XML signature HMAC truncation authentication bypass

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Jul 26 09:24:58 EDT 2009


Jon Callas <jon at callas.org> writes:
>On Jul 17, 2009, at 8:39 PM, Peter Gutmann wrote:
>> PGP Desktop 9 uses as its default an iteration count of four
>> million (!!) for its password hashing, which looks like a DoS to
>> anything that does sanity-checking of input.
>
>That's precisely what it is -- a denial of service to password crackers.

In that case why not use a billion iterations (or at least bytes of output);
that would really slow down attackers.

>In the implementation, we upped the default because of more password
>cracking, but also added a twist in it. We time the number of iterations that
>take 1/10 of a second on the computer you're using, and use that value. The
>goal is to have the iteration count scale as computers get faster without
>having to make software changes.

Where this falls apart completely is when there are asymmetric capabilities
across sender and receiver.  Having an embedded device suspend (near) real-
time processing while it iterates away at something generated on a multicore
3GHz desktop PC isn't really an option in a production environment (the actual
diagnosis was "messages generated by PGP Desktop cause our devices to crash"
because they were triggering a deadman timer that soft-restarted them; it
wasn't until they used an implementation that sanity-checked input values that
they realised what the problem was).

Peter.
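An added example (mine, not code from either poster or from PGP Desktop) contrasting the sender-side "time it to 1/10 s" calibration Jon describes with the receiver-side sanity check on input values Peter argues for. The S2K count decoding follows RFC 4880's one-byte encoding; the PBKDF2 probe, the receiver's time budget and the policy function are my assumptions.

```python
import hashlib
import time
from typing import Optional


def decode_s2k_count(coded: int) -> int:
    """Expand RFC 4880's one-byte iterated-and-salted S2K count into bytes hashed.

    Note the ceiling: a sender cannot encode more than 65,011,712, but a receiver
    must still decide whether even that is affordable for *its* hardware.
    """
    if not 0 <= coded <= 255:
        raise ValueError("S2K count byte out of range")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def measure_rate(probe_iterations: int = 2000) -> float:
    """Return PBKDF2-HMAC-SHA256 iterations per second on this machine.

    Assumption: PBKDF2 stands in for the product's actual password hash; the
    probe inputs are constructed and carry no meaning.
    """
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe-password", b"constructed-salt", probe_iterations)
    elapsed = time.perf_counter() - start
    return probe_iterations / max(elapsed, 1e-9)


def calibrate_iterations(target_seconds: float = 0.1) -> int:
    """Sender side: choose a count that costs about target_seconds *here*.

    This is the behaviour the thread describes; a fast desktop emits a count
    sized for itself, not for whoever has to verify the message later.
    """
    return max(1000, int(measure_rate() * target_seconds))


def check_iteration_count(requested: int, budget_seconds: float,
                          rate: Optional[float] = None) -> int:
    """Receiver side: reject counts this device cannot afford within its budget.

    A real-time device derives max_allowed from its own speed and the time it
    can spend before a watchdog fires, rather than trusting the sender's value.
    """
    rate = measure_rate() if rate is None else rate
    max_allowed = int(rate * budget_seconds)
    if requested > max_allowed:
        raise ValueError(f"iteration count {requested} exceeds local budget {max_allowed}")
    return requested
```

Rejecting (or capping) an oversized count before hashing is what turns "our devices crash" into a clean, loggable error on the receiver.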

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
