From: Phillip Hellewell <phillip@hellewell.homeip.net>
To: Michael Halcrow <lkml@halcrow.us>
Cc: Phillip Susi <psusi@cfl.rr.com>,
Michael Halcrow <mhalcrow@us.ibm.com>,
akpm@osdl.org, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, viro@ftp.linux.org.uk,
mcthomps@us.ibm.com, yoder1@us.ibm.com, toml@us.ibm.com,
emilyr@us.ibm.com, daw@cs.ber
Subject: Re: eCryptfs Design Document
Date: Sun, 26 Mar 2006 17:05:22 -0700 [thread overview]
Message-ID: <20060327000522.GA11655@hellewell.homeip.net> (raw)
In-Reply-To: <20060326180458.GA10056@halcrow.us>
> The salt in eCryptfs is 64 bits (8 octets, per the spec of the
> iterated and salted S2K; see Section 3.6.1.3 RFC 2440). Without the
> iterated hashing, the raw dictionary generation will require storage
> on the scale of 2^64 multiplied by the size of the dictionary. I think
> this is big enough to address any attacks that involve pre-computed
> dictionaries, as you have already pointed out.
I concur with Mike. The salt is long enough to effectively thwart any
possibility of a pre-computed dictionary attack.
> The dictionary attack that I have in mind that I would like to make a
> ``bit'' harder is the dedicated attack against one particular file. If
> an attacker just wants to attack the passphrase on that file, then
> without iterated hashing, the difficulty is roughly proportional (in
> aggregate) to half size of the dictionary. If the passphrase is weak,
> then the file will likely be compromised anyway, but at least an
> iterated hash multiplies the amount of work that the dictionary
> attacker needs to do by the number of iterations.
Again I concur with Mike. Iterative hashing is a very common technique,
and is very effective against this type of dictionary attack. If you
hash 1000 times, then an attack that normally could check 1 million
passwords per second would now only be able to check 1000 passwords per
second.
Without iterative hashing, as computers get faster, so would dictionary
attacks, and then people would have to keep using longer and longer
passwords to be as effective. Iterative hashing "levels the playing
field" in a way.
> Keep in mind that, for the current release of eCryptfs, the iterated
> hashing only happens once per mount, not once per file, and so there
> is very little cost to the user, and it has at least some security
Again, I agree with Mike. The cost is extremely small, especially since
the hashing only happens once per mount. As long as we make sure that
on an average computer it takes less than a second, or make it
configurable so the user can keep it as small as they want, then I can't
see anything but good coming from an iterative hash.
Now what would be really cool is if we could auto-configure the number
of iterations so that it always ends up taking 1/10 of a second to
perform a hash. Then it will always hash a reasonable number of times
regardless of your computer speed.
Remeber, a user is not going to notice a 1/10 of a second pause when
they type in their password, but an attacker will definitely notice that
they are only able to guess 10 passwords per second!
Phillip
--
Phillip Hellewell <phillip AT hellewell.homeip.net>
next prev parent reply other threads:[~2006-03-27 0:05 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-03-24 22:25 eCryptfs Design Document Michael Halcrow
2006-03-24 23:12 ` James Morris
2006-03-27 16:17 ` Michael Thompson
2006-03-27 16:52 ` Michael Halcrow
2006-03-24 23:49 ` Andrew Morton
2006-03-25 0:13 ` Michael Halcrow
2006-03-25 0:33 ` Andrew Morton
2006-03-25 7:38 ` Miklos Szeredi
2006-03-27 23:31 ` Michael Halcrow
2006-03-28 16:00 ` Stephen C. Tweedie
2006-03-29 20:14 ` Michael Halcrow
2006-03-25 19:28 ` Phillip Susi
2006-03-25 19:50 ` Michael Halcrow
2006-03-26 17:10 ` Phillip Susi
2006-03-26 18:04 ` Michael Halcrow
2006-03-27 0:05 ` Phillip Hellewell [this message]
2006-03-27 2:53 ` Phillip Susi
2006-03-27 16:10 ` Michael Thompson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060327000522.GA11655@hellewell.homeip.net \
--to=phillip@hellewell.homeip.net \
--cc=akpm@osdl.org \
--cc=daw@cs.ber \
--cc=emilyr@us.ibm.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lkml@halcrow.us \
--cc=mcthomps@us.ibm.com \
--cc=mhalcrow@us.ibm.com \
--cc=psusi@cfl.rr.com \
--cc=toml@us.ibm.com \
--cc=viro@ftp.linux.org.uk \
--cc=yoder1@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).