excessive SHA1 calls

Love Hörnquist Åstrand lha at samba.org
Fri Nov 25 09:31:44 GMT 2005

tridge at samba.org writes:

> Love,
> I noticed this on IRC
>  > lha: its the point of it, it uses PKCS7-PDF2, and its tuneable-slow
>  > to stop password guessing
> would tuning the number of passes break interoperability with other
> implementations? If not, then I'd suggest we add a tuning option.

Yes, its tunable. But see below.

>  > Yes, its possible to cache the result of the s2k(password,enctype) on
>  > success, and invalidate it on password change.
> What are the security implications of this cache data? Do we have to
> protect the cache like a password? Sorry for the obvious questions,
> I'm just not familiar with the PKCS7 algorithms.
> If we don't have to protect the data then we should hook this into a
> general cache system. Otherwise we'd need a separate cache mechanism.

The s2k(password,enctype) have the same property as the htlm hash, its a
password equvalent. One reason the function is so slow and tunable slow is
to make dictionary attacks very expensive. So storing the
s2k(password,enctype) just next to the password is fine.

> This doesn't just affect valgrind testing btw. Imagine you have a lab
> of 500 machines and there is a power failure/reboot. At 0.4s per
> connection thats 200 seconds of CPU time just to answer negprot
> requests. Even with some skew in startup times, it's highly likely
> that some of the machines will timeout and fail to mount drives.

The cache can be resistant, in form of a keytab or some other form.

> That's whats happening with the BASE-NTDENY1 under valgrind. That
> opens 4 connections, whereas the other tests tend to open 1
> connection. Under valgrind the 4 connections is enough to make it slow
> enough that some of the clients timeout during the negprot. With 1
> connection we get away with it (and this is on a 2.4GHz dual Xeon
> server).
> Scale this up to hundreds/thousands of clients and you will get a
> really bad problem even with fast cpus.

I assume you understood hhow this works by Andrews mail, if not, I'll happy
try to explain why its not.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 477 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20051125/4fac46bf/attachment.bin

More information about the samba-technical mailing list