Request for feedback: how slow is your slowest MAAS cloud?
Ante Karamatić
ante.karamatic at canonical.com
Fri Jun 2 07:54:16 UTC 2017
Derivation time: 0.8s
Architecture: x86_64
Model name: QEMU Virtual CPU version 0.12

Derivation time: 0.9s
Architecture: x86_64
Model name: Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz

Derivation time: 1,3-1,6s
Architecture: x86_64
Model name: Intel(R) Core(TM) i5-4200U CPU @ 1.60GHz

All used as both region and rack controllers.

On Fri, Jun 2, 2017 at 5:00 AM Seth Arnold <seth.arnold at canonical.com>
wrote:
> On Thu, Jun 01, 2017 at 05:46:52PM -0700, Mike Pontillo wrote:
> > In doing so, I'm looking at deriving a shared key that can be used to
> > encrypt network traffic between peer rack and region controllers, and
> > eventually commissioned machines. The industry standard for key derivation
> > is the PBKDF2 algorithm, which makes brute force attacks to derive the
> > password from the key harder (by repeatedly running a hash function).
>
> PBKDF2 is also fairly old; I believe most cryptographers would prefer
> argon2, scrypt, or bcrypt to PBKDF2, with a grudging acceptance that if
> you have to sell into the FIPS marketplace you may not have a choice.
> Do we have a choice?
>
> We should also worry about the asymmetry of attackers vs defenders.
> Hashcat on gtx1080 GPUs can crack roughly a thousand of these
> million-iteration PBKDF2 per second.
>
> (I'm extrapolating a bit from the data easily available. This forum post
> says the benchmark uses 1000 iterations:
> https://hashcat.net/forum/thread-5799.html
> And these results say that it can run over a million per second:
> https://gist.github.com/epixoip/6ee29d5d626bd8dfe671a2d8f188b77b
> https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40
> So my assumption is one thousand times the work means a one-thousand-times
> slowdown. I haven't tested these speeds myself.)
>
> This points out that no matter how expensive the KDF being used,
> passwords such as '123456', 'monkey', etc. are always terrible. It might
> take the controllers one second or so to generate the key, but given a
> password in the usual top-1000 list of passwords, hashcat can break it
> in about the same time it took to generate it.
>
> Thanks
--
Ante Karamatić
ante.karamatic at canonical.com
Canonical
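
Added example, not part of the original thread or of MAAS code: a Python script that measures the derivation time requested above and carries through the quoted scaling argument (benchmark rate at 1000 iterations scaled linearly to a million). HMAC-SHA256, the 32-byte key length, the rounded benchmark rate and all function names are assumptions; `min_entropy_bits` goes one step beyond the thread to show how much secret entropy is needed at that guess rate.

```python
import hashlib
import math
import os
import time

ITERATIONS = 1_000_000    # "million-iteration" figure from the thread
BENCH_ITERATIONS = 1_000  # iteration count of the benchmark cited in the thread
BENCH_RATE = 1_000_000    # guesses/s quoted for that benchmark, rounded down


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2 with HMAC-SHA256 (hash choice is an assumption), 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def time_derivation(iterations: int = ITERATIONS, runs: int = 3) -> float:
    """Best-of-N wall-clock seconds for one derivation on this machine."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(runs):
        start = time.perf_counter()
        derive_key("constructed-sample-secret", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def attacker_rate(iterations: int = ITERATIONS) -> float:
    """Linear scaling: N times the iterations gives 1/N the guesses per second."""
    return BENCH_RATE * BENCH_ITERATIONS / iterations


def seconds_to_exhaust(candidates: int, iterations: int = ITERATIONS) -> float:
    """Worst-case time to try every candidate at the scaled rate."""
    return candidates / attacker_rate(iterations)


def min_entropy_bits(target_seconds: float, iterations: int = ITERATIONS) -> float:
    """Secret entropy needed for exhaustion to take target_seconds."""
    return math.log2(target_seconds * attacker_rate(iterations))


if __name__ == "__main__":
    print(f"one derivation on this host: {time_derivation():.2f}s")
    print(f"top-1000 list exhausted in:  {seconds_to_exhaust(1000):.1f}s")
    print(f"bits to hold for one year:   {min_entropy_bits(365 * 24 * 3600):.1f}")
```

The iteration count only shifts the required entropy by log2(iterations), about 20 bits at a million, so a randomly generated secret matters more than a slower KDF setting.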