Date: Sat, 10 Aug 2013 23:30:14 +0200
From: Katja Malvoni <kmalvoni@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: Parallella: bcrypt

Hi Alexander,

On Sat, Aug 10, 2013 at 2:48 PM, Solar Designer <solar@...nwall.com> wrote:
> Here's further advice on this: use $2a$00 hashes - that is, with only
> one iteration of the (otherwise) most costly loop. These are not
> exactly valid bcrypt hashes (the original implementation imposes a
> minimum of 04 for the cost setting), yet you may use them for quicker
> testing, as well as to stress-test the host-Epiphany communication.
>

I did that and I can't make it fail...

I used http://git.musl-libc.org/cgit/musl/plain/src/crypt/crypt_blowfish.c to generate $2a$00 hashes (removed self test and commented out "if (setting != '$' || ... || setting != '$') return NULL;" in BF_crypt()). I generated 5 million random strings, read one by one and called BF_crypt() with setting "$2a$00$XXXXXXXXXXXXXXXXXXXXXO". Then wrote string and hash in new file. I used that file to compute and check hashes on Parallella.

I modified parallella_bf_fmt.c (added main, removed get_hash, get_binary and cmp functions, removed valid function) and used same Epiphany code as in JtR. In main, file that contains strings and hashes is read line by line. 64 lines are read (32 keys and 32 hashes), keys are set and crypt_all is called. After that, BF_decode() is used on 32 correct hashes (generated using crypt_blowfish.c) so that correct hashes can be compared with hashes computed by Epiphany. Only one salt is used for all hashes and first 64 bits are checked as in JtR.

I also tried keys longer than 72, it didn't fail. And I tried with 800000 hashes and other shorter tests, it passed all of them.

Except those, I also did tests using $2a$04$ hashes generated with http://pythonhosted.org/passlib/lib/passlib.hash.bcrypt.html. Most of tests were short, longest one had 80000 hashes. In this case all salts were different and same hash was computed on every Epiphany core to check whether all cores return same result.

Since it hasn't failed yet, I guess I'm not testing it like I should.

Katja
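
The comparison step described in the message above (decode the reference hash, then check the first 64 bits against the device result), as an added example that is not code from the post, JtR or crypt_blowfish.c. The function names bcrypt_first64 and match_first64 are hypothetical, and the 60-character "$2a$NN$" layout with 22 salt and 31 hash characters is assumed.

```c
#include <string.h>

/* bcrypt's base64 alphabet (ordering differs from RFC 4648). */
static const char B64[] =
    "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

static int b64val(char c)
{
    const char *p = c ? strchr(B64, c) : NULL;
    return p ? (int)(p - B64) : -1;
}

/* Decode the first 64 bits of the hash field of a 60-char "$2a$NN$..." string.
 * Returns 0 on success, -1 if the string is malformed. */
int bcrypt_first64(const char *s, int *cost, unsigned char out[8])
{
    int v[12] = {0}, i;

    if (strlen(s) != 60 || strncmp(s, "$2a$", 4) || s[6] != '$' ||
        s[4] < '0' || s[4] > '9' || s[5] < '0' || s[5] > '9')
        return -1;
    *cost = (s[4] - '0') * 10 + (s[5] - '0'); /* 00 allowed: test hashes */
    for (i = 7; i < 60; i++)                  /* 22 salt + 31 hash chars */
        if (b64val(s[i]) < 0)
            return -1;
    for (i = 0; i < 11; i++)                  /* 11 chars cover 64 bits */
        v[i] = b64val(s[29 + i]);
    for (i = 0; i < 8; i++) {                 /* 4 chars -> 3 bytes */
        const int *g = v + 4 * (i / 3);
        int k = i % 3;
        out[i] = (unsigned char)(k == 0 ? (g[0] << 2 | g[1] >> 4) :
                                 k == 1 ? ((g[1] & 15) << 4 | g[2] >> 2) :
                                          ((g[2] & 3) << 6 | g[3]));
    }
    return 0;
}

/* 1 if the reference string and a device result agree on the first 64 bits. */
int match_first64(const char *ref, const unsigned char dev[8])
{
    unsigned char want[8];
    int cost;
    return bcrypt_first64(ref, &cost, want) == 0 && !memcmp(want, dev, 8);
}
```

Because only 64 bits are compared, a device result that is wrong only in later bytes of the hash still passes this check.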