Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20120805030959.GG12928@openwall.com>
Date: Sun, 5 Aug 2012 07:09:59 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: 1Password blog post about Dhiru's new/forthcoming 1Password module

Hi Jeffrey,

On Tue, Jul 31, 2012 at 11:45:50AM -0500, Jeffrey Goldberg wrote:
> I just published a blog post for 1Password users about the new/forthcoming developments in JtR, once again exhorting them to use strong master passwords. It is here
> 
>    http://blog.agilebits.com/2012/07/31/1password-is-ready-for-john-the-ripper/
> 
> If you see any egregious errors, please let me know.
> 
> And congratulations. I'm pleased that it was the JtR community that got here first. I have a lot of respect for Elcomsoft, and I really thought that they would be the first to publicly release a tool for 1Password cracking/recovery. But I'm glad it was you folk.

I am impressed by the way you handled this.  Thank you!

This is not an error in your blog post, but JFYI I think that
Elcomsoft's speed estimates were "more correct" than what Dhiru obtained
so far.  Sure, Dhiru's code is what actually exists and works now, but
that code does not use SIMD yet.  So a speedup on CPUs (maybe 4x) is
expected when/if someone (on our team or not) implements that.  On the
other hand, Dhiru's guesstimate of 100x speedup with GPUs was relative
to one CPU core.

To get more accurate numbers for PBKDF2-HMAC-SHA-1 speeds with more
optimal code, you may look at the speeds JtR is getting at MSCash2
(DCC2).  This is PBKDF2-HMAC-SHA-1 with 10240 iterations (thus 20480
SHA-1's are computed).  JtR achieves about 5350 c/s at it on FX-8120 CPU
running an OpenMP-enabled build (or about 1600 c/s on one core in that
same CPU - higher clock rate due to turbo).  It achieves about 100k c/s
on HD 7970.  Now you may take these numbers and scale them to your
desired iteration counts.  However, you may need to halve them if the
derived keys are wider than 160 bits (there are twice more SHA-1's per
PBKDF2 iteration then - e.g., 40960 for 10240 iterations then).

Dhiru's code for 1Password appears to always generate 256-bit AES keys.
Is this the key size you actually use?  Always?  If not, then there's
room for a 2x speedup when the AES key is 128 bits (fits in 160).

Also, per Elcomsoft's slides, some older versions of 1Password did not
use PBKDF2 yet (but used simple MD5 instead).  Is this true?  Can you
provide more info on this (what versions, when they were released)?

Thanks again,

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.