On 04/06/2012 01:44 PM, Justin Erenkrantz wrote:
> On Fri, Apr 6, 2012 at 8:09 AM, Greg Hudson <ghudson_at_mit.edu> wrote:
>> I also want to caution that PBKDF2 does not provide strong protection
>> against offline dictionary attacks. Most cryptographic methods provide
>> exponential protection--I do a little bit more work to make you do twice
>> as much work. PBKDF2 provides only linear protection--I do twice as
>> much work to make you do twice as much work. It does not make
>> dictionary attacks "impossible" in the same sense that AES-128 makes
>> decryption without knowing the key "impossible".
>
> Is it worth looking at scrypt[1] instead of PBKDF2? -- justin
Possibly. It depends on whether you care about things like NIST review
(PBKDF2 is recommended in NIST SP 800-132) versus the theoretical
advantages of a less heavily scrutinized algorithm. That's always a
tough choice.
The fundamental nature of scrypt isn't different from the fundamental
nature of PBKDF2; both seek to add a fixed multiplier to the cost of
both the legitimate user and the attacker. scrypt is designed to make
it more difficult to use massively parallel hardware to mount the
attack, by requiring more memory (if I skimmed the paper correctly).
Received on 2012-04-06 21:35:17 CEST