[Pkg-shadow-devel] redhat patches
Peter Vrabec
pvrabec at redhat.com
Mon Nov 19 15:36:26 UTC 2007
Hi,
I asked Ulrich D. about some things that were not clear about SHA-256/512.
> Are we supposed to use "rounds=NNN" parameter in the salt string? Is it
> possible in future, that glibc change default rounds value?
The default is not going to change but the requirements will. You need
to have a way to allow the sysadmin to specify the rounds and then use
the value. Even better, allow specifying a range and choose a random
value in that range.
> I don't think that is true. IMO, the varying size adds less than one
> bit of entropy. So moving from 8 to 16 adds much more entropy.
?? Have you looked at the inner loop? In several places we are adding
a number of bytes corresponding to the length of the salt string.
> I don't think that is important though, I don't think having a fixed
> size entropy is interesting either and having a minimum of 8 bytes
> is quite good. (shadow-utils upstream)
>
> Are we OK with 8 bytes?
I think it should be a random value from 8 to 16. This is for brute
force attacks.
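The two practical points above (let the administrator set the rounds, ideally as a range picked from at random, and use a random salt length between 8 and 16) are easy to get wrong silently, because crypt(3) accepts almost any salt string. The following is an added example, not code from this thread, from shadow-utils or from glibc: it builds a `$6$rounds=N$salt` prefix under those rules and audits the hash fields of `/etc/shadow`-style lines against a minimum rounds and salt length. The limits (rounds clamped to 1000..999999999, default 5000, salt at most 16 characters) are those of the SHA-crypt specification; the function names, the sample lines and the 86-character placeholder hashes are constructed for the example.

```python
import re
import secrets

# Salt alphabet used by crypt(3)-style hashes: ./0-9A-Za-z
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Limits from the SHA-crypt specification: rounds are clamped to
# [1000, 999999999], the default is 5000, and the salt is cut at 16 chars.
ROUNDS_MIN, ROUNDS_DEFAULT, ROUNDS_MAX = 1000, 5000, 999_999_999
SALT_MAX_LEN = 16

# $<5|6>$[rounds=N$]<salt>$<hash>, the shape written to /etc/shadow.
# A hash without "rounds=" was computed with the default 5000 rounds.
SHA_CRYPT_RE = re.compile(
    r"^\$(?P<method>[56])\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<hash>[./0-9A-Za-z]+)$"
)


def make_salt_prefix(rounds_range=(ROUNDS_DEFAULT, ROUNDS_DEFAULT),
                     salt_len_range=(8, 16), method="6"):
    """Return a '$6$rounds=N$salt' prefix suitable as the salt argument
    of crypt(3). Rounds and salt length are drawn at random from the
    given inclusive ranges (hypothetical helper, not shadow-utils code)."""
    r_lo, r_hi = rounds_range
    s_lo, s_hi = salt_len_range
    if not (ROUNDS_MIN <= r_lo <= r_hi <= ROUNDS_MAX):
        raise ValueError("rounds range outside SHA-crypt limits")
    if not (1 <= s_lo <= s_hi <= SALT_MAX_LEN):
        raise ValueError("salt length range outside 1..16")
    if method not in ("5", "6"):
        raise ValueError("method must be '5' (SHA-256) or '6' (SHA-512)")
    rounds = r_lo + secrets.randbelow(r_hi - r_lo + 1)
    salt_len = s_lo + secrets.randbelow(s_hi - s_lo + 1)
    salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(salt_len))
    return f"${method}$rounds={rounds}${salt}"


def audit_hash(field, min_rounds=ROUNDS_DEFAULT, min_salt_len=8):
    """Check one shadow hash field. 'ok' is None for fields that are not
    SHA-crypt hashes (locked accounts, other algorithms), True/False otherwise."""
    m = SHA_CRYPT_RE.match(field)
    if not m:
        return {"ok": None, "findings": ["not a SHA-crypt hash"]}
    rounds = int(m["rounds"]) if m["rounds"] else ROUNDS_DEFAULT
    salt_len = len(m["salt"])
    findings = []
    if rounds < min_rounds:
        findings.append(f"rounds={rounds} below minimum {min_rounds}")
    if salt_len < min_salt_len:
        findings.append(f"salt length {salt_len} below minimum {min_salt_len}")
    return {"ok": not findings, "method": m["method"], "rounds": rounds,
            "salt_len": salt_len, "findings": findings}


def audit_shadow(lines, **limits):
    """Audit the second field of each shadow(5) line; returns {user: result}."""
    results = {}
    for line in lines:
        parts = line.rstrip("\n").split(":")
        if len(parts) < 2:
            continue
        results[parts[0]] = audit_hash(parts[1], **limits)
    return results


# Constructed sample lines; the hash parts are placeholders, not real digests.
SAMPLE_SHADOW = [
    "alice:$6$rounds=100000$Ab3dEf9hIj2kLm4n$" + "A" * 86 + ":19500:0:99999:7:::",
    "bob:$6$Q1w2e3r4$" + "B" * 86 + ":19500:0:99999:7:::",        # default rounds, 8-char salt
    "carol:$5$rounds=1000$abc$" + "C" * 43 + ":19500:0:99999:7:::",  # low rounds, 3-char salt
    "dave:*:19500:0:99999:7:::",                                     # locked account
]

if __name__ == "__main__":
    print(make_salt_prefix((50_000, 100_000), (8, 16)))
    for user, res in audit_shadow(SAMPLE_SHADOW).items():
        print(user, res["ok"], "; ".join(res["findings"]))
```

Pass `min_rounds` to `audit_shadow` to reflect whatever the local policy sets (for example the value configured for shadow-utils), so that entries hashed before the policy was raised show up for re-hashing at the next password change.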