Date: Fri, 5 Feb 2016 09:23:43 +0000
From: "Daniel P. Berrange"
To: Eric Blake
Cc: Kevin Wolf, Fam Zheng, qemu-devel@nongnu.org, qemu-block@nongnu.org
Subject: Re: [Qemu-devel] [PATCH v2 03/17] crypto: add support for PBKDF2 algorithm
Message-ID: <20160205092343.GA13989@redhat.com>
In-Reply-To: <56B3CD32.7080307@redhat.com>
References: <1453311539-1193-1-git-send-email-berrange@redhat.com> <1453311539-1193-4-git-send-email-berrange@redhat.com> <56B3CD32.7080307@redhat.com>

On Thu, Feb 04, 2016 at 03:14:10PM -0700, Eric Blake wrote:
> On 01/20/2016 10:38 AM, Daniel P. Berrange wrote:
> > +int qcrypto_pbkdf2(QCryptoHashAlgorithm hash, > > + const uint8_t *key, size_t nkey, > > + const uint8_t *salt, size_t nsalt, > > + unsigned int iterations, > > + uint8_t *out, size_t nout, > > + Error **errp); > > + > > +/** > > + * qcrypto_pbkdf2_count_iters: > > + * @hash: the hash algorithm to use > > + * @key: the user password / key > > + * @nkey: the length of @key in bytes > > + * @salt: a random salt > > + * @nsalt: length of @salt in bytes > > + * @errp: pointer to a NULL-initialized error object > > + * > > + * Time the PBKDF2 algorithm to determine how many > > + * iterations are required to derive an encryption > > + * key from a user password provided in @key in 1 > > + * second of compute time. 
The result of this can > > + * be used as a the @iterations parameter of a later > > + * call to qcrypto_pbkdf2().
>
> As machines get faster, will 2^31 still be enough, or do we want a
> 64-bit iterations counter?

The luks format only has space to store a 32-bit int for iterations,
so 64-bit would require an on disk format change.

On my current modern laptop we're getting iteration counts in the
400,000 range, so it will be a decent while before we hit 2^31, by
which time LUKS maintainers will have to do a format change.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
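
Review bot: `unsigned int iterations` in the qcrypto_pbkdf2() prototype has no fixed width, while the reply above notes that the LUKS header only stores a 32-bit count; consider declaring it uint32_t, or documenting a range check, so that a value produced by qcrypto_pbkdf2_count_iters() can never exceed what the on-disk format holds. In the qcrypto_pbkdf2_count_iters doc comment, "as a the @iterations parameter" should read "as the @iterations parameter". The quoted part of that comment also does not say what the function returns, or what it returns when @errp is set, which callers need to know before passing the result on.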