apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch ...@sfritsch.de>
Subject Choosing a stronger password hash algorithm
Date Sat, 23 Jun 2012 20:42:42 GMT
On Thursday 21 June 2012, Ben Laurie wrote:
> Then the question is: what scheme? Here are some design criteria I
> think would be useful.
> 1. Use something from the SHA-2 family - SHA-512 would seem fine to
> me.

The sha message digests are designed to be fast and to be easily 
implemented in hardware. In general, the speed-up when going from 
general purpose CPU implementations to parallel implementations using 
GPU or specialized hardware seems to be relatively high. Therefore I 
think what is generally used as sha256_crypt or sha512_crypt is not 
the optimal choice. [1] has some thoughts about choosing a password 
hashing algorithm. 

> 2. Use a very large salt - disk space is not at a premium for
> password stores!

Agreed. 64bit should be absolute minimum, more would be better.

> 3. Use quite a lot of rounds,.

The number should be configurable so that we can adjust the cost 
without breaking backward compatibility.

> 4. Use something that is hard to optimise in hardware (ideally).

bcrypt [1] and scrypt [2] seem to be much more difficult to port to 
hardware or GPUs than sha256/512_crypt [3-5]. We can't make the 
operation too expensive on normal CPUs or we create a DoS problem if 
someone does lots of requests with wrong passwords. Therefore I think 
choosing an algorithm that does not scale well on more specialized 
hardware is good.

Both bcrypt and scrypt can be adjusted in how much CPU time to use. 
scrypt can also be adjusted in how much RAM it uses. bcrypt uses a 
128bit salt, AFAICS scrypt can use arbitrary salt lengths.

Bcrypt has seen a lot more review than scrypt, therefore I am somewhat 
in favor of bcrypt. Crypt_blowfish [6] is an implementation with a 
very liberal license that we could use. Scrypt has a 2-clause BSD 
license which would also be OK.



[1] http://static.usenix.org/event/usenix99/provos.html
[2] http://www.tarsnap.com/scrypt.html
[3] http://stackoverflow.com/a/6807375
[4] http://www.openwall.com/lists/john-dev/2012/05/14/1
[5] http://www.openwall.com/lists/john-dev/2012/05/14/4
[6] http://www.openwall.com/crypt/

View raw message