[144637] in cryptography@c2.net mail archive
Re: XML signature HMAC truncation authentication bypass
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Sun Jul 26 11:00:33 2009
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: jon@callas.org, pgut001@cs.auckland.ac.nz
Cc: cryptography@metzdowd.com, lmeiners@gmail.com
In-Reply-To: <39DF3970-B4F0-4786-97CB-FF80FD567BA7@callas.org>
Date: Mon, 27 Jul 2009 01:24:58 +1200
Jon Callas <jon@callas.org> writes:
>On Jul 17, 2009, at 8:39 PM, Peter Gutmann wrote:
>> PGP Desktop 9 uses as its default an iteration count of four
>> million (!!) for its password hashing, which looks like a DoS to
>> anything that does sanity-checking of input.
>
>That's precisely what it is -- a denial of service to password crackers.
In that case why not use a billion iterations (or at least bytes of output);
that would really slow down attackers.
>In the implementation, we upped the default because of more password
>cracking, but also added a twist in it. We time the number of iterations that
>take 1/10 of a second on the computer you're using, and use that value. The goal
>is to have the iteration count scale as computers get faster without having
>to make software changes.
Where this falls apart completely is when there are asymmetric capabilities
across sender and receiver. Having an embedded device suspend (near) real-time
processing while it iterates away at something generated on a multicore 3GHz
desktop PC isn't really an option in a production environment (the actual
diagnosis was "messages generated by PGP Desktop cause our devices to crash"
because they were triggering a deadman timer that soft-restarted them; it
wasn't until they used an implementation that sanity-checked input values that
they realised what the problem was).
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
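The two halves of the exchange above, as an added example that is not code from the thread, PGP Desktop or OpenPGP: a sender that calibrates its iteration count to about 1/10 s on its own hardware, and a receiver that sanity-checks the peer-supplied count against its own work budget before deriving anything. PBKDF2-HMAC-SHA256 stands in for the password hashing discussed, and the cap of 100,000 iterations is a constructed value for illustration.

```python
import hashlib
import time

# Receiver-side policy: the most KDF work this device will accept from a peer.
# Constructed value for the example; a real device derives it from its own budget.
MAX_ITERATIONS = 100_000


class IterationCountTooHigh(ValueError):
    """Raised when a message asks for more KDF work than this receiver allows."""


def calibrate_iterations(target_seconds=0.1, probe=10_000):
    """Sender-side calibration as described in the thread: run a short probe,
    then scale the count so a derivation takes roughly target_seconds here.
    The result depends on the sender's CPU, which is exactly what hurts a
    slower receiver that has to replay the same work."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", b"\x00" * 16, probe)
    elapsed = time.perf_counter() - start
    return max(probe, int(probe * target_seconds / max(elapsed, 1e-9)))


def derive_key(password, salt, iterations, max_iterations=MAX_ITERATIONS):
    """Receiver-side derivation that validates the peer-supplied count before
    doing any work, so an oversized count fails fast instead of stalling the
    device long enough to trip a watchdog."""
    if not isinstance(iterations, int) or iterations < 1:
        raise ValueError("iteration count must be a positive integer")
    if iterations > max_iterations:
        raise IterationCountTooHigh(
            f"peer asked for {iterations} iterations, receiver cap is {max_iterations}")
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def accepts_iteration_count(iterations, max_iterations=MAX_ITERATIONS):
    """Return True if a message carrying this iteration count would be processed.
    The rejection path performs no hashing at all."""
    try:
        derive_key(b"pw", b"\x00" * 16, iterations, max_iterations)
    except IterationCountTooHigh:
        return False
    return True


if __name__ == "__main__":
    print("sender would pick", calibrate_iterations(), "iterations for 0.1 s here")
    # Four million is the PGP Desktop 9 default quoted in the thread.
    print("receiver accepts 4,000,000:", accepts_iteration_count(4_000_000))
    print("receiver accepts 50,000:", accepts_iteration_count(50_000))
```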