Password hashing
Joseph Ashwood
ashwood at msn.com
Sat Oct 13 18:21:28 EDT 2007
----- Original Message -----
From: "Jim Gellman" <jim at gellman.net>
To: "Joseph Ashwood" <ashwood at msn.com>
Cc: "Cryptography" <cryptography at metzdowd.com>
Sent: Saturday, October 13, 2007 1:25 PM
Subject: Re: Password hashing
> I'm not sure I follow your notation. Are you saying that IV[n] is the
> n'th application of the compression function?
No, each application of the HMAC is seperate, this is to incur the
finalization penalty in the computation. if you want it closer to
implementation:
IV = SALT
for(n iterations)
IV = HMAC(key=IV, data=USERID||PASSWORD)
PasswordHash=IV
Why put each field in
> it's own block?
It really is to incur as many necessary performance penalties as possible.
The HMAC keying requires 2 compressions, then the USERID||PASSWORD
formatting can be created to make it consistently 2 more compressions, and a
finalization per round.
More inflation is of course possible, but I don't think it is reasonable,
too much possibility of stretching too far, giving too much leverage for an
attack on the compression function (i.e. the more times you use the
compression function the more likely a shortcut exists, but by resetting the
state such attacks become much less likely).
Joe
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list