Next: Conclusion
Up: Secure Storage
Previous: Secure Storage
Increasing computational power makes the use of cryptography to
further system security more feasible and allows for more tuneable
security parameters such as public key length. However, one security
parameter - the length and entropy of user-chosen passwords - does not
scale at all with computing power. Many systems still require
user-chosen secret passwords which are hashed to keep them secret.
When the UNIX password hash crypt(3) was introduced in 1976, it
could not hash more than four passwords per second. With increasingly
more powerful attackers it is common to compute more than 200,000
password hashes per second. In OpenBSD we use the bcrypt
algorithm to make the cost of password hashing parameterizable. Its
design makes it hard to optimize bcrypt's execution speed or use
commodity hardware instead of software. bcrypt uses a 128-bit
salt and encrypts a 192-bit magic value. It takes advantage of the
fact that the Blowfish algorithm (used in the core of bcrypt for
password hashing) needs a fairly expensive key setup, thus
considerably slowing down dictionary-based attacks. bcrypt uses
the arc4random(3) interface for password salt-generation. A
comparison between this approach and the mechanism used in certain
other Unix systems for generating salts has shown that while
arc4random(3) behaved extremely close to the statistical theoretical
expectations; in contrast, other systems produced large numbers of
collisions, making dictionary attacks faster.
A special configuration file, passwd.conf(5), is used to
determine which type of password scheme is used for a given user or
group. It is possible to use different password schemes for local or
YP passwords. For bcrypt, the number of rounds is also included.
This facilitates adapting the password verification time to increasing
processor speed. Currently, the default number of rounds for a normal
user is 26, and 28 for ``root.'' bcrypt is used in OpenBSD
as the default password scheme since version 2.1. For more details,
see [33].
Next: Conclusion
Up: Secure Storage
Previous: Secure Storage
& D. Keromytis
4/26/1999