and 
> it would be a waste of both our times to go further. We just disagree.
>
> At the end of it, it hardly matters because if an attacker wishes to 
> construct a rainbow table, the correct way to do it is to assemble a list of 
> likely passwords and just go from there. It will take longer if they use 
> scrypt than with a real hash function, but once it's done it is done. They 
> have the rainbow table.

This is why salting is important.  They should not be able to build a
single rainbow table that works for all cases.  They should have to
build a rainbow table per-user, but since that's wasteful (of storage)
they won't unless they are prepping to attack a single account at some
point when material suitable for attack becomes available.

Once you're salting the next step is to slow down the password search.
We can't slow it down too much, else the user will suffer and
complain, so in the end the user had better pick password.  And if the
attacker is attacking a small number of users then they can build
rainbow tables, which means that... in general you're right.

Are you saying that PBKDFs are just so much cargo cult now?

Nico
--
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
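
Added example, not part of the original message or thread: a small measurement of the point made in the reply above, that a per-user salt forces one precomputed table per account while a scheme without per-user salts lets one table serve every account. The candidate list, the scrypt cost parameters, the fixed salt and all function names are assumptions constructed for illustration.

```python
import hashlib
import os

# Constructed sample data; the cost parameters are deliberately small
# so the comparison runs quickly and are not a recommendation.
CANDIDATES = ["123456", "password", "letmein", "correct horse"]
FIXED_SALT = b"\x00" * 16      # stands in for "no per-user salt"
N, R, P = 2**10, 8, 1


def kdf(password: str, salt: bytes) -> bytes:
    """scrypt as the password hash, as in the scheme under discussion."""
    return hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)


def build_table(salt: bytes) -> dict:
    """Precompute digest -> password for every candidate under one salt."""
    return {kdf(pw, salt): pw for pw in CANDIDATES}


def enroll(users: dict, salted: bool) -> dict:
    """Return user -> (salt, digest) as a verifier would store them."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16) if salted else FIXED_SALT
        records[user] = (salt, kdf(pw, salt))
    return records


def lookup_shared_table(records: dict, table: dict) -> dict:
    """Accounts recovered by a single table built once for FIXED_SALT."""
    return {u: table[d] for u, (_, d) in records.items() if d in table}


def per_salt_work(records: dict) -> tuple:
    """Salted case: a fresh table per account. Returns (found, kdf_calls)."""
    found, calls = {}, 0
    for user, (salt, digest) in records.items():
        table = build_table(salt)
        calls += len(CANDIDATES)
        if digest in table:
            found[user] = table[digest]
    return found, calls
```

With the fixed salt, one table of len(CANDIDATES) scrypt calls covers every account; with random salts the same table matches nothing and the work becomes len(CANDIDATES) calls per account, which is the cost the KDF's slowness then multiplies.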
