Agilebits 1Password support and Design Flaw?
#20
(04-16-2013, 06:24 PM)jpgoldberg Wrote: I don't want to quibble about the meaning of the word "flaw",
With the help of time and discussions on Twitter, I see that yes, there is a design flaw in the Agile Keychain key derivation that gives the attacker a 1-bit advantage. I hadn't fully understood what atom was getting at. We use two PBKDF2 derivations (one for the IV, the other for the key) and both will be needed to unlock the file.

But if your interest is only in verifying a password, you don't need to use the derivation for the key. So, as Marsh Ray explained it to me on Twitter:
Quote: @jpgoldberg @hashcat @solardiz @jmgosney Defender must derive 2 blocks PBKDF2 (320 bits) but attkr can verify guess on only 1 block 160 bits

So OK. I get it now. It is a 1-bit flaw, but it is a flaw nonetheless.

The remarkable cracking speeds you have are far more due to what you've done with SHA1 in GPUs, but there is this design flaw as well.


RE: Agilebits 1Password support and Design Flaw? - by jpgoldberg - 04-16-2013, 09:58 PM
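The work asymmetry in Marsh Ray's tweet, as an added example in Python (not AgileBits' Agile Keychain code and not a hashcat kernel). PBKDF2-HMAC-SHA1 computes each 160-bit output block T_i independently, with `iterations` HMAC calls per block, so a defender who needs 32 bytes (two blocks, 320 bits produced) pays 2 x iterations HMAC calls while a guess verifier that needs only one block pays iterations. The example counts HMAC evaluations on both sides and reproduces the factor of two, i.e. the 1-bit advantage. Assumptions for the illustration: the attacker's check depends only on block 1 (the post does not give the real byte layout of key and IV, so this is a stand-in), a matching block 1 is taken as "guess verified" in place of actually decrypting and checking the file, and the salt, passwords and iteration count are constructed.

```python
import hashlib
import hmac
import struct

# Added example; not AgileBits' or hashcat's code. It models only the claim in
# the thread: PBKDF2-HMAC-SHA1 emits 160-bit blocks that are computed
# independently, so a party that needs one of two blocks does half the HMAC
# work of a party that needs both. Taking block 1 as the block the attacker
# needs is an assumption made for the illustration.

HLEN = hashlib.sha1().digest_size  # 20 bytes = 160 bits per PBKDF2 block


def pbkdf2_block(password, salt, iterations, index, counter):
    """T_index = U1 xor U2 xor ... xor Uc with PRF = HMAC-SHA1 (RFC 2898, 5.2).

    counter[0] is incremented once per HMAC evaluation so that the cost of
    the defender's and the attacker's derivations can be compared.
    """
    u = hmac.new(password, salt + struct.pack(">I", index), hashlib.sha1).digest()
    counter[0] += 1
    t = bytearray(u)
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha1).digest()
        counter[0] += 1
        t = bytearray(a ^ b for a, b in zip(t, u))
    return bytes(t)


def defender_unlock(password, salt, iterations, counter):
    """The file owner needs both blocks: 2 x iterations HMAC calls."""
    t1 = pbkdf2_block(password, salt, iterations, 1, counter)
    t2 = pbkdf2_block(password, salt, iterations, 2, counter)
    return t1, t2


def attacker_check_material(password, salt, iterations, counter):
    """A guess verifier that needs only block 1 stops after iterations HMAC calls."""
    return pbkdf2_block(password, salt, iterations, 1, counter)


def matches_stdlib(password, salt, iterations):
    """Sanity check: the two blocks equal hashlib's 40-byte PBKDF2-HMAC-SHA1 output."""
    t1, t2 = defender_unlock(password, salt, iterations, [0])
    return t1 + t2 == hashlib.pbkdf2_hmac("sha1", password, salt, iterations, 2 * HLEN)


def crack(candidates, salt, iterations, target_block1):
    """Try candidates in order; a guess counts as verified when its block 1 matches.

    The comparison against target_block1 is a stand-in for decrypting and
    checking the file. Returns (password or None, HMACs spent, HMACs a
    verifier that derived both blocks per guess would have spent).
    """
    counter = [0]
    for guess in candidates:
        if attacker_check_material(guess, salt, iterations, counter) == target_block1:
            return guess, counter[0], 2 * counter[0]
    return None, counter[0], 2 * counter[0]


def demo(iterations=1000):
    salt = b"constructed-salt"  # constructed; a real keychain carries its own salt
    real = b"correct horse"     # constructed master password
    counter = [0]
    t1, _ = defender_unlock(real, salt, iterations, counter)
    defender_cost = counter[0]
    candidates = [b"password", b"hunter2", b"agile", real]  # constructed wordlist
    found, attacker_cost, two_block_cost = crack(candidates, salt, iterations, t1)
    return {
        "found": found,
        "defender_hmacs_per_unlock": defender_cost,
        "attacker_hmacs_per_guess": attacker_cost // len(candidates),
        # log2 of (cost with both blocks / cost with one block): the 1-bit advantage
        "advantage_bits": (two_block_cost // attacker_cost).bit_length() - 1,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports 2 x iterations HMAC calls for one unlock on the defender's side against iterations per guess on the attacker's side, so the attacker tests twice as many guesses per unit of work as the iteration count alone suggests. The factor is independent of the iteration count; raising iterations makes both sides slower but leaves the 1-bit gap in place, which is why the post treats it as a design property of the derivation rather than a tuning issue.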