[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Security

To: Sam Hartman <hartmans-ietf@xxxxxxx>, Frank Ellermann <hmdmhdfmhdjmzdtjmzdtzktdkztdjz@xxxxxxxxx>
Subject: RE: Security
From: Paul Leach <paulle@xxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 13 Aug 2008 11:39:51 -0700
Accept-language: en-US
Acceptlanguage: en-US
Cc: "ietf-sasl@xxxxxxx" <ietf-sasl@xxxxxxx>
In-reply-to: <tsl7iakhk9v.fsf@xxxxxxx>
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
References: <ldvlki6dqqu.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxx> <45F856F1.2B56@xxxxxxxxxxxxxxxxx> <19A01BBB-9BF4-4D49-8B2A-AA911B93EF7C@xxxxxxxxx> <87y732a7dc.fsf@xxxxxxxxxxxxxxxxxxx> <57EA1E30-54A9-4E13-98CC-944EE79AC633@xxxxxxxxx> <87proe6sxm.fsf@xxxxxxxxxxxxxxxxxxx> <tslej4thudg.fsf@xxxxxxx> <g7v27j$8ti$1@xxxxxxxxxxxxx> <tsl7iakhk9v.fsf@xxxxxxx>
Sender: owner-ietf-sasl@xxxxxxxxxxxx
Thread-index: Acj9cLM0cq+ZPA0CS/aJvHNJRpLVLAAAqinQ
Thread-topic: Security

Again I agree with Sam. String-to-key functions that allow attackers to make 10s of millions of password guesses per second on a single PC are definitely not where the world is at today.
Use of iterated hashes to make computation of the key from the password take a few hundred milliseconds really makes a difference -- that's what PBKDF2 does.

-----Original Message-----
From: owner-ietf-sasl@xxxxxxxxxxxx [mailto:owner-ietf-sasl@xxxxxxxxxxxx] On Behalf Of Sam Hartman
Sent: Wednesday, August 13, 2008 10:56 AM
To: Frank Ellermann
Cc: ietf-sasl@xxxxxxx
Subject: Re: Security

My problem is not with HMAC, but with the lack of PBKDF2.  Note that I
am acting on my proposals by contributing to scram.

Follow-Ups:
- Re: Security
  - From: Frank Ellermann

References:
- WG Last Call: draft-ietf-sasl-crammd5-08.txt
  - From: Tom Yu
- Security (was: WG Last Call: draft-ietf-sasl-crammd5-08.txt)
  - From: Frank Ellermann
- Re: Security (was: WG Last Call: draft-ietf-sasl-crammd5-08.txt)
  - From: Kurt Zeilenga
- Re: Security
  - From: Simon Josefsson
- Re: Security
  - From: Kurt Zeilenga
- Re: Security
  - From: Simon Josefsson
- Re: Security
  - From: Sam Hartman
- Re: Security
  - From: Frank Ellermann
- Re: Security
  - From: Sam Hartman

Prev by Date: Re: Security
Next by Date: Re: Security
Previous by thread: Re: Security
Next by thread: Re: Security
Index(es):
- Date
- Thread