RE: [Passwordsafe-devel] Validation flaw addressed in version 2.14
Popular easy-to-use and secure password manager
Brought to you by:
ronys
From: Rony S. <ro...@gm...> - 2005-11-25 12:16:53
|
Hi Jeff, Thanks for sharing the benchmark numbers. Indeed it would seem that 1000 SHA-1 iterations is not much of a speed bump nowadays. The question of how many iterations to use is a tradeoff between slowing down brute-force attacks and not making users wait too long on slow machines. In our context, I think the canonical "slow machine" should be considered a 200MHz HP-iPAQ PDA - this is optimistically assuming that the porting effort forthe PPC platform will succeeed (right now they're kind of stalled). This should define the upper bound of the number of iterations (N). Perhaps the lower bound should be defined by the ratio between the time it takes to run N hash iterations and the time it takes to decrypt a single block via the block cipher. I think the difference should be at least two orders of magnitude. If you (or anyone on the list) would care to do the benchmarks, I'd be very grateful. Since we're doing a compatability break, I'm considering changing the cipher and hash algorithms to twofish (mainly because of the bigger blocksize - 128 bits v.s. 64 for blowfish) and SHA-256 (mainly to get a 256 bit cipher key (v.s. 160 for SHA-1), but also to avoid the stigma associated with recent attacks on SHA-1 - although the attacks are totally irrelevant to the way SHA-1 is used in PasswordSafe). So benchmarks with these algorithms would be really useful. Cheers, Rony > > I did some quick benchmarks with SHA-1 taking a 20byte text string, > hashing it, and then repeatingly hashing the output of the hash for > 1000, 10000, and 10000 times on a few different machines to get an > idea of how long it takes. Based on my results, doing 1000 iterations > would be no problem for all but the most dated systems. More than 5 > year ago when I was at Entrust, we were hashing the profile password > 10000 times if I remember correctly. Even back then it was not a > problem for slower machines. > > Taking less than a second to authenticate to Password Safe is more > than reasonable. With SHA-1 you can easily obtain that even with > 100000 iterations. If you are going to change the database format, I > would also suggest going with a different hash algorithm like SHA-256 > while you are at it. > > > **** Pentium3 866 MHz **** > > Benchmarking 1000 SHA-1 hash iterations... > Wall Clock: 0.002444 seconds > > Benchmarking 10000 SHA-1 hash iterations... > Wall Clock: 0.024180 seconds > > Benchmarking 100000 SHA-1 hash iterations... > Wall Clock: 0.240746 seconds > > > **** Pentium4 1.4 GHz **** > > Benchmarking 1000 SHA-1 hash iterations... > Wall Clock: 0.003000 seconds > > Benchmarking 10000 SHA-1 hash iterations... > Wall Clock: 0.017000 seconds > > Benchmarking 100000 SHA-1 hash iterations... > Wall Clock: 0.161000 seconds > > > **** Pentium4 3.0 GHz **** > > Benchmarking 1000 SHA-1 hash iterations... > Wall Clock: 0.000871 seconds > > Benchmarking 10000 SHA-1 hash iterations... > Wall Clock: 0.008133 seconds > > Benchmarking 100000 SHA-1 hash iterations... > Wall Clock: 0.088049 seconds > > > Jeff. > > |