At that time, the threat was custom ASIC with very low gate counts.
BCRYPT HASH PC
Even with the same PC as the honest system, an attacker can use bitslicing to try several passwords in parallel and get a boost out of it, because the attacker has several passwords to try, while the honest system has only one at a time. Which shows that the hardware and the way it can be used is important.
BCRYPT HASH PASSWORD
While bitslicing won't help anyone log in faster, it offers a staggering speedup to brute force password searches.
BCRYPT HASH SOFTWARE
Unfortunately, Biham later discovered a software technique known as bitslicing that eliminates the cost of bit transpositions in computing many simultaneous DES encryptions. They discounted hardware attacks, in part because crypt cannot be calculated with stock DES hardware. They based crypt on DES, a particularly inefficient algorithm to implement in software because of many bit transpositions. The designers of crypt failed to do this. That means one should make any password function as efficient as possible for the setting in which it will operate. They note in their article the following: The designers of bcrypt were quite aware of the issue, which is why they designed bcrypt out of the block cipher Blowfish and not a SHA-* function. Thus, the boost that an attacker can get from using GPU is quite reduced, compared to what the attacker gets with PBKDF2 or similar designs. This is very fast on a PC, much less so on a GPU, where memory is shared and all cores compete for control of the internal memory bus. Hence, an attacker with 500$ worth of GPU will be able to "try" many more passwords per hour than what he could do with 500$ worth of PC (the ratio depends on the type of GPU, but a 10x or 20x ratio would be typical).īcrypt happens to heavily rely on accesses to a table which is constantly altered throughout the algorithm execution. SHA-256, for instance, can be very efficiently implemented on a GPU, since it uses only 32-bit logic and arithmetic operations that GPU are very good at. In particular, an industrious attacker may want to use a GPU or a FPGA. What we want to avoid is that an attacker might use some non-PC hardware which would allow him to suffer less than us from the extra work implied by bcrypt or PBKDF2. We then adjust N so as not to exceed our resources (foremost of which being the user's patience, which is really limited). "a PC") which are also available to the attacker, the best that we can hope for is to make password hashing N times slower for both the attacker and for us. Since "honest systems" tend to use off-the-shelf generic hardware (i.e. To be precise, we want the password hashing function to be as slow as possible for the attacker while not being intolerably slow for the honest systems. Bcrypt is a password hashing function which aims at being slow. If you look at the situation in details, you can actually see some points where bcrypt is better than, say, PBKDF2. Why bcrypt is somewhat better than PBKDF2 Bcrypt has the best kind of repute that can be achieved for a cryptographic algorithm: it has been around for quite some time, used quite widely, "attracted attention", and yet remains unbroken to date.
0 kommentar(er)
