Re: Default softraid crypto PBKDF2 rounds

2016-09-07 Thread Damien Miller 
On Wed, 7 Sep 2016, Andreas Bartelt wrote:

> yes, due to the larger internal state of the blowfish algorithm which is
> harder to efficiently realize in dedicated hardware. However, since bcrypt's
> internal state effectively is of fixed size, scrypt would be an even better
> option since it allows for a parameterization of this internal state. Is there
> any interest in switching to scrypt in the context of password authentication
> on OpenBSD?

no, its advantages aren't sufficient for the disruption IMO.

We might consider whatever wins the shootout going on between balloon
hashing and Argon2, but bcrypt has survived so incredibly well that
we can afford to wait.

Re: Default softraid crypto PBKDF2 rounds

2016-09-07 Thread Andreas Bartelt 

On 09/07/16 09:16, Damien Miller wrote:

On Tue, 6 Sep 2016, David Coppa wrote:


Il 6 settembre 2016 14:56:32 CEST, Filippo Valsorda  ha 
scritto:

Hello,

I recently had the occasion to dive into the softraid crypto code [1]
and was quite pleased with the cleanliness of it all. However, I found
surprising the default value of 8k PBKDF2 rounds.

I know it is easy to override and I should have RTFM, but I (naively,
I'll admit) assumed OpenBSD would pick very robust defaults, erring on
the conservative side. Is it maybe time to bump it up, or pick it based
on a quick machine benchmark?

If there's consensus I might also provide a patch for the live
benchmark
option.


yes, autodetection of a sensible value would be cool...


using bcrypt_kdf would be better :)




yes, due to the larger internal state of the blowfish algorithm which is 
harder to efficiently realize in dedicated hardware. However, since 
bcrypt's internal state effectively is of fixed size, scrypt would be an 
even better option since it allows for a parameterization of this 
internal state. Is there any interest in switching to scrypt in the 
context of password authentication on OpenBSD?

Re: Default softraid crypto PBKDF2 rounds

2016-09-07 Thread Damien Miller 
On Tue, 6 Sep 2016, David Coppa wrote:

> Il 6 settembre 2016 14:56:32 CEST, Filippo Valsorda  ha 
> scritto:
> >Hello,
> >
> >I recently had the occasion to dive into the softraid crypto code [1]
> >and was quite pleased with the cleanliness of it all. However, I found
> >surprising the default value of 8k PBKDF2 rounds.
> >
> >I know it is easy to override and I should have RTFM, but I (naively,
> >I'll admit) assumed OpenBSD would pick very robust defaults, erring on
> >the conservative side. Is it maybe time to bump it up, or pick it based
> >on a quick machine benchmark?
> >
> >If there's consensus I might also provide a patch for the live
> >benchmark
> >option.
> 
> yes, autodetection of a sensible value would be cool...

using bcrypt_kdf would be better :)

Re: Default softraid crypto PBKDF2 rounds

2016-09-06 Thread David Coppa 


Il 6 settembre 2016 14:56:32 CEST, Filippo Valsorda  ha 
scritto:
>Hello,
>
>I recently had the occasion to dive into the softraid crypto code [1]
>and was quite pleased with the cleanliness of it all. However, I found
>surprising the default value of 8k PBKDF2 rounds.
>
>I know it is easy to override and I should have RTFM, but I (naively,
>I'll admit) assumed OpenBSD would pick very robust defaults, erring on
>the conservative side. Is it maybe time to bump it up, or pick it based
>on a quick machine benchmark?
>
>If there's consensus I might also provide a patch for the live
>benchmark
>option.

yes, autodetection of a sensible value would be cool...

Cheers
David

Re: Default softraid crypto PBKDF2 rounds

2016-09-06 Thread Otto Moerbeek 
On Tue, Sep 06, 2016 at 01:56:32PM +0100, Filippo Valsorda wrote:

> Hello,
> 
> I recently had the occasion to dive into the softraid crypto code [1]
> and was quite pleased with the cleanliness of it all. However, I found
> surprising the default value of 8k PBKDF2 rounds.
> 
> I know it is easy to override and I should have RTFM, but I (naively,
> I'll admit) assumed OpenBSD would pick very robust defaults, erring on
> the conservative side. Is it maybe time to bump it up, or pick it based
> on a quick machine benchmark?
> 
> If there's consensus I might also provide a patch for the live benchmark
> option.
> 
> Thank you
> 
> [1]: https://blog.filippo.io/so-i-lost-my-openbsd-fde-password/

Since we do something like that for password bcrypt I'd say we are interested.

-Otto

Default softraid crypto PBKDF2 rounds

2016-09-06 Thread Filippo Valsorda 
Hello,

I recently had the occasion to dive into the softraid crypto code [1]
and was quite pleased with the cleanliness of it all. However, I found
surprising the default value of 8k PBKDF2 rounds.

I know it is easy to override and I should have RTFM, but I (naively,
I'll admit) assumed OpenBSD would pick very robust defaults, erring on
the conservative side. Is it maybe time to bump it up, or pick it based
on a quick machine benchmark?

If there's consensus I might also provide a patch for the live benchmark
option.

Thank you

[1]: https://blog.filippo.io/so-i-lost-my-openbsd-fde-password/