From owner-freebsd-security@FreeBSD.ORG Mon Jun 11 16:24:33 2012
Date: Mon, 11 Jun 2012 19:24:23 +0300
From: Gleb Kurtsou
To: "Simon L. B. Nielsen"
Cc: Dag-Erling Smørgrav, Lev Serebryakov, freebsd-security@freebsd.org
Subject: Re: Default password hash
Message-ID: <20120611162423.GA27001@reks>
References: <86r4tqotjo.fsf@ds4.des.no> <6E26E03B-8D1D-44D3-B94E-0552BE5CA894@FreeBSD.org> <734419687.20120611144402@serebryakov.spb.ru>
List-Id: "Security issues [members-only posting]"

On (11/06/2012 12:51), Simon L. B. Nielsen wrote:
> On Mon, Jun 11, 2012 at 11:44 AM, Lev Serebryakov wrote:
> > Hello, Simon.
> > You wrote 10 June 2012, 14:02:50:
> >
> > SLBN> Has anyone looked at how long the SHA512 password hashing
> > SLBN> actually takes on modern computers?
> >  Modern computers are not what you should be afraid of. Modern GPUs are.
> > And they are incredibly fast at calculating MD5, SHA-1 and SHA-2.
> >
> >  Modern key-derivation schemes must be RAM-heavy, not CPU-heavy.
>
> But the modern CPUs will limit the number of rounds you can use for a
> hash (if you use the same system as md5crypt), as you can't let users wait
> 10+ seconds to check their password.
>
> >  And I don't understand why we should use our home-grown
> > "strengthening" algorithms instead of "standard" choices: PBKDF2[1],
> > bcrypt[2] and (my favorite) scrypt[3].
>
> Recall that FreeBSD's MD5 strengthening probably predates most of the
> other systems by a while (I'm too lazy to look it up).
>
> That said, I generally agree we should go with something standard or
> existing unless there is a very good reason not to.
>
> PBKDF2 / RFC2898 is what GELI uses (which I mentioned previously).
PBKDF2 as a key derivation function is a bit different from the key stretching concept. A KDF's *main* goal is to produce cryptographically good keys, not to make brute-force attacks hard on GPU/FPGA/etc. As already mentioned, nowadays good key stretching algorithms are supposed to be GPU-unfriendly. That is the case with crypt_blowfish, crypt_md5 and crypt_sha* thanks to data-dependent branching, but it's not true for PBKDF2.

I suppose everybody reading this thread has already seen the recent presentation by Solar Designer on password security (video should also be available online):

http://www.openwall.com/presentations/PHDays2012-Password-Security/

What is particularly interesting is the following slide, comparing crypt_sha512/crypt_blowfish GPU-friendliness and performance:

http://www.openwall.com/presentations/PHDays2012-Password-Security/mgp00037.html

In other words, currently there is no benefit in switching the default algorithm to the relatively new crypt_sha512 vs the 256-iteration crypt_blowfish supported on RELENG_7.

crypt-md5.c excerpt:

    /* pw = password, sp/sl = salt and its length, final = running digest */
    for (i = 0; i < 1000; i++) {
        MD5Init(&ctx1);
        if (i & 1)
            MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
        else
            MD5Update(&ctx1, (const u_char *)final, MD5_SIZE);
        if (i % 3)
            MD5Update(&ctx1, (const u_char *)sp, (u_int)sl);
        if (i % 7)
            MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
        if (i & 1)
            MD5Update(&ctx1, (const u_char *)final, MD5_SIZE);
        else
            MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
        MD5Final(final, &ctx1);
    }

> > [1] http://tools.ietf.org/html/rfc2898
> > [2] http://static.usenix.org/events/usenix99/provos/provos_html/node1.html
> > [3] http://www.tarsnap.com/scrypt.html
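As an added example (not code from the thread or from FreeBSD), here is a Python port of the whole md5crypt ($1$) construction around the crypt-md5.c loop quoted above, so the round-counter-dependent mixing of password, salt and state can be read end to end; the salt and password values in the comments and test are constructed, not known vectors.

```python
import hashlib
import hmac

# Added example (not the thread's code): Python port of FreeBSD md5crypt ($1$),
# including the 1000-round loop quoted from crypt-md5.c.
_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    # crypt(3)-style base64: 6 bits per character, least significant first.
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password, salt):
    magic = b"$1$"
    if salt.startswith(magic):
        salt = salt[len(magic):]
    salt = salt.split(b"$", 1)[0][:8]  # at most 8 salt characters
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for pl in range(len(password), 0, -16):  # mix in alt, one byte per pw byte
        ctx.update(alt[:min(16, pl)])
    i = len(password)
    while i:  # bits of the length select a NUL byte or pw[0]
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    # The stretching loop quoted from crypt-md5.c: which of pw, salt and the
    # running state get hashed in a round depends on the round counter, so
    # each of the 1000 rounds is a distinct, serially dependent MD5 computation.
    for i in range(1000):
        ctx1 = hashlib.md5(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    # Output: 22 crypt-base64 chars from byte triples in crypt-md5.c's order.
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                       for a, b, c in triples) + _to64(final[11], 2)
    return magic + salt + b"$" + encoded


def check_password(password, stored_hash):
    # Recompute with the stored salt and compare without leaking timing.
    return hmac.compare_digest(md5crypt(password, stored_hash), stored_hash)
```

Because the 1000 rounds are serial and each round's input layout changes with the counter, one core can only evaluate one candidate at a time per chain, which is the property the thread contrasts with PBKDF2's uniform, easily parallelised rounds.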