On 04/23/2015 07:13 AM, Werner Koch wrote:
On Thu, 23 Apr 2015 02:46, coruus(_at_)gmail(_dot_)com said:
S2K with MD hashes is a horrible KDF. It is very very much worse than
PBKDF2.
Care to explain?
S2K is somehow lagging behind in considerations to prevent efficient
bruteforce :
-- Mode 0 allows to exploit time-to-memory tradeoffs (e.g. rainbow
tables) to break large amounts of passwords
-- Mode 1 adds salt, but still employs a single run of a hash function,
which is designed to be efficient, to derive the password. This allows
efficient bruteforce with just computational resources
-- Mode 3 has a maximum working factor of 255 (one octet to specify
iterations), which is both growing thin (current hash working factor are
around 1k-3k to cope with increased computational power and parallelism)
PBKDF2 is salted, and has a tunable working factor, although only
exploits computational and not memory needs to prevent efficient bruteforce.
Scrypt adds to a tunable working factor, the requirement for a tunable
amount of memory to compute the KDF.
Tuning the memory to be high enough you can hinder the bruteforce on
highly parallel architectures, as it is harder to obtain fast and large
memories than a large amount of parallel processors.
Cheers
Alessandro
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp