(update costs: spot prices are 3x cheaper)
| Line 132: | Line 132: | ||
Adding scrypt() to the derivation chain raises the attack cost for the | Adding scrypt() to the derivation chain raises the attack cost for the | ||
WUK-holding server (and friends) significantly. If we assume that the helper | WUK-holding server (and friends) significantly. If we assume that the helper | ||
runs on an AWS EC2 m1.small instance (at | runs on an AWS EC2 m1.small instance (at today's spot cost of $0.027/hour), | ||
attacker's hardware has similar costs, then they must spend about | and that the attacker's hardware has similar costs, then they must spend | ||
$ | about $7.5*10<sup>-6</sup> for each 1s guess (i.e. each dollar gets them 133k | ||
guesses). The PBKDF cost is negligible in comparison. This class of attacker | guesses). The PBKDF cost is negligible in comparison. This class of attacker | ||
must then spend about $ | must then spend about $258k to exhaust the 35-bit password space assumed | ||
above. | above. | ||
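Review bot: "today's spot cost of $0.027/hour" in the new right-hand text is undated, so the per-guess and $258k figures derived from it cannot be rechecked later; state the date and region the price was taken from. The arithmetic itself is consistent: $0.027 per 3600 seconds is $7.5*10<sup>-6</sup> per 1s guess, about 133k guesses per dollar, and 2<sup>35</sup> guesses come to about $258k. Since $258k is the cost to exhaust the space, consider also noting that, under the same uniform 35-bit assumption, the expected cost to find one password is about half that.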
| Line 145: | Line 145: | ||
The Helper is, of course, a new category of attacker: it could misbehave and | The Helper is, of course, a new category of attacker: it could misbehave and | ||
retain the "A" or "B" values, or an intruder might modify its code to do the | retain the "A" or "B" values, or an intruder might modify its code to do the | ||
same. Knowledge of "A" allows an attack limited by the first PBKDF step. | same, or an eavesdropper might see "A" or "B" in transit. Knowledge of "A" | ||
Knowledge of both "B" and the WUK allows an attack limited by the second | allows an attack limited by the first PBKDF step. Knowledge of both "B" and | ||
PBKDF step. In both cases, the attack is no better than the one available to | the WUK allows an attack limited by the second PBKDF step. In both cases, the | ||
the Primary-Server-And-Friends in the only-PBKDF design. | attack is no better than the one available to the Primary-Server-And-Friends | ||
in the only-PBKDF design. | |||
The significant advantage, however, is that ex-post-facto attacks do not | The significant advantage, however, is that ex-post-facto attacks do not | ||
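Review bot: the added clause "or an eavesdropper might see "A" or "B" in transit" is attached to a sentence whose subject is the Helper ("it could misbehave ..."), so a network eavesdropper reads as a kind of Helper misbehaviour. Split it into its own sentence, and say what protects the client-to-helper channel, because the following sentences treat knowledge of "A", or of "B" plus the WUK, the same way regardless of who obtained it.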
| Line 162: | Line 163: | ||
long-term WUK value to function correctly, however in this proposal the WUK does | long-term WUK value to function correctly, however in this proposal the WUK does | ||
not provide the same low-cost attack vector. | not provide the same low-cost attack vector. | ||
(caveats: you should always be skeptical of models that claim to produce | |||
actual numbers. All the dollar costs here are intended as rough | |||
order-of-magnitude estimates, and various factors could result in excursions | |||
either way. For example, EC2 "t1.micro" instances might work just as well, | |||
and are 4x cheaper. Specialized hardware could compute scrypt() cheaper than | |||
an EC2 instance.) | |||
=== local scrypt === | === local scrypt === | ||
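Review bot: the caveats paragraph is added after the WUK paragraph at line 162, but the dollar figures it qualifies sit in the scrypt cost paragraph at line 132; move it next to those numbers or refer back to them. "4x cheaper" for t1.micro is also given without a price or a note on whether it is a spot price, unlike the $0.027/hour quoted for m1.small, so a reader cannot redo the estimate for that case.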