So this is like SSH, where I could increase the KEY size without affecting the bandwidth? If using big SSH KEYs, that would ONLY mean slower logins? Similar to using bigger rounds on an OpenBSD CRYPTO device?
Thank you!

-------- Original Message --------
From: "Andy Bradford" <amb-open...@bradfords.org>
Apparently from: owner-misc+m145...@openbsd.org
To: "whoami toask" <whoamito...@safe-mail.net>
Cc: misc@openbsd.org
Subject: Re: CRYPT rounds vs. performance
Date: 3 Jan 2015 16:56:15 -0700

> Thus said "whoami toask" on Sat, 03 Jan 2015 17:18:04 -0500:
>
> > *- Does the rounds affect the disk performance, ex.: 1000 vs. 10 000
> > 000**? OR it just ONLY affects the time until the password unlocks the
> > CRYPT device?
>
> Yes, unless I'm mistaken, it really only affects how long it takes to
> generate the key from the passphrase. Once the key is in memory, the
> number of rounds is no longer really relevant.
>
> Also, one of the primary reasons for having salts/rounds is to protect
> against offline attacks against the password database (e.g. someone
> obtains /etc/master.passwd and begins to hash passwords until a match is
> found) using rainbow tables. With random salts and large rounds it will
> be extremely prohibitive to crack all the passwords in the database.
>
> In the case of an encrypted volume, however, we aren't talking about a
> password database with all kinds of usernames/passwords. We're talking
> about a single key derived from a passphrase which means salts/rounds
> don't have the same implications as they do for an offline attack
> against a database. In this case, it would seem that the best protection
> is a larger number of rounds (bioctl defaults to 8192 according to the
> man page).
>
> Andy
> --
> TAI64 timestamp: 4000000054a881c2
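
Added example, not part of the original thread and not OpenBSD's code: a sketch of the point made in the quoted reply, that the rounds setting changes only the one-time cost of turning the passphrase into a key, while the key the disk cipher then uses stays the same size. PBKDF2-HMAC-SHA1, the 32-byte key length, the sample salt and passphrase, and the 1e8-candidate guess list are assumptions chosen for illustration.

```python
import hashlib
import time

KEY_LEN = 32             # assumed volume-key size in bytes (illustrative)
SALT = bytes(range(16))  # constructed sample salt; a real one is random


def derive_key(passphrase: bytes, salt: bytes, rounds: int) -> bytes:
    """Stretch a passphrase into a fixed-size key (PBKDF2-HMAC-SHA1 assumed)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, salt, rounds, dklen=KEY_LEN)


def compare_rounds(passphrase: bytes, rounds_list):
    """Return (rounds, key length, seconds per derivation) for each setting."""
    rows = []
    for rounds in rounds_list:
        start = time.perf_counter()
        key = derive_key(passphrase, SALT, rounds)
        rows.append((rounds, len(key), time.perf_counter() - start))
    return rows


def days_to_exhaust(candidates: int, seconds_per_guess: float) -> float:
    """Single-core time for an offline attacker to try every candidate."""
    return candidates * seconds_per_guess / 86400


if __name__ == "__main__":
    # The key length column never changes: per-sector encryption only sees
    # the derived key, so the rounds value is paid once, at unlock time.
    for rounds, key_len, secs in compare_rounds(
        b"constructed passphrase", [1000, 8192, 200_000]
    ):
        days = days_to_exhaust(10**8, secs)
        print(
            f"{rounds:>7} rounds: {key_len}-byte key, "
            f"{secs * 1000:8.2f} ms per unlock, "
            f"{days:10.1f} days for 1e8 guesses"
        )
```

The same per-guess cost that the legitimate user pays once at unlock is what an offline attacker pays for every candidate passphrase, which is why a larger rounds value helps even for a single encrypted volume.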