On Dec 26, 2013, at 8:09 PM, Bill Cox wrote:
> .... If we use a memory hard KDF that hashes 4 GB with RNG data on our PCs
> in 1 second....
OK, so now we've moved from abstraction to a concrete proposal.
And just who would use such a KDF? Tying up 4GB for a second is a very
expensive proposition on a server. People have to manage thousands of logins a
second, so you're talking about devoting Terabytes of main memory - not disk or
SSD - *just to logins*.
You've suggested doing the KDF computation on the client. How many clients
have 4GB of free memory? I've got a laptop with 8GB of memory. When in active
use, it never has even 2GB free. Maybe my laptop can do the computation - but
it will take a while because it'll have to swap stuff out. (And of course then
they'll have to swap it back in.) I see this happen periodically when I've got
a bit too much stuff running, and it ain't pretty. Hardly any user would be
willing to accept the performance loss.
As for portable devices - I'm not sure any of them actually *have* 4GB of RAM in
total. And the power costs of pegging the CPU for a second are non-trivial,
too. So basically you're writing them all off.
The parameters you've suggested basically limit secure communication to someone
with the NSA's resources. :-)
-- Jerry