Re: reducing our reliance on MD5

On 2/10/15 6:32 PM, Peter Geoghegan wrote:
> On Tue, Feb 10, 2015 at 4:21 PM, Robert Haas <robertmhaas@gmail.com> wrote:
>> Although the patch was described as relatively easy to write, it never
>> went anywhere, because it *replaced* MD5 authentication with bcrypt,
>> which would be a big problem for existing clients.  It seems clear
>> that we should add something new and not immediately kill off what
>> we've already got, so that people can transition smoothly.  An idea I
>> just had today is to keep using basically the same system that we are
>> currently using for MD5, but with a stronger hash algorithm, like
>> SHA-1 or SHA-2 (which includes SHA-224, SHA-256, SHA-384, and
>> SHA-512).  Those are slower, but my guess is that even SHA-512 is not
>> enough slower for anybody to care very much, and if they do, well
>> that's another reason to make use of the new stuff optional.
>
> I believe that a big advantage of bcrypt for authentication is the
> relatively high memory requirements. This frustrates GPU based
> attacks.

This is especially critical if things like bitcoin ASIC rigs could be 
put to use generating generic SHA256 hashes. A few grand will buy you 
hardware that can generate trillions of hash values per second. AFAIK 
there's no specialized hardware for scrypt though (even though it's used 
for other cryptocurrencies), in part because it's not cost effective to 
put enough memory in place.
-- 
Jim Nasby, Data Architect, Blue Treble Consulting
Data in Trouble? Get it in Treble! http://BlueTreble.com