python passlib:“rounds”的最佳值是多少? [英] python passlib: what is the best value for "rounds"
问题描述
对于大多数面向公众的服务,您通常可以在250ms到400ms之间登录,之后用户开始懊恼。
所以在登录/注册中, round 的最佳值是多少我们认为登录尝试有一个数据库调用,并且使用 MongoDB 与非阻塞调用。 (使用 Mongotor ,并使用电子邮件作为 _id ,所以默认情况下是 indexed ,查询速度很快: 0.00299978256226 ,当然还有一个具有 3个记录的数据库 ... )
import passlib.hash/ pre>
import time
hashh = passlib.hash.pbkdf2_sha512
beg1 = time.time()
password = hashh.encrypt(test,salt_size = 32,rounds = 12000)
打印time.time() - beg1#返回0.142999887466
beg2 = time.time()
hashh.verify(test,password)#returns 0.143000125885
print time.time() - beg2
现在,如果我使用一半值:
password = hashh.encrypt(test,salt_size = 32,rounds = 4000)#返回0.0720000267029
hashh.verify(test,password)#返回0.0709998607635
在Dell XP上使用 Windows 7 64位S 15 i7 2.0 Ghz
注意:安装 bcrypt ,当然,它直接作为默认值(
rounds = 12)是一个真正的痛苦:hashh = passlib.hash.bcrypt
beg1 = time.time()
password = hashh.encrypt(test ,rounds = 12)#returns 0.406000137329
print time.time() - beg1
beg2 = time.time()
hashh.verify(test,password)#返回0.40499997139
print time.time() - beg2
一半值:
password = hashh.encrypt(test,rounds = 12)#0.00699996948242精彩?
hashh.verify(test,password)#0.00600004196167
你能否建议我
解决方案使用
pbkdf2_sha512> (这里的passlib开发人员)
pbkdf2_sha512所用的时间与它的rounds参数成线性比例(
elapsed_time = rounds * native_speed)。使用您的系统的数据,native_speed = 12000 / .143 = 83916 iterations / second,这意味着您需要在$ code> 83916 * .350 = 29575回合获得〜350ms的延迟。对于bcrypt来说,事情有点诡异,因为它花费的时间与它的回合参数成正比(elapsed_time =(2 ** rounds)* native_speed)。使用您的系统的数据,native_speed =(2 ** 12)/ .405 = 10113 iterations / second,这意味着您需要在log(10113 * .350,2)= 11.79回合获得〜350 ms的延迟。但是由于BCrypt只接受整数循环参数,所以您需要选择rounds = 11(〜200ms)或rounds = 12(〜400ms)。
所有这些都是我希望在将来发布的passlib中解决的问题。作为一项正在进行的工作,passlib的mercurial repo目前包含一个简单的小脚本, choose_rounds.py ,它负责为给定的目标时间选择正确的回合值。您可以直接下载并直接运行它(运行可能需要20s左右):
$ python choose_rounds.py - h
用法:python choose_rounds.py< hash_name> [< target_in_milliseconds>]
$ python choose_rounds.py pbkdf2_sha512 350
哈希............:pbkdf2_sha512
速度..... ......:83916次迭代/秒
目标时间.....:350毫秒
目标轮次...:29575
$ python choose_rounds.py bcrypt 350
哈希............:bcrypt
速度...........:10113次迭代/秒
目标时间... ..:350 ms
目标轮次...:11(200ms - 比请求快150ms)
目标轮次:12(400ms - 比请求慢50ms)
(编辑:关于安全最低轮的添加回复... )
免责声明:确定安全最低限度是一个非常棘手的问题 - 有很多难以量化的参数,很少的真实世界数据,还有一些非常无益的理论。缺乏良好的权威,我一直在研究这个话题;对于袖珍计算,我将原始数据转换成一个简短的公式(下面),这通常是我使用的。只要知道它背后有几页假设和粗略的估计,使它更像是一个费米估算比一个确切的答案:|
我的经验法则(2012年中期)用于使用GPU攻击PBKDF2-HMAC-SHA512是:
days * dollars = 2 **(n-31)* rounds
-
days是攻击者有50/50次机会的天数猜测密码。 -
美元是攻击者的硬体预算(美元)。 -
n是用户密码的平均熵值(以位为单位)。
如果平均密码有32位熵,则可以回答您的脚本小孩问题:攻击者有一个2000美元的系统,具有良好的GPU,然后在30000轮,他们将需要30天( 2 **(32-31)* 30000/2000 )有一个50 / 50破解给定哈希的几率。我建议玩的价值观,直到你达到一个你感到舒适的回合/天的折衷。
有些事情要记住:
-
成功率字典攻击不是线性的,更多的是长尾的情况,所以认为50/50的标记是更多的半衰期。
-
31是关键因素,因为它会对攻击特定算法使用特定的技术水平。实际值2 ** - 31衡量每回合的美元天,这将使攻击者花费一笔钱。为了比较,使用 ASIC 攻击PBKDF2-HMAC-SHA512的因子接近于code> 46 - 更大的数字意味着更多的攻击者的压力,对于每一轮的安全性更低,虽然脚本小孩一般不会有这样的预算:)
from the passlib documentation
For most public facing services, you can generally have signin take upwards of 250ms - 400ms before users start getting annoyed.
