[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v2 03/17] crypto: add support for PBKDF2 algorit
|
From: |
Daniel P. Berrange |
|
Subject: |
Re: [Qemu-devel] [PATCH v2 03/17] crypto: add support for PBKDF2 algorithm |
|
Date: |
Fri, 5 Feb 2016 09:23:43 +0000 |
|
User-agent: |
Mutt/1.5.24 (2015-08-30) |
On Thu, Feb 04, 2016 at 03:14:10PM -0700, Eric Blake wrote:
> On 01/20/2016 10:38 AM, Daniel P. Berrange wrote:
> > +int qcrypto_pbkdf2(QCryptoHashAlgorithm hash,
> > + const uint8_t *key, size_t nkey,
> > + const uint8_t *salt, size_t nsalt,
> > + unsigned int iterations,
> > + uint8_t *out, size_t nout,
> > + Error **errp);
> > +
> > +/**
> > + * qcrypto_pbkdf2_count_iters:
> > + * @hash: the hash algorithm to use
> > + * @key: the user password / key
> > + * @nkey: the length of @key in bytes
> > + * @salt: a random salt
> > + * @nsalt: length of @salt in bytes
> > + * @errp: pointer to a NULL-initialized error object
> > + *
> > + * Time the PBKDF2 algorithm to determine how many
> > + * iterations are required to derive an encryption
> > + * key from a user password provided in @key in 1
> > + * second of compute time. The result of this can
> > + * be used as a the @iterations parameter of a later
> > + * call to qcrypto_pbkdf2().
>
> As machines get faster, will 2^31 still be enough, or do we want a
> 64-bit iterations counter?
The luks format only has space to store a 32-bit int for interations,
so 64-bit would require an on disk format change. On my current modern
laptop we're getting iteration counts in the 400,000 range, so it will
be a decent while before we hit 2^31, by which time LUKS maintainers
will have to do a format change.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|