mail archive of the barebox mailing list
 help / color / mirror / Atom feed
From: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
To: "Jan Lübbe" <jlu@pengutronix.de>
Cc: barebox@lists.infradead.org
Subject: Re: [PATCH 07/10] password: add pbkdf2 support
Date: Mon, 16 Mar 2015 12:01:14 +0100	[thread overview]
Message-ID: <20150316110114.GD26127@ns203013.ovh.net> (raw)
In-Reply-To: <1426502999.3330.35.camel@pengutronix.de>

On 11:49 Mon 16 Mar     , Jan Lübbe wrote:
> On Mo, 2015-03-16 at 11:15 +0100, Jean-Christophe PLAGNIOL-VILLARD wrote:
> > We will use "barebox_password" as salt and 10000 round to generate a
> > 64 bytes key.
> 
> The purpose of a salt is to protect a against dictionary or
> rainbow-table (precomputed) attacks. That means that the Salt must be
> randomly generated and saved with the password.
This will be a enough stong enven with static one to protect against
reverse hack for barebox protection

Use a 32 byte pass try to do an attack agaist dictionary.
it will take you more than 10 years to break it
> 
> For setting a new password in barebox, even a low entropy salt will make
> attacks significantly more expensive. So we should add some entropy from
> user interaction timing in that case.
yes we could do this too
> 
> For hashing a password at compile time, we should get the salt from the
> host system.
yes

do we really need it?

Best Regards,
J.
> 
> Regards,
> Jan
> -- 
> Pengutronix e.K.                           |                             |
> Industrial Linux Solutions                 | http://www.pengutronix.de/  |
> Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
> 
> 
> _______________________________________________
> barebox mailing list
> barebox@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/barebox

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

  reply	other threads:[~2015-03-16 11:02 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-03-16 10:13 [PATCH 00/10 v3] prepare for rsa support Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 10:15 ` [PATCH 01/10] digest: add verify callback Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 10:15   ` [PATCH 02/10] command: rename digest.c to hashsum.c Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 10:15   ` [PATCH 03/10] command: allow runtime usage Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 10:15   ` [PATCH 04/10] command: add generic digest command Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 11:49     ` Jan Lübbe
2015-03-16 14:51       ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 10:15   ` [PATCH 05/10] digest: add digest callback Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 10:15   ` [PATCH 06/10] crypto: add pbkdf2 hmac key generator Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 10:15   ` [PATCH 07/10] password: add pbkdf2 support Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 10:49     ` Jan Lübbe
2015-03-16 11:01       ` Jean-Christophe PLAGNIOL-VILLARD [this message]
2015-03-16 11:05         ` Jan Lübbe
2015-03-16 11:25           ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 11:41             ` Jan Lübbe
2015-03-16 11:52               ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 11:58                 ` Jan Lübbe
2015-03-16 12:10                   ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 13:14                     ` Jan Lübbe
2015-03-16 13:55                       ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 10:15   ` [PATCH 08/10] digest: allow algo to specify their length at runtime Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 10:15   ` [PATCH 09/10] crypto: hmac: use digest_digest and check the return of every digest_xxx Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 10:15   ` [PATCH 10/10] digest: digest_file_window: check every digest_xxx return Jean-Christophe PLAGNIOL-VILLARD

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150316110114.GD26127@ns203013.ovh.net \
    --to=plagnioj@jcrosoft.com \
    --cc=barebox@lists.infradead.org \
    --cc=jlu@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox