Cheat sheet update/refactor proposal: Issue on the PBKDF2 iteration counter specified in the Password Storage Cheat Sheet #50

Closed
Caerostris opened this issue Mar 22, 2019 · 5 comments
Labels
ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet.

Comments

@Caerostris

The password storage cheat sheet recommends an iteration count of 10.000 for PBKDF2 key derivation, referencing a 2012 Apple report using these numbers. I believe it should be clear that a 2012 recommendation is out of place in a current security cheat sheet.

The 2018 version of the report states that 10 million iterations are now used for iOS backups. Other reports (although not quite up to date either) mention 100.000 and 200.000 iterations.

Considering how quickly these recommendations seem to be changing at the moment, does it even make sense to include a fixed number at all?

@Caerostris Caerostris added ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet. labels Mar 22, 2019
@righettod righettod added ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. and removed ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. labels Mar 23, 2019
@righettod righettod added this to the Roadmap 2019 milestone Mar 23, 2019
@righettod
Member

righettod commented Mar 23, 2019

Hi,

Thank you very much for the feedback.

I agree on this. In the CS we recommend to use Argon2 as first choice (in 2019 I think it's now possible).

I think it is still necessary to add a hint about a minimal number of iterations in order to allow the CS reader to have directly usable information. But, on our side, we need to keep this hint up to date.

I think to add a hint like this:

return [salt] + pbkdf2([salt], [credential], c=[iteration_count]);

As computation time depends on the target system, "iteration_count" must be a number implying that the computation time on the target system takes at least 1 second. Like 1000.000 for example.

What do you think?
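The calibration rule proposed above (pick the iteration count so that one PBKDF2 run takes at least a target time on the target system) can be turned into code. The following is an added example for this issue, not code from the cheat sheet or from the commenters; it assumes PBKDF2-HMAC-SHA256 via Python's `hashlib`, a hypothetical `iterations$salt$hash` record format, and a `MIN_ITERATIONS` floor whose value is an assumption, not a figure from the issue. It goes slightly beyond the pseudocode by storing the iteration count next to the salt and hash, so that a record made under an older, smaller count can be detected and re-hashed once the target time is raised.

```python
import hashlib
import hmac
import os
import time

# Floor the calibration never goes below, whatever the timing says.
# The value is an assumption for this example, not a number from the issue.
MIN_ITERATIONS = 100_000
PROBE_ITERATIONS = 20_000   # short probe run used to measure this machine's speed
HASH_NAME = "sha256"
DKLEN = 32                  # derived key length in bytes
SALT_LEN = 16               # 128-bit random salt per password


def pbkdf2_hash(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 of `password` with the given salt and iteration count."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password, salt, iterations, dklen=DKLEN)


def calibrate_iterations(target_seconds: float = 1.0, minimum: int = MIN_ITERATIONS) -> int:
    """Return an iteration count that makes one PBKDF2 run take at least
    `target_seconds` on this machine.

    Runs a few short probes, keeps the fastest (least scheduler noise) and
    scales linearly, since PBKDF2 cost is linear in the iteration count.
    Run this on the production hardware, not on a developer laptop.
    """
    salt = os.urandom(SALT_LEN)
    best = float("inf")
    for _ in range(3):
        t0 = time.perf_counter()
        pbkdf2_hash(b"calibration-probe", salt, PROBE_ITERATIONS)
        best = min(best, time.perf_counter() - t0)
    if best <= 0:
        return minimum
    estimate = int(PROBE_ITERATIONS * target_seconds / best)
    # Round up to the next multiple of 10,000 so the stored count is a clean figure.
    estimate = -(-estimate // 10_000) * 10_000
    return max(estimate, minimum)


def hash_password(password: str, iterations: int) -> str:
    """Create a self-describing record: iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_LEN)
    digest = pbkdf2_hash(password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the count and salt stored in the record; constant-time compare."""
    iterations_str, salt_hex, digest_hex = record.split("$")
    actual = pbkdf2_hash(password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations_str))
    return hmac.compare_digest(actual, bytes.fromhex(digest_hex))


def needs_rehash(record: str, current_iterations: int) -> bool:
    """True when the record was made with fewer iterations than the current
    target, so it should be re-hashed at the next successful login."""
    return int(record.split("$")[0]) < current_iterations


if __name__ == "__main__":
    count = calibrate_iterations(1.0)
    print(f"calibrated iteration count for a 1 s target: {count}")
    record = hash_password("correct horse battery staple", count)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("needs rehash at 2x count:", needs_rehash(record, 2 * count))
```

Because the count lives in the record, raising the target later only requires re-calibrating and re-hashing on the next login, which is what makes a time-based hint survive the kind of drift in recommended numbers that this issue describes.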

@righettod righettod changed the title Cheat sheet update/refactor proposal: Password Storage Cheat Sheet Cheat sheet update/refactor proposal: Issue on the PBKDF2 iteration counter specified in the Password Storage Cheat Sheet Mar 23, 2019
@Caerostris
Author

This is exactly the kind of wording I was hoping for!
Giving a target computation time rather than a fixed iteration count is far less likely to become outdated in the future.

@righettod righettod self-assigned this Mar 23, 2019
@righettod
Member

OK, thank you very much, I will update the CS in this way 😃

@Caerostris
Author

Perfect, thanks!

@righettod
Member

I have updated the CS, ping me if it is not OK...
