Re: [kitten] draft-hansen-scram-sha256 and the hash iteration count

Dave Cridland <> Tue, 24 February 2015 16:55 UTC

List-Id: Common Authentication Technologies - Next Generation <>

On 24 February 2015 at 16:33, Tony Hansen <> wrote many

As a thought, is it not worthwhile to distill all this into a paragraph or
two within the Security Considerations, such as:

The strength of this mechanism is dependent in part on the iteration count,
as denoted by "i" in [RFC 5802]. As a rule of thumb, the iteration count
should be such that a modern machine will take 0.1 seconds to perform the
complete algorithm; however this is unlikely to be practical on mobile
devices and other relatively low-performance systems. At the time this was
written, the rule of thumb gives around 15,000 iterations required; however
an iteration count of 4096 takes around 0.5 seconds on current mobile
handsets. This computational cost can be avoided by caching the ClientKey
(assuming the Salt and iteration count are stable).

Therefore the recommendation of this specification is that the iteration
count SHOULD be at least 4096, but careful consideration ought to be given
to using a significantly higher value, particularly where mobile use is
less important.
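
The calibration rule and the ClientKey caching condition from the proposed text above, as an added example that is not part of the message or of the draft. The function and class names are hypothetical, all inputs are constructed, and the password is assumed to be already SASLprep-normalized bytes.

```python
import hashlib
import hmac
import time

def salted_password(password: bytes, salt: bytes, i: int) -> bytes:
    # RFC 5802 Hi(): PBKDF2 with HMAC as the PRF, output length = hash length.
    # Assumption: `password` has already been normalized (SASLprep) and encoded.
    return hashlib.pbkdf2_hmac("sha256", password, salt, i)

def client_key(salted: bytes) -> bytes:
    # RFC 5802: ClientKey := HMAC(SaltedPassword, "Client Key")
    return hmac.new(salted, b"Client Key", hashlib.sha256).digest()

def calibrate(target_seconds: float = 0.1, probe: int = 4096, floor: int = 4096) -> int:
    # Time one probe derivation and scale linearly to the target duration;
    # never go below the 4096 minimum suggested in the message.
    start = time.perf_counter()
    salted_password(b"constructed-probe-password", b"constructed-salt", probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(floor, int(probe * target_seconds / elapsed))

class ClientKeyCache:
    """Hypothetical client-side cache: ClientKey is reusable only while the
    server keeps sending the same salt and iteration count."""

    def __init__(self):
        self._keys = {}
        self.derivations = 0  # counts the expensive PBKDF2 runs

    def get(self, user: str, password: bytes, salt: bytes, i: int) -> bytes:
        slot = (user, salt, i)
        if slot not in self._keys:
            self.derivations += 1
            self._keys[slot] = client_key(salted_password(password, salt, i))
        return self._keys[slot]

if __name__ == "__main__":
    print("iterations for ~0.1 s on this machine:", calibrate())
    cache = ClientKeyCache()
    salt = bytes(range(16))  # constructed salt, not from any real server
    for i in (4096, 4096, 15000):  # third login: server raised the count
        cache.get("user", b"constructed-password", salt, i)
    print("PBKDF2 runs for 3 logins:", cache.derivations)  # 2
```

A cached ClientKey is enough to compute a valid ClientProof, so it needs the same protection at rest as the password itself.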