[cryptography] PBKDF2 + current GPU or ASIC farms = game over for passwords (Re: TLS2)

Adam Back adam at cypherspace.org
Mon Sep 30 15:22:42 EDT 2013


On Mon, Sep 30, 2013 at 07:41:20PM +0100, Wasa wrote:
>>The only attack is on the PBKDF2 stored on the server (or malware to grab
>>the password on the client)
>
>right. I was think SRP/JPAKE where the server does not store 
>PBKDF2(salt,pwd) server-side, but rather it stores something like 
>g^{PBKDF2(pwd)}. If I break into server and get hold of all 
>g^{PBKDF2(pwd_i)}, can I parallelize the DL part?

Well ok, this IRTF draft I was coincidentally just reading claims to be
marginally more efficient than SRP

https://datatracker.ietf.org/doc/draft-irtf-cfrg-augpake/?include_text=1

and has a verifier of that form.

You could parallelize it somewhat at a micro level but I dont think you need
to because you can just try lots of passwords in parallel against the same
verifier.

>Because I think one of the claims of SRP and JPAKE is not only to be 
>resistant to passive/active sniffing followed by offline brute-force, 
>but also to be more resistant against server compromise.

No I do not think that is true.  And I noticed the IRTF draft above's
security comments section confirms, it explicitly states that all it can
offer in the event of server compromise is that the attacker has to brute
force the PBKDF (aka function H in their terminology).  (Actually that is
why I bothered to read the draft because of their title/abstract I wondered
if they had claimed to do better against server compromise and if so how as
that is beyond the state of the art AFAIK; turns out they are the same as
SRP etc).

>Idea?
>
>If it turns out to be difficult to parallelize the brute-force, why 
>not move towards this? It would be an incremental improvement more 
>likely to be widely-accepted than brand-new schemes. JPAKE is a bit 
>slow I presume (given the number of required rounds), SRP is not and 
>the patent expires soon (if memory serves).

I think SRP is not patented, and in fact is designed to be free from
reliance on any pre-existing patent details.  There were some EKE patents 
but coincidentally the AKE version just expired last month.  Nice timing.

Adam


More information about the cryptography mailing list