On May 31, 2012, at 3:03 PM, Marsh Ray wrote:

> On 05/31/2012 11:28 AM, Nico Williams wrote:
>> 
>> Yes, but note that one could address that with some assumptions, and
>> with some techniques that one would reject when making a better hash
>> -- the point is to be slow,
> 
> More precisely, the point is to take a tunable amount of time with strong 
> assurance that an attacker will be unable to perform the computation with 
> significantly less computational resources.
> 
> The deliberate consumption of computational resources is a price that the 
> defender has to pay in order to impose costs on the attacker. This ought to 
> be an advantageous strategy for the defender as long as the attacker is 
> expected to need to invoke the function many times more.
> 
> But the defender's and attacker's cost structure is usually very different. 
> The defender (say a website with a farm of PHP servers) doesn't get to choose 
> when to begin the computation (legitimate users can log in at any time) and 
> he pays a cost for noticeable latency and server resources.
> 
> The attacker costs are proportional to the number of guesses he needs to make 
> to reverse the password. Hopefully this is dominated by wrong guesses. But 
> the attacker is free to parallelize the computation across whatever 
> specialized hardware he can assemble in the time that the credentials are 
> valid (sometimes years). Some attackers could be using stolen resources (e.g. 
> botnets for which they do not pay the power bill).


There's another, completely different issue: does the attacker want a 
particular password, or will any passwords from a large set suffice?  

Given the availability of cheap cloud computing, botnets, GPUs, and botnets 
with GPUs, Aa * Ah * Ap can be very, very high, i.e., the attacker has a strong 
advantage when attacking a particular password.  Some say that it's so high 
that increasing Ad is essentially meaningless.  On the other hand, if there are 
many passwords in the set being attacked, a large Ad translates into a 
reduction in the fraction that can be attacked in any given time frame.

                --Steve Bellovin, https://www.cs.columbia.edu/~smb
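An added example, not part of the thread: a small Python model of the cost tradeoff discussed above. It calibrates a PBKDF2 iteration count to the defender's per-login latency budget, then estimates how much of a set of independently salted hashes an attacker with a given advantage can exhaust within the credential validity window. The `speedup` factor stands in for Aa * Ah * Ap; the per-user-salt assumption and the sample numbers in `__main__` are assumptions, not figures from the thread.

```python
import hashlib
import os
import time


def slow_hash(password: bytes, salt: bytes, iterations: int) -> bytes:
    # Tunable-cost hash: PBKDF2-HMAC-SHA256, cost grows linearly with iterations.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def calibrate_iterations(target_seconds: float, start: int = 1000) -> int:
    # Double the iteration count until one hash costs at least target_seconds
    # on this machine: the latency the defender is willing to pay per login.
    salt = os.urandom(16)
    iterations = start
    while True:
        t0 = time.perf_counter()
        slow_hash(b"calibration-only", salt, iterations)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2


def attacker_guesses(defender_seconds_per_hash: float, speedup: float,
                     window_seconds: float) -> float:
    # Guesses the attacker can make in the window: the defender's own rate
    # times the attacker's advantage (speedup stands in for Aa * Ah * Ap).
    return (1.0 / defender_seconds_per_hash) * speedup * window_seconds


def fraction_cracked(total_guesses: float, num_targets: int,
                     guesses_per_target: float) -> float:
    # Assumes each stored hash has its own salt, so each target consumes a
    # separate guess budget; returns the share of the set that can be
    # exhausted in the window, capped at 1.0.
    return min(1.0, total_guesses / (num_targets * guesses_per_target))


if __name__ == "__main__":
    per_hash = 0.05                       # assumed 50 ms latency budget
    iters = calibrate_iterations(per_hash)
    speedup = 1e5                         # assumed attacker advantage
    window = 365 * 86400                  # credentials valid for one year
    guesses = attacker_guesses(per_hash, speedup, window)
    print(f"iterations={iters}, attacker guesses in window={guesses:.3e}")
    for n in (1, 10_000, 10_000_000):     # one target vs. a large set
        print(f"targets={n}: fraction crackable={fraction_cracked(guesses, n, 1e8):.2e}")
```

The single-target row shows the attacker's advantage against one password; the rows with many salted targets show how the same work factor shrinks the crackable fraction of a large set.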

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography