Date: Tue, 21 Aug 2012 16:15:23 +0200
From: Patrick Mylund Nielsen <cryptography@...rickmylund.com>
To: john-users@...ts.openwall.com
Subject: Re: Arstechnica Password article (feat. Matt Weir)

That article, IMO, wrongly implies that SRP is somehow inferior to key
derivation functions, when in fact they serve two different purposes:
protection against network eavesdropping vs. resistance to offline attacks
on the verifiers/digests. There is no reason why Blizzard can't use a KDF
client-side with a proof like SRP for even better security.

On Tue, Aug 21, 2012 at 4:11 PM, Solar Designer <solar@...nwall.com> wrote:
> On Tue, Aug 21, 2012 at 09:36:16AM -0400, Rich Rumble wrote:
> > http://arstechnica.com/security/2012/08/passwords-under-assault/
> > Good article, no mention of JtR :( or its incremental and other
> > modes, rather focus on GPU cracking using HashCat mostly; some other
> > tools mentioned as well. Also I had no idea we were actually going to
> > be up against the Erebus system (http://ob-security.info/?p=546) in the
> > contest, but I guess I should have known :)
> > While I wish JtR and all its abilities (GPU included), the article is
> > accurate as far as I can tell.
>
> There are some minor inaccuracies.
>
> Anyhow, if you post these, here's another recent article by Dan:
>
> http://arstechnica.com/security/2012/08/hacked-blizzard-passwords-not-hard-to-crack/
>
> which actually includes references to JtR in the SRP cracking context.
>
> For those not on john-dev: JimF has since actually implemented
> Blizzard's SRP cracking in JtR - and we're getting speeds up to about
> 400k c/s per CPU chip - but we have yet to see any of the presumably
> leaked SRP verifiers, so we don't know if the code would work on them
> as-is or would need some additional tweaking. On FX-8120:
>
> Benchmarking: WoW (Battlenet) SRP sha1 [32/64 GMP-exp]... (8xOMP) DONE
> Raw: 395264 c/s real, 49408 c/s virtual
>
> Alexander
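The two purposes the message separates (SRP's zero-knowledge-style proof on the wire versus a KDF's per-guess cost against a leaked verifier) can be shown in one small protocol run. The following is an added example, not code from this thread, from Blizzard, or from JtR: a minimal SRP-6a enrolment and authentication where the client-side secret x is derived either from a bare hash or from a memory-hard KDF before it ever reaches the group operation. The group is a toy 64-bit safe prime found at runtime (a constructed parameter; real deployments use standard groups such as those in RFC 5054), the hash framing, KDF parameters and function names are all assumptions of this example, and `guess_cost_check` shows the work an offline attacker must repeat per candidate against a leaked (salt, v) pair, which is exactly the cost the KDF raises.

```python
"""Client-side KDF in front of an SRP-6a verifier: an added example, not code
from this thread, Blizzard, or JtR. Standard library only."""
import hashlib
import secrets

# ---- Constructed group parameters ------------------------------------------
# A toy-sized (64-bit) safe prime is found at runtime so the example needs no
# large constant; a real deployment uses a standard group (e.g. RFC 5054).

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for every n < 2**64."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(bits: int = 64) -> int:
    """Return p = 2q + 1 with p and q prime and 2 a generator mod p."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p) and pow(2, q, p) == p - 1:
            return p

def H(*parts: bytes) -> int:
    """SHA-256 over length-prefixed parts, returned as an integer."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")

def i2b(n: int) -> bytes:
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def stretch(password: bytes, salt: bytes, client_kdf: bool) -> bytes:
    """The client-side step the thread argues about: a bare hash (cheap per
    guess) versus a memory-hard KDF (expensive per guess). The KDF parameters
    are illustrative assumptions, not anyone's production settings."""
    if not client_kdf:
        return hashlib.sha256(password).digest()
    if hasattr(hashlib, "scrypt"):          # present on OpenSSL 1.1+ builds
        return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000, 32)

def private_x(N: int, salt: bytes, password: bytes, client_kdf: bool) -> int:
    return H(salt, stretch(password, salt, client_kdf)) % N

def make_verifier(N, g, salt, password, client_kdf=True) -> int:
    """Enrolment: the server stores (salt, v); the password never leaves the client."""
    return pow(g, private_x(N, salt, password, client_kdf), N)

def srp_exchange(N, g, salt, password, v, client_kdf=True):
    """One SRP-6a run. Returns (client_S, server_S); they agree only when the
    client's password corresponds to the stored verifier v."""
    k = H(i2b(N), i2b(g)) % N
    a = secrets.randbelow(N - 2) + 1               # client ephemeral
    A = pow(g, a, N)
    b = secrets.randbelow(N - 2) + 1               # server ephemeral
    B = (k * v + pow(g, b, N)) % N                 # server blinds g^b with k*v
    u = H(i2b(A), i2b(B)) % N
    x = private_x(N, salt, password, client_kdf)   # client re-derives x (runs the KDF again)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)     # server needs only v, never x
    return S_client, S_server

def guess_cost_check(N, g, salt, v, candidate, client_kdf=True) -> bool:
    """Per-candidate work for an offline attack on a leaked (salt, v): one
    stretch() plus one modular exponentiation. With client_kdf=True the
    stretch dominates, which is the point of putting a KDF in front of SRP."""
    return make_verifier(N, g, salt, candidate, client_kdf) == v

if __name__ == "__main__":
    N, g = find_safe_prime(64), 2
    salt = secrets.token_bytes(16)
    v = make_verifier(N, g, salt, b"constructed-example-password")
    print(srp_exchange(N, g, salt, b"constructed-example-password", v))
```

The network property comes from the exchange itself: the server holds only v and derives the same S without ever seeing x, so a wiretap on A and B yields nothing to check guesses against. The offline property comes entirely from `stretch`: with `client_kdf=False` a candidate costs one SHA-256 and one exponentiation, which is the regime the quoted 400k c/s benchmark lives in; with the KDF in front, every candidate pays the KDF first, and the SRP layer neither helps nor hurts that cost.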