Marsh Ray wrote:
>
> On 4/23/2010 12:12 PM, Nicolas Williams wrote:
> >
> > Irrelevant: if the random octets being sent don't add entropy (because
> > they are sent in cleartext) then this extension is completely orthogonal
> > to PRNG failures.
>
> Even though they are sent in-the-clear, the random data do serve the
> same useful purpose as the existing [cs]_random data.
>
> (Mathematicians and professional cryptographers should probably avert
> their eyes from the fast-and-loose reasoning which follows.)
>
> Because they are unpredictable they make offline precomputation harder.
> I think of it as adding entropy into offline computation, without adding
> any to the online computation.

This data does add the exact same work factor to the rightful user as
it adds to each of the attacker's brute-force attempts.

When you look at the two things that are done to raise the work factor
on password-based encryption: random salts and iteration count, then
this data is equivalent to the random salt.

The advantage of the random salt over the iteration count is that it
thwarts the creation of "rainbow tables", i.e. attacks aided by
precomputed data. The disadvantage is that it requires persisting or
exchanging more data (the random salt).

-Martin
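The salt-versus-precomputation point made in this message, as an added example that is not part of the original thread. It assumes PBKDF2-HMAC-SHA256 as a stand-in for password-based key derivation; the word list, user names and passwords are constructed, and the derivation counter is only there to make the work factor visible.

```python
import hashlib
import os

ITERATIONS = 1_000  # iteration count, kept small so the demo runs quickly
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon"]  # constructed guesses
USERS = {"alice": "letmein", "bob": "dragon", "carol": "Zr7#vQ-not-in-list"}  # constructed

calls = 0  # number of key derivations performed, i.e. the work spent

def derive(password: str, salt: bytes) -> bytes:
    """One unit of work: identical for the rightful user and for each guess."""
    global calls
    calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def build_table(salt: bytes) -> dict:
    """Derived key -> guess, for every word in the list under one salt."""
    return {derive(word, salt): word for word in WORDLIST}

def run_demo() -> dict:
    global calls
    # Each record is (salt, derived key); the salt is stored in the clear.
    unsalted = {u: (b"", derive(p, b"")) for u, p in USERS.items()}
    salts = {u: os.urandom(16) for u in USERS}
    salted = {u: (salts[u], derive(p, salts[u])) for u, p in USERS.items()}

    # A table computed before any record is seen serves every unsalted record.
    calls = 0
    table = build_table(b"")
    table_cost = calls
    hits_unsalted = sorted(u for u, (_, k) in unsalted.items() if k in table)
    hits_salted_same_table = sorted(u for u, (_, k) in salted.items() if k in table)

    # With unpredictable salts the guessing work is redone per record,
    # and only after that record's salt is known.
    calls = 0
    hits_salted = sorted(u for u, (s, k) in salted.items() if k in build_table(s))
    per_record_cost = calls

    # The rightful user still pays exactly one derivation per verification.
    calls = 0
    verified = all(derive(USERS[u], s) == k for u, (s, k) in salted.items())
    return {"table_cost": table_cost, "hits_unsalted": hits_unsalted,
            "hits_salted_same_table": hits_salted_same_table,
            "hits_salted": hits_salted, "per_record_cost": per_record_cost,
            "verified": verified, "verify_cost": calls}
```

The cleartext salt leaves the cost of a single guess unchanged; what it removes is the ability to do the guessing work once, in advance, and reuse it across records.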