Date: Sun, 19 Feb 2017 13:01:15 -0800 From: "Ngie Cooper (yaneurabeya)" <yaneurabeya@gmail.com> To: Allan Jude <allanjude@FreeBSD.org> Cc: src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r313962 - in head: etc/mtree sys/boot/geli sys/geom/eli tests/sys/geom tests/sys/geom/eli tests/sys/geom/eli/pbkdf2 Message-ID: <FEC3571D-4183-4386-913D-6854636C102A@gmail.com> In-Reply-To: <201702191930.v1JJUW3q051018@repo.freebsd.org> References: <201702191930.v1JJUW3q051018@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] > On Feb 19, 2017, at 11:30, Allan Jude <allanjude@FreeBSD.org> wrote: > > Author: allanjude > Date: Sun Feb 19 19:30:31 2017 > New Revision: 313962 > URL: https://svnweb.freebsd.org/changeset/base/313962 > > Log: > improve PBKDF2 performance > > The PBKDF2 in sys/geom/eli/pkcs5v2.c is around half the speed it could be > > GELI's PBKDF2 uses a simple benchmark to determine a number of iterations > that will takes approximately 2 seconds. The security provided is actually > half what is expected, because an attacker could use the optimized > algorithm to brute force the key in half the expected time. > > With this change, all newly generated GELI keys will be approximately 2x > as strong. Previously generated keys will talk half as long to calculate, > resulting in faster mounting of encrypted volumes. Users may choose to > rekey, to generate a new key with the larger default number of iterations > using the geli(8) setkey command. > > Security of existing data is not compromised, as ~1 second per brute force > attempt is still a very high threshold. > > PR: 202365 > Original Research: https://jbp.io/2015/08/11/pbkdf2-performance-matters/ > Submitted by: Joe Pixton <jpixton@gmail.com> (Original Version), jmg (Later Version) > Reviewed by: ed, pjd, delphij > Approved by: secteam, pjd (maintainer) > MFC after: 2 weeks > Differential Revision: https://reviews.freebsd.org/D8236 > > Added: > head/tests/sys/geom/eli/ > head/tests/sys/geom/eli/Makefile (contents, props changed) > head/tests/sys/geom/eli/pbkdf2/ > head/tests/sys/geom/eli/pbkdf2/Makefile (contents, props changed) > head/tests/sys/geom/eli/pbkdf2/gentestvect.py (contents, props changed) > head/tests/sys/geom/eli/pbkdf2/hmactest.c (contents, props changed) > head/tests/sys/geom/eli/pbkdf2/testvect.h (contents, props changed) > Modified: > head/etc/mtree/BSD.tests.dist > head/sys/boot/geli/Makefile > head/sys/geom/eli/g_eli.h > head/sys/geom/eli/g_eli_hmac.c > head/sys/geom/eli/pkcs5v2.c > head/tests/sys/geom/Makefile python (2.x) is now a requirement for the build after this commit--this is problematic for a few reasons: 1. py3k is quickly becoming the defacto version upstream, and sometime in the future will become the one and only version. 2. python is not in the limited path when the build is executed, and unfortunately this path might be triggered if the file that’s generated is older than the script. 3. Not everyone is guaranteed to install the python port. Could you please fix this? Thanks, -Ngie PS. The script that was committed is also not-PEP8 compliant (I see hard tab indentation instead of 4-space indents). [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJYqgebAAoJEPWDqSZpMIYVQggQAJoc9/+tD9w/utxTvlH42r4Z IPY49A6hWM57CCvUQ/REPuim5306Og/iK2iImXJaOjXNHFTK638dMhIJ+yXw/u+F cVIQke7TEJBi49whvAZhJ0sG3dlCx70jGRDgrNozjYXko5Eh3ewwXPTlk8DBjknR eYR0mnNZ7p3geKoQPMzuDKkzWS79cWrT2210B86IPPCnLKcpB2bB9Na6Q7jRVjr4 DNhRQzULLjkGe2/yoN8WZdpCElceTldrM7CbeyJ2nMm7neuTKdKaulQSd9gjV+8W eUcAsFLWkIbIrXOcS6kA6wFw4DOBJOFiJBedjI2+TsdPzpFQCLPSpmgnfWD/+5nJ jvWGXpI+pTpFHu6HimtYI/xK+b3erbcKXCzm+9GxfEnQ675CNKefSMoAsShVzoQt 21/gC3xrnua07MCuPxSlYMJpjqiEDDvYBXTdCf5//6Ma8Vhit3S16+7MpMgH+Jum SeiC7xWwQ82tsX6MALukgweRrlCK1EjDc+AGSwOgaEtKVx8UIb7c418JGKgRqjo0 1EPePdfG2bH7UXa1P7uhqw342L6bag2Zri7r5htVYW8rLyvytB7O2BAbdHzm73Vr a0DE5e79lfyyPYxcPwjFsRCAEETZq85L89TD0x1jtdAVsQuQaNaWqx4zhJxSbd2u bUHgb1c8MJDmFjZVn7Xt =3AH5 -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?FEC3571D-4183-4386-913D-6854636C102A>