Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 31 Aug 2014 09:32:22 +0400
From: Solar Designer <>
Subject: [openwall-announce] Energy-efficient bcrypt cracking (Passwords^14, Skytalks, WOOT '14 slides and paper); crypt_blowfish 1.3


I am being a bit late to post these, but better late than never:

1. Katja Malvoni has given 3 talks at conferences in the US earlier in
August: at PasswordsCon Las Vegas, Skytalks, and USENIX WOOT '14.  We've
also submitted an academic paper to WOOT.  All of these reflect progress
we made at the "Energy-efficient bcrypt cracking" project since last
year.  Here are the new slides, download links, and YouTube video link:

The talk video includes a live demo of bcrypt hash cracking with
modified John the Ripper on several of the energy-efficient boards.

For reference, here's last year's announcement:

New since last year are much improved results for FPGAs, in particular
for Xilinx Zynq 7020 and 7045.  The latter achieves what's probably the
highest bcrypt cracking speed per chip that has been actually
demonstrated so far (for any kind of chip, including CPUs and GPUs), as
well as the highest energy-efficiency, although indeed even higher
speeds are currently possible (e.g. on FPGAs that are bigger yet).

In particular, for bcrypt cost 5 the speed on Zynq 7045 is 20538 c/s,
and for cost 12 it is 226 c/s (higher efficiency than for cost 5).
Similarly expensive Xeon E5-2670 is 2.4x to 3.3x slower than Zynq 7045
on this test, yet consumes ~20x more power; GPUs are way behind.

The inexpensive Zynq 7020 now achieves speeds that are on par with CPUs
and GPUs, but at much greater energy efficiency.

We're going to continue the project, targeting other FPGAs and
multi-FPGA boards.

We continue to recommend use of bcrypt for now.  The bcrypt cracking
speedups and energy efficiency improvements achieved so far are very
important, but are not fatal to its continued use for a while longer.
This is a short-term recommendation.

2. I released crypt_blowfish 1.3 back in July:

Version 1.3 adds support for the $2b$ prefix introduced in OpenBSD 5.5+,
which behaves exactly the same as crypt_blowfish's $2y$ did and still
does.  This way, full compatibility with OpenBSD's bcrypt is achieved at
the new $2b$ prefix.

crypt_blowfish 1.3 is already included in Owl-current builds (including
the ISO images) made in July.

I'd like to thank the OpenBSD project for providing this avenue for us
to achieve full compatibility between the implementations despite of the
mistakes made previously.

To be more confident there is indeed full compatibility, I wrote and ran
a test suite cross-testing the two implementations, including on weird
and invalid inputs.  For the curious, it can now be found as
bcrypt-tester-1.0.tar.gz under:

although there should be no need to run it (again).

As usual, any feedback is welcome.


Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