[jdev] plaintext passwords hack
Kurt Zeilenga
Kurt.Zeilenga at Isode.com
Thu Dec 17 11:03:09 CST 2009
On Dec 17, 2009, at 7:58 AM, Simon Josefsson wrote:
> Tomasz Sterna <tomek at xiaoka.com> writes:
>
>> Dnia 2009-12-17, czw o godzinie 14:35 +0100, Simon Josefsson pisze:
>>> If you don't store the hashed password for SCRAM, you need to burn CPU
>>> time for every login to derive the SCRAM hash keys. That doesn't scale
>>> well.
>>
>> Why do you say so?
>>
>> It scales well vertically by CPU upgrade, and horizontally by putting
>> more machines/CPUs to handle user connections.
>
> Sure, but caching the hashed values scales better. Remember, we are not
> talking about just one hash call, typically there is 4096 hash
> iterations when deriving the keys from a password in SCRAM.
>
> If you do want to hash the password on every authentication with SCRAM,
> make sure you use the same salt and iteration count every time,
> otherwise clients cannot cache ClientKey&ServerKey (or SaltedPassword)
> which will cause performance problems for mobile devices...
>
> ...unless you use a very low iteration count value (e.g., 1). Is that
> what you are suggesting?
I find it interesting that large iteration counts are more a determent to the intended clients and servers of the system than a sophisticated attacker. That is, where a client and server have quite limited resources, an attacker has to viewed has a massive resources available to their disposal (at very little cost to attacker).
-- Kurt
More information about the JDev
mailing list