Re: [TLS] Last Call: draft-hoffman-tls-additional-random-ext

2010-04-26 12:50:44
Marsh Ray wrote:

On 4/23/2010 12:12 PM, Nicolas Williams wrote:

Irrelevant: if the random octets being sent don't add entropy (because
they are sent in cleartext) then this extension is completely orthogonal
to PRNG failures.

Even though they are sent in-the-clear, the random data do serve the
same useful purpose as the existing [cs]_random data.

(Mathematicians and professional cryptographers should probably avert
their eyes from the fast-and-loose reasoning which follows.)

Because they are unpredictable they make offline precomputation harder.
I think of it as adding entropy into offline computation, without adding
any to the online computation.


This data does add the exact same work factor to the rightful user
as it adds to each of the attacker's brute-force attempts.

When you look at the two things that are done to raise the
work factor on password based encryption: random salts and
iteration count, then this data is equivalent to the
random salt.

The advantage of the random salt over the iteration count is
that it thwarts the creation of "rainbow tables", i.e. attacks
aided by precomputed data.  The disadvantage is that it requires
persisting or exchanging more data (the random salt).


-Martin
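
The salt analogy in the message above, as an added example that is not part of the original thread: a cleartext salt leaves the per-guess cost unchanged for user and attacker alike, but it invalidates a table computed ahead of time. PBKDF2-HMAC-SHA256, the guess list, the salt value and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac

# Constructed sample data: a tiny guess list standing in for an attacker's dictionary.
DICTIONARY = ["letmein", "password", "hunter2", "correct horse"]
ITERATIONS = 1000  # iteration count: multiplies the cost of every derive() call


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One key derivation; costs the same for the rightful user and for each guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def precompute(salt: bytes) -> dict:
    """Offline table of derived key -> guess. It is only valid for this one salt."""
    return {derive(guess, salt): guess for guess in DICTIONARY}


def brute_force(target: bytes, salt: bytes):
    """Per-target attack with the cleartext salt known: (guess, derive calls)."""
    for calls, guess in enumerate(DICTIONARY, start=1):
        if hmac.compare_digest(derive(guess, salt), target):
            return guess, calls
    return None, len(DICTIONARY)


def demo() -> dict:
    # Table built once, before any target is seen (empty salt = unsalted scheme).
    table = precompute(b"")
    unsalted_target = derive("hunter2", b"")

    # Random salt, stored or sent in the clear. Fixed here so the run is reproducible.
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    salted_target = derive("hunter2", salt)

    return {
        # Unsalted: the old table answers with a dictionary lookup, no new work.
        "unsalted_table_hit": table.get(unsalted_target),
        # Salted: the same table is useless even though the salt is public.
        "salted_table_hit": table.get(salted_target),
        # The attacker must redo the derivations for this salt, one per guess.
        "salted_brute_force": brute_force(salted_target, salt),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
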