Jon Callas <[email protected]> writes:

>On Jul 17, 2009, at 8:39 PM, Peter Gutmann wrote:
>> PGP Desktop 9 uses as its default an iteration count of four
>> million (!!) for its password hashing, which looks like a DoS to
>> anything that does sanity-checking of input.
>
>That's precisely what it is -- a denial of service to password crackers.

In that case why not use a billion iterations (or at least bytes of output),
that would really slow down attackers.

>In the implementation, we upped the default because of more password
>cracking, but also added a twist in it. We time the number of iterations take
>1/10 of a second on the computer you're using, and use that value. The goal
>is to have the iteration count scale as computers get faster without having
>to make software changes.

Where this falls apart completely is when there are asymmetric capabilities
across sender and receiver. Having an embedded device suspend (near) real-time
processing while it iterates away at something generated on a multicore 3GHz
desktop PC isn't really an option in a production environment (the actual
diagnosis was "messages generated by PGP Desktop cause our devices to crash"
because they were triggering a deadman timer that soft-restarted them, it
wasn't until they used an implementation that sanity-checked input values that
they realised what the problem was).

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
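
A receiver-side sanity check of the kind the message refers to, as an added example that is not from the original post or from any PGP implementation. It assumes the password hashing is the OpenPGP iterated-and-salted S2K specifier of RFC 4880, which the message does not name; `s2k_check`, `max_octets`, the 65536-octet budget and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* RFC 4880 section 3.7.1.3: iterated and salted S2K specifier layout. */
#define S2K_ITERATED_SALTED 3
#define S2K_SPEC_LEN 11          /* type + hash algo + 8-byte salt + coded count */
#define S2K_EXPBIAS 6

enum s2k_status { S2K_OK = 0, S2K_MALFORMED = -1, S2K_TOO_EXPENSIVE = -2 };

/* Expand the one-octet coded count into the number of octets to be hashed
 * (the format counts octets fed to the hash, not hash invocations). */
uint32_t s2k_decode_count(uint8_t c)
{
    return ((uint32_t)16 + (c & 15)) << ((c >> 4) + S2K_EXPBIAS);
}

/*
 * Validate an S2K specifier before doing any hashing. max_octets is the
 * receiver's own budget (hypothetical parameter), chosen from what this
 * device can hash without missing its real-time deadlines.
 */
int s2k_check(const uint8_t *spec, size_t len, uint32_t max_octets,
              uint32_t *count_out)
{
    if (spec == NULL || len < S2K_SPEC_LEN || spec[0] != S2K_ITERATED_SALTED)
        return S2K_MALFORMED;
    uint32_t count = s2k_decode_count(spec[S2K_SPEC_LEN - 1]);
    if (count_out != NULL)
        *count_out = count;
    /* Reject cleanly instead of starting work the watchdog will interrupt. */
    return count > max_octets ? S2K_TOO_EXPENSIVE : S2K_OK;
}

/* Constructed sample: SHA-1 (algo 2), zero salt, coded count 0xC0. */
static const uint8_t sample_spec[S2K_SPEC_LEN] = {
    3, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0xC0
};

int main(void)
{
    uint32_t count = 0;
    /* 65536 octets is an assumed budget for a small device. */
    int rc = s2k_check(sample_spec, sizeof sample_spec, 65536u, &count);
    return rc == S2K_TOO_EXPENSIVE ? 0 : 1;
}
```

The coded count 0xC0 in the sample expands to 4194304, so a device with the assumed budget returns an error to the caller rather than hashing until its deadman timer fires.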
