Identity/CryptoIdeas/01-PBKDF-scrypt: Difference between revisions

use HKDF for expansion, not PBKDF2
Line 272:
* 10-Apr-2012: updated cost model: EC2 spot prices are 3x lower than on-demand, lowering scrypt "expensive" attack from $750k to $258k -warner
* note that the current plan is to *not* store the WUK on a Primary IdP, but only on a mozilla server -warner
* 17-Apr-2012: PBKDF2, when used to create 3 keys, takes 3 times as long (i.e. we get one third the protection for a given user delay). I'd rather generate multiple keys with the HKDF expansion step, which is safe but doesn't repeat the stretching. And once we're using that, it's easier to write the spec if we use the HKDF extraction step too (even though it's unnecessary here: the output of PBKDF is already uniform). So I'm going to rewrite that part to do C=PBKDF2(P=join(B,password),S=constant), PWK,MAC,SRPpw=HKDF(XTS=constant, SKM=C, CTXinfo="", L=3*256/8).
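
The derivation described in the 17-Apr-2012 note, as an added example (not code from this wiki page or from the project): one PBKDF2 pass, then HKDF extract-and-expand to three 256-bit keys, plus a check of why asking PBKDF2 itself for 96 bytes triples the work. The hash (SHA-256), iteration count, both constant salts, the `join()` encoding and the sample inputs are assumptions; the note does not specify them.

```python
import hashlib
import hmac

HASH = "sha256"                          # assumption: the note names no hash
ITERATIONS = 10_000                      # assumption: constructed cost parameter
PBKDF_SALT = b"constructed-pbkdf2-salt"  # stands in for S=constant
HKDF_SALT = b"constructed-hkdf-salt"     # stands in for XTS=constant


def join(b: bytes, password: bytes) -> bytes:
    """Hypothetical join(): length-prefix B so two (B, password) pairs cannot collide."""
    return len(b).to_bytes(2, "big") + b + password


def hkdf_extract(xts: bytes, skm: bytes) -> bytes:
    """RFC 5869 extract: PRK = HMAC(key=salt, msg=source keying material)."""
    return hmac.new(xts, skm, HASH).digest()


def hkdf_expand(prk: bytes, ctxinfo: bytes, length: int) -> bytes:
    """RFC 5869 expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + ctxinfo + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def derive_keys(b: bytes, password: bytes):
    """Stretch once with PBKDF2, then expand to PWK, MAC and SRPpw (32 bytes each)."""
    c = hashlib.pbkdf2_hmac(HASH, join(b, password), PBKDF_SALT, ITERATIONS, dklen=32)
    okm = hkdf_expand(hkdf_extract(HKDF_SALT, c), b"", 3 * 256 // 8)
    return okm[0:32], okm[32:64], okm[64:96]


def pbkdf2_blocks_are_independent(secret: bytes) -> bool:
    """Each 32-byte PBKDF2 output block is its own full iteration chain, so
    96 bytes cost three chains and the first block equals a 32-byte derivation."""
    long = hashlib.pbkdf2_hmac(HASH, secret, PBKDF_SALT, ITERATIONS, dklen=96)
    short = hashlib.pbkdf2_hmac(HASH, secret, PBKDF_SALT, ITERATIONS, dklen=32)
    return long[:32] == short


if __name__ == "__main__":
    # Constructed sample inputs; B is treated as opaque bytes.
    for key in derive_keys(b"user@example.com", b"constructed password"):
        print(key.hex())
```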