
I've seen a number of key stretching algorithms, and they involve increasing the number of operations needed to compute the key (i.e. the number of rounds within a hash function). But I wonder whether these approaches are more secure, as they increase the number of operations needed by a constant amount, not taking into account the computational resources of the device running the implementation.

Wouldn't it be more secure to have the necessary workload increase as a function of the available computing resources?

Or alternatively, without increasing the number of rounds, could a small challenge be solved (i.e. guess a 32-bit challenge) and incorporated into the key?

Sebi
    Reducing the rounds to suit the workload has the problem that an attacker could simply instead use their own processor(s) to run the key stretching algorithm. – SilverlightFox Sep 24 '15 at 13:32
  • You generally want to protect against an attacker running potentially different hardware. Just because you have little resources doesn't mean the attacker doesn't have larger ones. – user2313067 Sep 24 '15 at 14:18

1 Answer


You are correct that tailoring a key stretching algorithm's strength to the available hardware resources is superior to using a fixed strength. This is actually implemented in some cases, such as the LUKS disk encryption standard, which will use approximately two seconds' worth of PBKDF2 key stretching.

Sometimes this is not possible. For example, an external storage device may be used on multiple machines with varying hardware specs. What takes two seconds on a powerful computer might take half a minute on a cheaper, lower-end system. In these cases, a fixed difficulty for key stretching is often required, using a difficulty that is low enough that low-end computers can perform the operations fairly quickly, while still being high enough to be a pain for attackers.

forest
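The calibration the answer describes for LUKS, as an added example that is not from the post or from cryptsetup: benchmark PBKDF2-HMAC-SHA256 on the current machine, scale the iteration count to a target time, store that count next to the salt so a slower machine can still re-derive the key, and clamp to a floor so a weak device cannot pick a trivially small count (the point raised in the comments). Function names, `MIN_ITERATIONS` and the probe size are assumptions, not values from the page or from LUKS.

```python
import hashlib
import hmac
import os
import time

# Assumed floor: a slow device never calibrates below this, because the
# attacker's hardware, not the defender's, sets the relevant cost.
MIN_ITERATIONS = 100_000
# Assumed probe size used to time one short derivation before scaling.
PROBE_ITERATIONS = 10_000


def calibrate_iterations(target_seconds: float, floor: int = MIN_ITERATIONS) -> int:
    """Time a short PBKDF2 run on this machine and scale the iteration count
    so that one full derivation takes roughly target_seconds, never below floor."""
    salt = os.urandom(16)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"benchmark", salt, PROBE_ITERATIONS)
    elapsed = max(time.perf_counter() - start, 1e-9)
    per_iteration = elapsed / PROBE_ITERATIONS
    return max(floor, int(target_seconds / per_iteration))


def derive_key(password: bytes, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 with an explicit iteration count (stored, not fixed)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=length)


def enroll(password: bytes, target_seconds: float = 2.0) -> dict:
    """Calibrate on the enrolling machine and persist salt + iteration count
    alongside the verifier, so unlock() works unchanged on slower hardware."""
    iterations = calibrate_iterations(target_seconds)
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "key": derive_key(password, salt, iterations),
    }


def unlock(password: bytes, record: dict) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    candidate = derive_key(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])
```

On a low-end machine the stored count is simply honoured, which is exactly the half-minute case the answer warns about; the floor is what keeps the trade-off from being decided by the weakest device.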