so what is the best value for rounds in a login/registration if we consider that there is one call for the database for the login attempt, and it uses MongoDB with non-blocking call. (using Mongotor, and using the email as the _id, so it is by default indexed, the query is fast: 0.00299978256226 and of course tested with a database that has 3 records...)
import passlib.hash
import time
hashh = passlib.hash.pbkdf2_sha512
beg1 = time.time()
password = hashh.encrypt("test", salt_size = 32, rounds = 12000)
print time.time()- beg1 # returns 0.142999887466
beg2 = time.time()
hashh.verify("test", password) # returns 0.143000125885
print time.time()- beg2
now if i use half value:
password = hashh.encrypt("test", salt_size = 32, rounds = 4000) # returns 0.0720000267029
hashh.verify("test", password) # returns 0.0709998607635
am using Windows 7 64 bits on Dell XPS 15 i7 2.0 Ghz
NB: installed bcrypt, and of course, it's a real pain using it directly as its default values (rounds = 12):
hashh = passlib.hash.bcrypt
beg1 = time.time()
password = hashh.encrypt("test", rounds = 12) # returns 0.406000137329
print time.time()- beg1
beg2 = time.time()
hashh.verify("test", password) # returns 0.40499997139
print time.time()- beg2
half value:
password = hashh.encrypt("test", rounds = 12) # 0.00699996948242 wonderful?
hashh.verify("test", password) # 0.00600004196167
can you suggest me a good rounds value when using pbkdf2_sha512 that will be good for production?
(passlib developer here)
The amount of time pbkdf2_sha512 takes is linearly proportional to it's rounds parameter (elapsed_time = rounds * native_speed). Using the data for your system, native_speed = 12000 / .143 = 83916 iterations/second, which means you'll need around 83916 * .350 = 29575 rounds to get ~350ms delay.
Things are a little tricker for bcrypt, because the amount of time it takes is logarithmically proportional to it's rounds parameter (elapsed_time = (2 ** rounds) * native_speed). Using the data for your system, native_speed = (2 ** 12) / .405 = 10113 iterations/second, which means you'll need around log(10113 * .350, 2) = 11.79 rounds to get ~350 ms delay. But since BCrypt only accepts integer rounds parameters, so you'll need to pick rounds=11 (~200ms) or rounds=12 (~400ms).
All of this is something I'm hoping to fix in a future release of passlib. As a work in progress, passlib's mercurial repo currently contains a simple little script, choose_rounds.py, which takes care of choosing the correct rounds value for a given target time. You can download and run it directly as follows (it may take 20s or so to run):
$ python choose_rounds.py -h
usage: python choose_rounds.py <hash_name> [<target_in_milliseconds>]
$ python choose_rounds.py pbkdf2_sha512 350
hash............: pbkdf2_sha512
speed...........: 83916 iterations/second
target time.....: 350 ms
target rounds...: 29575
$ python choose_rounds.py bcrypt 350
hash............: bcrypt
speed...........: 10113 iterations/second
target time.....: 350 ms
target rounds...: 11 (200ms -- 150ms faster than requested)
target rounds...: 12 (400ms -- 50ms slower than requested)
(edit: added response regarding secure minimum rounds...)
Disclaimer: Determining a secure minimum is a surprisingly tricky question - there are a number of hard to quantify parameters, very little real world data, and some rigorously unhelpful theory. Lacking a good authority, I've been researching the topic myself; and for off-the-cuff calculations, I've boiled the raw data down to a short formula (below), which is generally what I use. Just be aware that behind it are a couple of pages of assumptions and rough estimates, making it more of a Fermi Estimation than an exact answer :|
My rule of thumb (mid 2012) for attacking PBKDF2-HMAC-SHA512 using GPUs is:
days * dollars = 2**(n-31) * rounds
daysis the number of days before the attacker has a 50/50 chance of guessing the password.dollarsis the attackers' hardware budget (in $USD).nis the average amount of entropy in your user's passwords (in bits).
To answer your script-kiddie question: if an average password has 32 bits of entropy, and the attacker has a $2000 system with a good GPU, then at 30000 rounds they will need 30 days (2**(32-31)*30000/2000) to have a 50/50 chance of cracking a given hash. I'd recommend playing around with the values until you arrive at a rounds/days tradeoff that you're comfortable with.
Some things to keep in mind:
The success rate of a dictionary attack isn't linear, it's more of "long tail" situation, so think of the 50/50 mark as more of a half-life.
That
31is the key factor, as it encodes an estimation of the cost of attacking a specific algorithm using a specific technology level. The actual value,2**-31, measures the "dollar-days per round" it will cost an attacker. For comparison, attacking PBKDF2-HMAC-SHA512 using an ASIC has a factor closer to46-- larger numbers mean more bang for the attacker's buck, and less security per round for you, though script kiddies generally won't have that kind of budget :)
这篇关于python passlib:“rounds”的最佳值是多少?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
