XML signature HMAC truncation authentication bypass
Jon Callas
jon at callas.org
Mon Jul 20 20:15:25 EDT 2009
On Jul 17, 2009, at 8:39 PM, Peter Gutmann wrote:
> PGP Desktop 9 uses as its default an iteration count of four
> million (!!) for its password hashing, which looks like a DoS to
> anything that does sanity-checking of input.
That's precisely what it is -- a denial of service to password crackers.
There are a couple of things I'll add, one in the OpenPGP standard,
and one in that implementation.
In the standard, the iteration count is not a count of hash iterations
as in (e.g.) PKCS#5, but a length of output. So four million is four
million bytes of output. For SHA-1, that's a count of 200,000, and for
SHA-256 125,000 iterations. While this is a bit eccentric, it allows
you to use any size hash and any block size cipher. Even more
eccentric is the way it's encoded, as an 8-bit floating point value.
In the implementation, we upped the default because of more password
cracking, but also added a twist in it. We time how many
iterations take 1/10 of a second on the computer you're using, and use
that value. The goal is to have the iteration count scale as computers
get faster without having to make software changes.
The downsides of this are left as an exercise for the reader (as are
the obvious workarounds).
Jon
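The two mechanisms described in the message above, the one-octet "floating point" encoding of the OpenPGP iterated S2K count (RFC 4880 section 3.7.1.3, where the count is a number of bytes fed to the hash, not a number of hash invocations) and a calibration that picks the count from a 1/10 second timing, as an added example. This is illustrative code written for this page, not PGP Desktop's or any OpenPGP library's implementation; the function names are hypothetical, and the S2K routine is simplified to a single hash context (one digest of output), which is enough to show the byte-count arithmetic without the multi-context key stretching the RFC uses for keys longer than the digest.

```python
import hashlib
import time

# RFC 4880 3.7.1.3: the iterated S2K count octet c decodes to
#   count = (16 + (c & 15)) << ((c >> 4) + 6)
# i.e. a 4-bit mantissa and a 4-bit exponent, giving 1024 .. 65,011,712 bytes.
def decode_s2k_count(octet: int) -> int:
    if not 0 <= octet <= 255:
        raise ValueError("count octet must fit in one byte")
    return (16 + (octet & 15)) << ((octet >> 4) + 6)


def encode_s2k_count(byte_count: int) -> int:
    """Smallest octet whose decoded count is >= byte_count (capped at 0xFF).

    The decoded value is monotonic in the octet, so a linear scan is enough.
    """
    for octet in range(256):
        if decode_s2k_count(octet) >= byte_count:
            return octet
    return 0xFF


def equivalent_hash_iterations(byte_count: int, hash_name: str) -> int:
    """The 'count of hash iterations' the message derives from a byte count,
    i.e. bytes of output divided by the digest size of the chosen hash."""
    return byte_count // hashlib.new(hash_name).digest_size


def s2k_chunks(data: bytes, count: int):
    """Yield (salt || passphrase) repeatedly until exactly `count` bytes
    have been produced; the RFC hashes the whole of `data` at least once."""
    count = max(count, len(data))
    full, rem = divmod(count, len(data))
    for _ in range(full):
        yield data
    if rem:
        yield data[:rem]


def iterated_salted_s2k(passphrase: bytes, salt: bytes, count_octet: int,
                        hash_name: str = "sha1") -> bytes:
    """Single-context iterated+salted S2K (simplified: key = one digest)."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    h = hashlib.new(hash_name)
    for chunk in s2k_chunks(salt + passphrase, decode_s2k_count(count_octet)):
        h.update(chunk)
    return h.digest()


def calibrate_count_octet(passphrase: bytes, salt: bytes,
                          target_seconds: float = 0.1,
                          hash_name: str = "sha1") -> int:
    """Pick the count octet such that S2K takes about `target_seconds` here.

    Times one modest probe run, extrapolates to the target, then rounds up
    to the nearest encodable count.  The result depends on the machine
    doing the calibration: a slower machine picks a smaller count.
    """
    probe_octet = 0x60  # 65,536 bytes: quick, but long enough to time
    start = time.perf_counter()
    iterated_salted_s2k(passphrase, salt, probe_octet, hash_name)
    elapsed = max(time.perf_counter() - start, 1e-9)
    bytes_per_second = decode_s2k_count(probe_octet) / elapsed
    return encode_s2k_count(int(bytes_per_second * target_seconds))


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from any real keyring.
    pw, salt = b"correct horse battery staple", bytes(range(8))
    octet = encode_s2k_count(4_000_000)
    print(f"4,000,000 bytes encodes as 0x{octet:02X} -> {decode_s2k_count(octet):,} bytes")
    for name in ("sha1", "sha256"):
        print(f"{name}: {equivalent_hash_iterations(4_000_000, name):,} hash iterations")
    print("calibrated octet:", hex(calibrate_count_octet(pw, salt)))
```

Note that four million is not itself representable: the 4-bit mantissa forces the encoder up to 4,063,232 bytes (octet 0xBF), which is the kind of quantisation any sanity check on the decoded count has to tolerate. The calibration is only as good as the host it runs on, and the octet it writes must still be decoded and honoured by whatever later reads the packet, which is where the downsides the message alludes to come from.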
---------------------------------------------------------------------
The Cryptography Mailing List