Jon Callas wrote:
> My opinion is that bcrypt is a fine replacement for crypt, but either PBKDF2
> or the OpenPGP generator are in my opinion at least as good. They all date
> from about the same period. I also argue that you're better off starting with
> a hash function than whacking Blowfish into a one-way function. Really, I
> trust the security of SHA2 a lot more than I trust EksBlowfish.
> I estimated bcrypt as being a couple bits stronger against hardware attack than
> PBKDF2, largely due to the large look-up tables Blowfish uses, but I don't think
> that's enough to justify using something non-standard. Also, bcrypt only uses
> 55 bytes of passphrase, which could be a problem for passphrases with very low
> entropy per character.
> I also think that scrypt is going in the wrong direction. Yeah, sure, it's
> chewing up memory as well as CPU time, but that's not a feature, it's a bug.
> It means you have to be careful deploying it in a limited environment and
> that includes virtual machines. It's gilding the lily.
If you're concerned about attackers armed with custom hardware, chewing up RAM
is definitely a feature. Note that it is quite simple to compute scrypt using
less RAM subject to [RAM size] * [CPU time] remaining constant. (My published
library code doesn't do this, but if someone is interested I'd be happy to write
the necessary bits.)
If you don't think you're ever going to want to keep secrets from governments,
sure, PBKDF2 is fine.
> To see how well the existing system does, go to:
> http://news.electricalchemy.net/2009/10/cracking-passwords-in-cloud.html
> http://news.electricalchemy.net/2009/10/password-cracking-in-cloud-part-5.html
> and read them.
> The summary is that they set out to crack a PGP Zip file (which is nothing
> more than a .tar.pgp file) with Amazon EC2 and the CPU cost for brute-forcing
> a 12-character, lowercase-only password is $1.5 million.
Sure, but the security of a cryptosystem is determined by the *cheapest* attack
against it, not the *most expensive* attack against it. Cloud computing is not
the cheapest way of attacking a KDF.
--
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
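The time/memory trade-off mentioned above ("compute scrypt using less RAM subject to [RAM size] * [CPU time] remaining constant") is easiest to see in a reduced model of scrypt's core loop, ROMix. The block below is an added illustration, not code from this thread or from the scrypt library: it replaces scrypt's BlockMix/Salsa20/8 with plain SHA-256 (a simplification, not the real mixing function), builds the table V of N values, then performs N data-dependent lookups into it. A `store_every` knob keeps only every k-th table entry and recomputes the rest on demand; the output stays identical while stored entries shrink by k and the hash-call count grows, which is exactly why a memory-hard KDF forces custom hardware to pay in either RAM or time. Names (`romix`, `store_every`, `integerify`) and the sample input are constructed for this example.

```python
import hashlib
import math

def H(x: bytes) -> bytes:
    # Stand-in for scrypt's BlockMix; SHA-256 is used here only to keep the model small.
    return hashlib.sha256(x).digest()

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def integerify(x: bytes, n: int) -> int:
    # scrypt derives the table index from the current block; little-endian of the first 8 bytes mod N.
    return int.from_bytes(x[:8], "little") % n

def romix(x: bytes, n: int, store_every: int = 1):
    """Simplified ROMix with a time/memory trade-off knob.

    Returns (output, stored_entries, hash_calls).  store_every=1 is the
    normal full-memory computation; store_every=k keeps only V[0], V[k], V[2k], ...
    and regenerates the missing entries by re-hashing from the nearest checkpoint.
    """
    if n <= 0 or store_every <= 0:
        raise ValueError("n and store_every must be positive")
    checkpoints = {}
    hash_calls = 0
    cur = H(x)
    hash_calls += 1

    # Phase 1: V[i] = H^i(X).  Only every store_every-th entry is kept.
    for i in range(n):
        if i % store_every == 0:
            checkpoints[i] = cur
        cur = H(cur)
        hash_calls += 1

    # Phase 2: N sequential, data-dependent reads of V.  Each read is
    # reconstructed from the preceding checkpoint, costing (j - base) extra hashes.
    for _ in range(n):
        j = integerify(cur, n)
        base = j - (j % store_every)
        vj = checkpoints[base]
        for _ in range(j - base):
            vj = H(vj)
            hash_calls += 1
        cur = H(xor_bytes(cur, vj))
        hash_calls += 1

    return cur, len(checkpoints), hash_calls

def tradeoff_table(x: bytes, n: int, factors):
    """Show that output is unchanged while memory falls and hash work rises."""
    rows = []
    for k in factors:
        out, mem, calls = romix(x, n, k)
        rows.append((k, mem, calls, out.hex()[:16]))
    return rows

if __name__ == "__main__":
    sample = b"constructed sample input, not a real password"  # constructed
    for k, mem, calls, prefix in tradeoff_table(sample, 1024, [1, 2, 4, 8, 16]):
        print(f"store_every={k:3d}  stored={mem:5d}  hash_calls={calls:6d}  out={prefix}...")
```

Running the script prints one row per trade-off factor: the output prefix is the same on every row, the stored-entry count is N/k, and the hash-call count climbs roughly in proportion to k, so the product of memory and work stays in the same ballpark. Real scrypt adds the outer PBKDF2 wrapping and a large block size r, but the same relation holds, which is the point made in the reply above: an attacker with little RAM per core is not blocked, only forced to spend the equivalent in compute.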