[Cryptography] encrypting bcrypt hashes

Ron Garret ron at flownet.com
Wed Mar 8 16:26:36 EST 2017


On Mar 8, 2017, at 8:22 AM, Robin Wood <robin at digininja.org> wrote:

> We talked about storage of the encryption key and they basically said that is out of scope, don't worry about it.

Hoo boy.  Then it doesn’t much matter what you tell them because, as Ray Dillinger already pointed out, this is the limiting factor.

> Talking to a friend who knows crypto, he says that the encryption should not have a negative interaction with the bcrypt hash and so adding it will slow down the process of recovering a PIN.

Not if your adversary steals the encryption key along with the hashed PINs.  

> [2] 10 sec per hash works out at just over a day to brute force a 4 digit PIN if I've done my maths right.

That’s about right, but earlier you wrote:

> The encryption is fast enough to not affect login times 

That made it sound like latency matters.  10 seconds is a pretty long time to make a user wait.

rg
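The storage design under discussion, as an added example that is not part of this thread or anyone's posted code: each PIN is run through a slow password hash, the resulting digest is encrypted under a separate key, and verification decrypts before comparing. Two stand-ins are assumed so the block runs on the Python standard library alone: `hashlib.scrypt` in place of bcrypt (its cost factor plays the role of the "10 sec per hash" setting), and an HMAC-SHA256 counter-mode keystream in place of AES, since the thread's argument is about where the key lives, not which cipher is used. The function names (`store_pin`, `verify_pin`, `brute_force_seconds`) and all parameters are mine. The cost model at the end reproduces Ron's point: an attacker who takes the key with the records pays exactly one slow hash per guess, the same as if the hashes were stored unencrypted, while an attacker without the key cannot check a guess offline at all.

```python
import hashlib
import hmac
import os

# Constructed parameters: scrypt stands in for bcrypt so the example runs on
# the standard library alone. Raising SCRYPT_N is what sets the per-guess cost
# (the thread's "10 sec per hash"); it is kept small here so the block runs fast.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
NONCE_LEN = 12


def slow_hash(pin: str, salt: bytes) -> bytes:
    """Deliberately expensive hash of the PIN (bcrypt stand-in, assumption)."""
    return hashlib.scrypt(pin.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (assumption; the
    standard library ships no AES). Any keyed cipher makes the same point."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_hash(key: bytes, digest: bytes) -> bytes:
    """Encrypt the stored digest; a fresh nonce is prefixed to the ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(digest))
    return nonce + bytes(a ^ b for a, b in zip(digest, ks))


def decrypt_hash(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def store_pin(pin: str, key: bytes) -> dict:
    """Record written at enrolment: per-user salt plus the encrypted digest."""
    salt = os.urandom(16)
    return {"salt": salt, "blob": encrypt_hash(key, slow_hash(pin, salt))}


def verify_pin(pin: str, record: dict, key: bytes) -> bool:
    """Login path: decrypt the stored digest, then compare in constant time.
    The key is needed at every login, which is why the thread keeps coming
    back to where that key is stored."""
    expected = decrypt_hash(key, record["blob"])
    return hmac.compare_digest(expected, slow_hash(pin, record["salt"]))


def brute_force_seconds(pin_digits: int, seconds_per_hash: float, key_known: bool):
    """Worst-case offline work for an attacker holding the stored records.
    With the key, each guess costs one slow hash, so the encryption layer adds
    nothing to the work factor. Without the key there is no way to check a
    guess against the ciphertext offline, returned here as None."""
    if not key_known:
        return None
    return 10 ** pin_digits * seconds_per_hash


if __name__ == "__main__":
    key = os.urandom(32)
    rec = store_pin("1234", key)
    print("correct PIN accepted:", verify_pin("1234", rec, key))
    print("wrong PIN rejected:", not verify_pin("1235", rec, key))
    # 4-digit PIN at 10 s per hash: 100000 s, just over a day, matching the thread.
    print("seconds with stolen key:", brute_force_seconds(4, 10, True))
    print("offline work without key:", brute_force_seconds(4, 10, False))
```

The stand-in cipher carries no authentication tag; a real deployment would use an AEAD such as AES-GCM so that a tampered record is rejected rather than decrypted to garbage and then compared.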
