04-16-2013, 11:12 PM
no, that's only half the issue.
the other half of the issue is that 2 blocks of hmac-sha1 are required to generate 320 bits, but only 1 block is required to validate the password. defenders have to do n*2 iterations to derive, attackers only have to do n iterations to validate.
the other half of the issue is that 2 blocks of hmac-sha1 are required to generate 320 bits, but only 1 block is required to validate the password. defenders have to do n*2 iterations to derive, attackers only have to do n iterations to validate.