Menu
Having read Rob Napier's blog post on Properly Encrypting with CommonCrypto I'm still having trouble understanding why increasing the number of hashing iterations makes an attacker "waste some time".
The man page for CCKeyDerivationPBKDF describes rounds as:
The number of rounds of the Pseudo Random Algorithm to use.
Is the principle here that the attacker is attempting to break the password by going through a series of guesses but in order to turn the password into the key to see if it works they themselves have to iterate number-of-rounds times?
472
That's one principle. Another benefit is that differing numbers of rounds among potential targets makes a one-size-fits-all attack harder to work. Much like salts, diversity and added work in crypto makes attackers have to mount expensive attacks on each target. Such obstacles might deter an attacker from hitting your site: he or she notices there are much easier sites to target and moves on.
If your site is important, the reality of the situation is that the attackers usually work around crypto rather than bore through it. Bruce Schneier points out crypto is usually the strongest link. They're more likely to own your box or exploit a flaw in their web app. Once they have control, they can intercept or manipulate whatever data they want. So, it's best to just use best practice configuration for crypto and then apply most of your energy to looking for issues at application layer.
122
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
