Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 10 Sep 2012 00:46:54 -0700
From: Colin Percival <>
CC: Solar Designer <>
Subject: Re: using scrypt for user authentication

On 09/09/12 18:24, Solar Designer wrote:
> On Sun, Sep 09, 2012 at 05:52:12PM -0700, Colin Percival wrote:
>> What sort of authentication servers are you running where you only have
>> 1 MB of RAM per CPU core?
> Not per CPU core, but maybe per concurrent authentication attempt - if
> concurrency is not limited.  If we simply introduce scrypt as a
> supported crypt(3) flavor in an OS, then its memory usage needs to be
> sane in the event of occasional spikes in concurrent authentication
> attempts, including on rather small systems (e.g., 256 MB RAM VPSes).

If you're seeing enough concurrent authentication attempts that using
16 MB for each of them comes close to eating up your 256 MB of RAM, odds
are that they're simply never going to finish due to CPU utilization

> A solution to this could be limiting concurrency - perhaps to the number
> of CPU cores, as you suggest.  I mentioned some approaches to this here:
> I'd appreciate your comments on this.
> For dedicated authentication servers at some specific organization, it
> can be a custom interface, so limiting the concurrency is easier - and
> much larger amounts of RAM may be used anyway.

I admit that I haven't given much thought to the details of integrating
scrypt into crypt(3), beyond noting that the "100 ms" parameters yield a
memory usage of 16 MB which seems unlikely to impose an excessive strain
on many systems.

The case which interests me more is the large websites which make a habit
of leaking millions of hashed passwords, and I would expect them to set
up internal scrypt-computation services.

>>> We might also want to have a tradeoff-defeating variation of scrypt, as
>>> Anthony Ferrara suggested or otherwise.  It appears that this would make
>>> scrypt maybe a factor of 2 more resistant to attacks with current GPUs
>>> at Litecoin's low settings and perhaps a lot more at bigger settings
>>> (where the total GPU card's RAM size is more easily hit if the tradeoff
>>> is not used in an attack).  Maybe this property should be configurable
>>> (a Boolean parameter, to be encoded along with the resulting encrypted
>>> data or password hash).
>> This seems like an attempt to patch over the problem of "scrypt not being
>> used as intended".
> I am not proposing this as an alternative to using larger memory sizes
> (as intended).  I am proposing it for use along with scrypt's intended
> settings.  Due to the tradeoff, GPUs may be potentially reasonably
> usable for attacking scrypt even with large memory settings.  If a user
> of scrypt (e.g., a sysadmin) doesn't expect to need to crack scrypt on
> GPUs (and most won't), the user will be able to turn the knob and make
> scrypt more GPU-unfriendly.  Note that since GPUs are only efficient
> when a lot of parallelism is available, they're likely not reasonably
> usable for defensive scrypt computation anyway (unless "p" is set very
> high in advance).

Point taken... although one supposes that a GPU might be a solution to your
hypothesized denial-of-service attack problem. :-)

Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | | Online backups for the truly paranoid

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.