This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/16522] On sha* password generation, select hash rounds to achieve given computation time based on hash computation speed
- From: "bugdal at aerifal dot cx" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 06 Feb 2014 17:30:45 +0000
- Subject: [Bug libc/16522] On sha* password generation, select hash rounds to achieve given computation time based on hash computation speed
- Auto-submitted: auto-generated
- References: <bug-16522-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=16522
--- Comment #8 from Rich Felker <bugdal at aerifal dot cx> ---
No, what I'm objecting to is entirely making the behavior of this function
dependent on the cpu speed on which it runs. I consider that bad practice
(non-determinism) and also an invalid assumption (that the cpu the hash is
generated on will have any relation to the cpu it's later verified on). Tuning
this via run time rather than raw cpu speed would be even worse, since an
attacker could artificially load the cpu to increase run time and thereby
control the rounds parameter.