Derivation time: 0.8s Architecture: x86_64 Model name: QEMU Virtual CPU version 0.12
Derivation time: 0.9s Architecture: x86_64 Model name: Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz Derivation time: 1,3-1,6s Architecture: x86_64 Model name: Intel(R) Core(TM) i5-4200U CPU @ 1.60GHz All used as both region and rack controllers. On Fri, Jun 2, 2017 at 5:00 AM Seth Arnold <[email protected]> wrote: > On Thu, Jun 01, 2017 at 05:46:52PM -0700, Mike Pontillo wrote: > > In doing so, I'm looking at deriving an shared key that can be used to > > encrypt network traffic between peer rack and region controllers, and > > eventually commissioned machines. The industry standard for key > derivation > > is the PBKDF2 algorithm, which makes brute force attacks to derive the > > password from the key harder (by repeatedly running a hash function). > > PBKDF2 is also fairly old; I believe most cryptographers would prefer > argon2, scrypt, or bcrypt to PBKDF2, with a grudging acceptance that if > you have to sell into the FIPS marketplace you may not have a choice. > Do we have a choice? > > We should also worry about the asymmetry of attackers vs defenders. > Hashcat on gtx1080 GPUs can crack roughly a thousand of these > million-iteration PBKDF2 per second. > > (I'm extrapolating a bit from the data easily available. This forum post > says the benchmark uses 1000 iterations: > https://hashcat.net/forum/thread-5799.html > And these results say that it can run over a million per second: > https://gist.github.com/epixoip/6ee29d5d626bd8dfe671a2d8f188b77b > https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40 > So my assumption is one thousand times the work means a one thousand time > slowdown. I haven't tested these speeds myself.) > > This points out that no matter how expensive the KDF being used, > passwords such as '123456' 'monkey' etc are always terrible. It might > take the controllers one second or so to generate the key, but given a > password in the usual top-1000 list of passwords, hashcat can break it > in about the same time it took to generate it. > > Thanks > -- > Maas-devel mailing list > [email protected] > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/maas-devel > -- Ante Karamatić [email protected] Canonical
-- Maas-devel mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/maas-devel
