Re: Default softraid crypto PBKDF2 rounds
On Wed, 7 Sep 2016, Andreas Bartelt wrote: > yes, due to the larger internal state of the blowfish algorithm which is > harder to efficiently realize in dedicated hardware. However, since bcrypt's > internal state effectively is of fixed size, scrypt would be an even better > option since it allows for a parameterization of this internal state. Is there > any interest in switching to scrypt in the context of password authentication > on OpenBSD? no, its advantages aren't sufficient for the disruption IMO. We might consider whatever wins the shootout going on between balloon hashing and Argon2, but bcrypt has survived so incredibly well that we can afford to wait.
Re: Default softraid crypto PBKDF2 rounds
On 09/07/16 09:16, Damien Miller wrote: On Tue, 6 Sep 2016, David Coppa wrote: Il 6 settembre 2016 14:56:32 CEST, Filippo Valsordaha scritto: Hello, I recently had the occasion to dive into the softraid crypto code [1] and was quite pleased with the cleanliness of it all. However, I found surprising the default value of 8k PBKDF2 rounds. I know it is easy to override and I should have RTFM, but I (naively, I'll admit) assumed OpenBSD would pick very robust defaults, erring on the conservative side. Is it maybe time to bump it up, or pick it based on a quick machine benchmark? If there's consensus I might also provide a patch for the live benchmark option. yes, autodetection of a sensible value would be cool... using bcrypt_kdf would be better :) yes, due to the larger internal state of the blowfish algorithm which is harder to efficiently realize in dedicated hardware. However, since bcrypt's internal state effectively is of fixed size, scrypt would be an even better option since it allows for a parameterization of this internal state. Is there any interest in switching to scrypt in the context of password authentication on OpenBSD?
Re: Default softraid crypto PBKDF2 rounds
On Tue, 6 Sep 2016, David Coppa wrote: > Il 6 settembre 2016 14:56:32 CEST, Filippo Valsordaha > scritto: > >Hello, > > > >I recently had the occasion to dive into the softraid crypto code [1] > >and was quite pleased with the cleanliness of it all. However, I found > >surprising the default value of 8k PBKDF2 rounds. > > > >I know it is easy to override and I should have RTFM, but I (naively, > >I'll admit) assumed OpenBSD would pick very robust defaults, erring on > >the conservative side. Is it maybe time to bump it up, or pick it based > >on a quick machine benchmark? > > > >If there's consensus I might also provide a patch for the live > >benchmark > >option. > > yes, autodetection of a sensible value would be cool... using bcrypt_kdf would be better :)
Re: Default softraid crypto PBKDF2 rounds
Il 6 settembre 2016 14:56:32 CEST, Filippo Valsordaha scritto: >Hello, > >I recently had the occasion to dive into the softraid crypto code [1] >and was quite pleased with the cleanliness of it all. However, I found >surprising the default value of 8k PBKDF2 rounds. > >I know it is easy to override and I should have RTFM, but I (naively, >I'll admit) assumed OpenBSD would pick very robust defaults, erring on >the conservative side. Is it maybe time to bump it up, or pick it based >on a quick machine benchmark? > >If there's consensus I might also provide a patch for the live >benchmark >option. yes, autodetection of a sensible value would be cool... Cheers David
Re: Default softraid crypto PBKDF2 rounds
On Tue, Sep 06, 2016 at 01:56:32PM +0100, Filippo Valsorda wrote: > Hello, > > I recently had the occasion to dive into the softraid crypto code [1] > and was quite pleased with the cleanliness of it all. However, I found > surprising the default value of 8k PBKDF2 rounds. > > I know it is easy to override and I should have RTFM, but I (naively, > I'll admit) assumed OpenBSD would pick very robust defaults, erring on > the conservative side. Is it maybe time to bump it up, or pick it based > on a quick machine benchmark? > > If there's consensus I might also provide a patch for the live benchmark > option. > > Thank you > > [1]: https://blog.filippo.io/so-i-lost-my-openbsd-fde-password/ Since we do something like that for password bcrypt I'd say we are interested. -Otto
Default softraid crypto PBKDF2 rounds
Hello, I recently had the occasion to dive into the softraid crypto code [1] and was quite pleased with the cleanliness of it all. However, I found surprising the default value of 8k PBKDF2 rounds. I know it is easy to override and I should have RTFM, but I (naively, I'll admit) assumed OpenBSD would pick very robust defaults, erring on the conservative side. Is it maybe time to bump it up, or pick it based on a quick machine benchmark? If there's consensus I might also provide a patch for the live benchmark option. Thank you [1]: https://blog.filippo.io/so-i-lost-my-openbsd-fde-password/