[cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?

Jeffrey Goldberg jeffrey at goldmark.org
Fri Mar 13 14:29:58 EDT 2015


On Mar 13, 2015, at 8:43 AM, Solar Designer <solar at openwall.com> wrote:

> On Thu, Mar 12, 2015 at 10:57:47AM -0600, Jeffrey Goldberg wrote:
>> 2. Use SHA-512 in PBKDF2
>> 
>> This will make PBKDF2 resistant to GPU based cracking efforts.
>> Note that this is resistance to attacks using current, off-the-shelf, 
>> hardware. It is only a short term solution.
> 
> I think this wording is too strong.  While I did and I continue to
> advocate SHA-512 over SHA-256 for this reason (when someone insists on
> PBKDF2 or the like anyway), the gap with recent attack implementations
> is narrower than it used to be.

Ah, so the term of this “short term solution” is already expiring.

> For sha512crypt vs. sha256crypt, it's
> down to ~2x:
> 
> https://hashcat.net/misc/p130_img/changes_v130.png

Interesting. Thank you for that, Solar.

> And scrypt even at fairly low settings is likely somewhat stronger (or
> rather not-as-weak) against GPU attacks than PBKDF2-HMAC-SHA-512 at
> comparable low running time.  Not at settings as low as Litecoin's 128 KB
> with r=1, but at settings like 2 MB with r=8, which is affordable in
> JavaScript.

OK. So I guess we return to the original question, does anyone know of
an scrypt implementation in JavaScript?

> BTW, given the wide availability of scrypt altcoin ASICs, some of which
> can handle higher N (this is known) but likely not higher r (this is a
> plausible guess, given the incentive model for those ASICs), and given
> the effect r has on scrypt speeds on GPU, I recommend that scrypt
> paper's recommended r=8 (rather than altcoins' typical r=1) be used.
> That's even when the original reason for using r=8 (reducing the
> frequency and thus performance impact of TLB misses, and allowing for
> some prefetching) does not apply, like it mostly does not with
> JavaScript.

Thanks!

> (Of course, someone may produce more capable scrypt ASICs.)


Indeed. As I said, in this race the attacker has more to gain from Moore’s
Law than the defender.

Cheers,

-j
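
The two scrypt settings contrasted in the message above (128 KB with r=1, 2 MB with r=8), as an added example that is not part of the original post. It assumes Node.js and its built-in `crypto.scryptSync`, takes scrypt's main memory cost as 128 * N * r bytes, and reads KB/MB as KiB/MiB; the function names, password and salt are constructed for illustration.

```javascript
// Added example, not code from the thread. Assumes Node.js (built-in scrypt).
const nodeCrypto = require('crypto');

// scrypt's working array V holds N blocks of 128 * r bytes.
function scryptMemoryBytes(N, r) {
  return 128 * N * r;
}

// Largest power-of-two N whose V array fits the memory budget for a given r.
function costForMemory(memoryBytes, r) {
  const maxN = Math.floor(memoryBytes / (128 * r));
  if (maxN < 2) throw new RangeError('memory budget too small for this r');
  let N = 2;
  while (N * 2 <= maxN) N *= 2;
  return N;
}

function deriveKey(password, salt, { N, r, p = 1, dkLen = 32 }) {
  if (!Number.isInteger(N) || N < 2 || (N & (N - 1)) !== 0) {
    throw new RangeError('N must be a power of two greater than 1');
  }
  // Node rejects the call if the working set exceeds maxmem (32 MiB by
  // default), so size it from the parameters with headroom for the p blocks.
  const maxmem = 2 * scryptMemoryBytes(N, r) + 128 * r * p;
  return nodeCrypto.scryptSync(password, salt, dkLen, { N, r, p, maxmem });
}

// The two settings contrasted in the thread, reading KB/MB as KiB/MiB.
const settings = {
  litecoin: { N: costForMemory(128 * 1024, 1), r: 1 },         // N = 1024
  recommended: { N: costForMemory(2 * 1024 * 1024, 8), r: 8 }, // N = 2048
};

// Constructed sample input, for illustration only.
const samplePassword = 'correct horse battery staple';
const sampleSalt = Buffer.from('00112233445566778899aabbccddeeff', 'hex');

for (const [name, params] of Object.entries(settings)) {
  const start = process.hrtime.bigint();
  const key = deriveKey(samplePassword, sampleSalt, params);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  const kib = scryptMemoryBytes(params.N, params.r) / 1024;
  console.log(`${name}: N=${params.N} r=${params.r} mem=${kib} KiB ` +
              `time=${ms.toFixed(1)} ms key=${key.toString('hex').slice(0, 16)}...`);
}
```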

