-1

Cisco has finally gotten around to offering two relatively modern ways to store passwords in configuration files:

  • PBKDF2-HMAC-SHA256 with 20,000 iterations
  • Scrypt with N=16384, r=1, p=1

My question for the security gods is, given the two algorithms above: is one clearly better then the other, are they about the same, or are there any obvious tradeoff's that make it a hard decision?

Nathan Spitzer
  • 1
  • 1

1 Answers1

0

The Scrypt one is clearly better.

  • PBKDF2 is using 20,000 iterations

But SHA256 is extraordinarily easy to compute. I own a 2.5W USB stick that on SHA256 can calculate 330 million hash/sec. (i have 14 of these usb sticks, for a total of 4.6 Thash/s

  • Those Scrypt parameters are set to use:
    • 16,384 iterations
    • operating randomly on 2 MB of memory

Scrypt is very difficult to parallelize in hardware. The current state of the art of scrypt hashing can do about 1.3 million hash/sec, while consuming about 900W.

| Algorithm |  Power | Speed           | 
|-----------|--------|-----------------|
| PBKDF2    |   2.5W | 330,000,000 H/s |
| Scrypt    | 900W   |   1,300,000 H/s |
Ian Boyd
  • 246,734
  • 253
  • 869
  • 1,219