This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/16522] On sha* password generation, select hash rounds to achieve given computation time based on hash computation speed


https://sourceware.org/bugzilla/show_bug.cgi?id=16522

--- Comment #8 from Rich Felker <bugdal at aerifal dot cx> ---
No, what I'm objecting to is entirely making the behavior of this function
dependent on the cpu speed on which it runs. I consider that bad practice
(non-determinism) and also an invalid assumption (that the cpu the hash is
generated on will have any relation to the cpu it's later verified on). Tuning
this via run time rather than raw cpu speed would be even worse, since an
attacker could artificially load the cpu to increase run time and thereby
control the rounds parameter.

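Added example, not part of the original comment or of glibc: a simplified C model of the objection above, contrasting rounds derived from a timing probe with rounds taken from configuration only. The probe functions, their timings, the 100 ms target and the salt are constructed for illustration; ROUNDS_MIN and ROUNDS_MAX are the limits of the SHA-crypt scheme.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Round limits of the SHA-crypt scheme ($5$/$6$ hashes). */
#define ROUNDS_MIN 1000ULL
#define ROUNDS_MAX 999999999ULL
#define PROBE_ROUNDS 10000ULL

/* Hypothetical timing probe: ns spent on PROBE_ROUNDS hash rounds. */
typedef uint64_t (*probe_fn)(void);

/* Constructed measurements: an idle CPU and the same CPU under 20x load. */
static uint64_t probe_idle(void)   { return 2000000ULL; }
static uint64_t probe_loaded(void) { return 40000000ULL; }

static unsigned long clamp_rounds(uint64_t r) {
    if (r < ROUNDS_MIN) return (unsigned long)ROUNDS_MIN;
    if (r > ROUNDS_MAX) return (unsigned long)ROUNDS_MAX;
    return (unsigned long)r;
}

/* Simplified model of run-time tuning: rounds scale inversely with the
   measured probe time, so whoever controls the load controls the result. */
unsigned long rounds_from_timing(probe_fn probe, uint64_t target_ns) {
    uint64_t elapsed = probe();
    if (elapsed == 0) elapsed = 1;            /* guard against a zero reading */
    return clamp_rounds(target_ns * PROBE_ROUNDS / elapsed);
}

/* Deterministic alternative: rounds come from configuration only. */
unsigned long rounds_from_policy(uint64_t configured) {
    return clamp_rounds(configured);
}

/* Build a "$6$rounds=N$salt" setting; returns 0 on success, -1 if truncated. */
int make_setting(char *buf, size_t len, unsigned long rounds, const char *salt) {
    int n = snprintf(buf, len, "$6$rounds=%lu$%s", rounds, salt);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void) {
    char s[64];
    printf("idle:   %lu\n", rounds_from_timing(probe_idle, 100000000ULL));
    printf("loaded: %lu\n", rounds_from_timing(probe_loaded, 100000000ULL));
    if (make_setting(s, sizeof s, rounds_from_policy(500000), "examplesalt") == 0)
        printf("policy: %s\n", s);
    return 0;
}
```

With the same 100 ms target, the loaded measurement yields one twentieth of the rounds chosen on the idle machine, while the configured value is identical on every run and every host.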

