Date: Sun, 19 Feb 2017 13:01:15 -0800 From: "Ngie Cooper (yaneurabeya)" <yaneurabeya@gmail.com> To: Allan Jude <allanjude@FreeBSD.org> Cc: src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r313962 - in head: etc/mtree sys/boot/geli sys/geom/eli tests/sys/geom tests/sys/geom/eli tests/sys/geom/eli/pbkdf2 Message-ID: <FEC3571D-4183-4386-913D-6854636C102A@gmail.com> In-Reply-To: <201702191930.v1JJUW3q051018@repo.freebsd.org> References: <201702191930.v1JJUW3q051018@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--Apple-Mail=_690F6A92-9D27-4313-A51D-220C98283BA3 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 > On Feb 19, 2017, at 11:30, Allan Jude <allanjude@FreeBSD.org> wrote: >=20 > Author: allanjude > Date: Sun Feb 19 19:30:31 2017 > New Revision: 313962 > URL: https://svnweb.freebsd.org/changeset/base/313962 >=20 > Log: > improve PBKDF2 performance >=20 > The PBKDF2 in sys/geom/eli/pkcs5v2.c is around half the speed it = could be >=20 > GELI's PBKDF2 uses a simple benchmark to determine a number of = iterations > that will takes approximately 2 seconds. The security provided is = actually > half what is expected, because an attacker could use the optimized > algorithm to brute force the key in half the expected time. >=20 > With this change, all newly generated GELI keys will be approximately = 2x > as strong. Previously generated keys will talk half as long to = calculate, > resulting in faster mounting of encrypted volumes. Users may choose = to > rekey, to generate a new key with the larger default number of = iterations > using the geli(8) setkey command. >=20 > Security of existing data is not compromised, as ~1 second per brute = force > attempt is still a very high threshold. >=20 > PR: 202365 > Original Research: = https://jbp.io/2015/08/11/pbkdf2-performance-matters/ > Submitted by: Joe Pixton <jpixton@gmail.com> (Original = Version), jmg (Later Version) > Reviewed by: ed, pjd, delphij > Approved by: secteam, pjd (maintainer) > MFC after: 2 weeks > Differential Revision: https://reviews.freebsd.org/D8236 >=20 > Added: > head/tests/sys/geom/eli/ > head/tests/sys/geom/eli/Makefile (contents, props changed) > head/tests/sys/geom/eli/pbkdf2/ > head/tests/sys/geom/eli/pbkdf2/Makefile (contents, props changed) > head/tests/sys/geom/eli/pbkdf2/gentestvect.py (contents, props = changed) > head/tests/sys/geom/eli/pbkdf2/hmactest.c (contents, props changed) > head/tests/sys/geom/eli/pbkdf2/testvect.h (contents, props changed) > Modified: > head/etc/mtree/BSD.tests.dist > head/sys/boot/geli/Makefile > head/sys/geom/eli/g_eli.h > head/sys/geom/eli/g_eli_hmac.c > head/sys/geom/eli/pkcs5v2.c > head/tests/sys/geom/Makefile python (2.x) is now a requirement for the build after this = commit--this is problematic for a few reasons: 1. py3k is quickly becoming the defacto version upstream, and = sometime in the future will become the one and only version. 2. python is not in the limited path when the build is executed, = and unfortunately this path might be triggered if the file that=E2=80=99s = generated is older than the script. 3. Not everyone is guaranteed to install the python port. Could you please fix this? Thanks, -Ngie PS. The script that was committed is also not-PEP8 compliant (I see hard = tab indentation instead of 4-space indents). --Apple-Mail=_690F6A92-9D27-4313-A51D-220C98283BA3 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJYqgebAAoJEPWDqSZpMIYVQggQAJoc9/+tD9w/utxTvlH42r4Z IPY49A6hWM57CCvUQ/REPuim5306Og/iK2iImXJaOjXNHFTK638dMhIJ+yXw/u+F cVIQke7TEJBi49whvAZhJ0sG3dlCx70jGRDgrNozjYXko5Eh3ewwXPTlk8DBjknR eYR0mnNZ7p3geKoQPMzuDKkzWS79cWrT2210B86IPPCnLKcpB2bB9Na6Q7jRVjr4 DNhRQzULLjkGe2/yoN8WZdpCElceTldrM7CbeyJ2nMm7neuTKdKaulQSd9gjV+8W eUcAsFLWkIbIrXOcS6kA6wFw4DOBJOFiJBedjI2+TsdPzpFQCLPSpmgnfWD/+5nJ jvWGXpI+pTpFHu6HimtYI/xK+b3erbcKXCzm+9GxfEnQ675CNKefSMoAsShVzoQt 21/gC3xrnua07MCuPxSlYMJpjqiEDDvYBXTdCf5//6Ma8Vhit3S16+7MpMgH+Jum SeiC7xWwQ82tsX6MALukgweRrlCK1EjDc+AGSwOgaEtKVx8UIb7c418JGKgRqjo0 1EPePdfG2bH7UXa1P7uhqw342L6bag2Zri7r5htVYW8rLyvytB7O2BAbdHzm73Vr a0DE5e79lfyyPYxcPwjFsRCAEETZq85L89TD0x1jtdAVsQuQaNaWqx4zhJxSbd2u bUHgb1c8MJDmFjZVn7Xt =3AH5 -----END PGP SIGNATURE----- --Apple-Mail=_690F6A92-9D27-4313-A51D-220C98283BA3--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?FEC3571D-4183-4386-913D-6854636C102A>