excessive SHA1 calls
Andrew Bartlett
abartlet at samba.org
Fri Nov 25 00:20:49 GMT 2005
On Fri, 2005-11-25 at 11:19 +1100, tridge at samba.org wrote:
> Love,
>
> I noticed this on IRC
>
> > lha: its the point of it, it uses PKCS7-PDF2, and its tuneable-slow
> > to stop password guessing
>
> would tuning the number of passes break interoperability with other
> implementations? If not, then I'd suggest we add a tuning option.
>
> > Yes, its possible to cache the result of the s2k(password,enctype) on
> > success, and invalidate it on password change.
>
> What are the security implications of this cache data? Do we have to
> protect the cache like a password? Sorry for the obvious questions,
> I'm just not familiar with the PKCS7 algorithms.
>
> If we don't have to protect the data then we should hook this into a
> general cache system. Otherwise we'd need a separate cache mechanism.
I think I just need to store it in the secrets.ldb along with the
password, or make a real keytab, and reference that in the secrets.ldb.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20051125/844123d5/attachment.bin
More information about the samba-technical
mailing list