
This article doesn't feel very well done to me. He writes: "The first cipher I'd suggest you consider besides bcrypt is PBKDF2."

PBKDF2 is not a cipher. It's a KDF, and it's almost always used with an HMAC or a cryptographic hash rather than a cipher. The thesis of this article seems to be "PBKDF2 is well understood, where bcrypt is not." In fact, the opposite is probably true.

bcrypt uses a block cipher (blowfish) to create its underlying compression function. Block ciphers are extremely well understood, have been studied to death for years, and are modeled on extremely well understood constructs. They can be used to create cryptographic hash functions, but usually aren't, because they're slow (which we don't care about in this case).

Cryptographic hash functions, by contrast, are not well understood at all. They are "magic" in many ways, and aren't modeled after anything. Many more "bad things" happen in this space than in the block cipher space. The only reason people mess with them at all is because they're faster than block ciphers, which again, we don't care about in this case.

The other appeal to PBKDF2 is because it "comes from RSA." This doesn't feel like an extremely compelling argument, but if we were going to believe it, then why not use the PKCS#12 KDF? PBKDF2 was proposed in PKCS#5, and "12" is a larger number than "5", so if we're going to do what RSA tells us we should do, they're essentially saying we shouldn't actually use PBKDF2.
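To make the "KDF, not cipher" distinction concrete: the following is an added example, not code from the commenter or from the article under discussion. It implements PBKDF2 as RFC 8018 specifies it, with HMAC-SHA256 as the pseudorandom function, checks the result against the standard library's hashlib.pbkdf2_hmac, and wraps it in a password storage record with constant-time verification. The record format, the 16-byte salt, the 32-byte output and the 600,000-iteration default are assumptions chosen for the example, not values from the thread.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dk_len: int) -> bytes:
    """PBKDF2 (RFC 8018, section 5.2) with HMAC-SHA256 as the PRF.

    Each output block T_i = U_1 xor U_2 xor ... xor U_c, where
    U_1 = PRF(P, S || INT(i)) and U_j = PRF(P, U_{j-1}).
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    if dk_len < 1:
        raise ValueError("dk_len must be >= 1")

    def prf(data: bytes) -> bytes:
        return hmac.new(password, data, hashlib.sha256).digest()

    h_len = hashlib.sha256().digest_size
    blocks_needed = -(-dk_len // h_len)  # ceiling division
    derived = bytearray()
    for block_index in range(1, blocks_needed + 1):
        u = prf(salt + struct.pack(">I", block_index))  # INT(i) is big-endian
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = prf(u)
            t = bytearray(a ^ b for a, b in zip(t, u))
        derived.extend(t)
    return bytes(derived[:dk_len])


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dk_len: int) -> bool:
    """Cross-check the hand-written KDF against hashlib.pbkdf2_hmac."""
    reference = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dk_len)
    return hmac.compare_digest(pbkdf2_hmac_sha256(password, salt, iterations, dk_len), reference)


# Assumed parameters for the storage example; tune iterations to your hardware.
DEFAULT_ITERATIONS = 600_000
SALT_LEN = 16
DK_LEN = 32


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$dk_hex.

    The salt parameter exists only so tests can be deterministic; in
    production leave it None so a fresh random salt is drawn per password.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = pbkdf2_hmac_sha256(password.encode("utf-8"), salt, iterations, DK_LEN)
    return "pbkdf2-sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the record's own parameters and compare in constant time."""
    try:
        scheme, iterations_str, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed record: wrong field count, bad int or bad hex
    candidate = pbkdf2_hmac_sha256(password.encode("utf-8"), salt, iterations, len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample input, not a real credential.
    record = hash_password("correct horse battery staple", iterations=10_000)
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("Correct horse battery staple", record))
    print("agrees with hashlib:", matches_stdlib(b"passwd", b"salt", 1, 64))
```

The point of the cross-check is that everything above the storage helpers is just HMAC applied repeatedly and XORed together; there is no cipher anywhere in PBKDF2, which is exactly the distinction the comment draws. The record stores its own iteration count so the work factor can be raised later without invalidating existing hashes.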




Ladies & Gentlemen, Moxie Marlinspike, whose comment should be heading up this whole thread.


Now I'm as much a fan of Moxie's as anybody, but I think one part of cryptography that needs to change is this tendency to excessively appeal to authority. Especially when speaking about practical issues.


So, I agree, but am happy he took the time to comment and (reasonably) concerned that his comment would be buried somewhere in the bottom third of the thread. I'm appealing to high quality comments, not authority.


HN needs a way for us to take subthreads for this kind of meta-discussion and fork them into another dimension.


These are all valid criticisms. Apologies for using "cipher" where I meant "algorithm".


Cryptographic hash functions, by contrast, are not well understood at all. They are "magic" in many ways, and aren't modeled after anything. Many more "bad things" happen in this space than in the block cipher space.

Is this a common opinion amongst practitioners? The opposite philosophy (e.g., that a random oracle is a "weaker object" than an ideal cipher) underlies some lines of work in the theoretical cryptography literature.


The two models are equivalent, in fact: http://eprint.iacr.org/2008/246

This of course says nothing about how to go about building an actual cipher/hash that withstands all kinds of cryptanalysis.

Edit: apparently not so clear, I'm told: http://arxiv.org/abs/1011.1264


A better interpretation of that paper is that it is giving an upper [edit: upper bound] on how inequivalent the models are.

Also, that paper was subsequently shown to be fatally flawed. http://arxiv.org/abs/1011.1264

Anyway, yeah, a theoretical diversion.


Yes, it's a common opinion (I quoted Schneier on it downthread).



