
Bcrypt hash program on Debian 8 without python-pip?

Hi,

I wanted to make some experiments with bcrypt's timing and it seems
that I need to make a wide detour over fat python stuff.

First I installed package "bcrypt" which turned out to provide an application
of the original Blowfish algorithm, which is so poor that the Debian version
is not allowed to encrypt anything any more:
  Encryption support disabled. See http://bugs.debian.org/700758

On the web I found an example
  https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html
which I can replay after doing in my sandbox
  apt-get install python-passlib
This added 2 MB, did not suffice, and proposed pip
  apt-get install python-pip
55 MB added. Then
  pip install bcrypt
Here I forgot to measure how many MB. Duh. It lasted about 3 seconds.
The "pip" run needed no superuser power.

I assume that the bcrypt algorithm is not running with python speed
but rather with binary program speed.

So I did some benchmarks (qemu with kvm on 3.5 GHz 4 core Xeon):

  $ python
  >>> from passlib.hash import bcrypt

The example with a "cost" of 13 needs about half a second:

  >>> bcrypt.using(rounds=13).hash("password")
  '$2b$13$IkrRofF47sgCo3CL/E.4ku.87dSGi1W0.3ZEgTYDrVuzXxpAYiUwu'

Consequently cost 16 needs 4 seconds, and 18 needs 15, 19 needs 30.
I'd say that 16 would be bearable in this python contraption.

So

  >>> bcrypt.using(rounds=16).hash("ElmerFudpecker")
  '$2b$16$0UGXpt5volf7U/U5pXXGs.fS/X6HSw.9QCzTfRGFOP/qmNvcExGDK'

would yield the 31 character password

  fS/X6HSw.9QCzTfRGFOP/qmNvcExGDK

to be transmitted to the remote service.

Of course, "ElmerFudpecker" would not be hardcoded in the python program
but rather be input from the keyboard.
And as said, it should be much harder to guess than a celebrity name.

Four 3.5GHz-Xeon seconds per try would be a pain for any enumerator,
even with a GPU array. Not unsurpassable, but also not without due heat
dissipation. Let him sweat.


Now how would I get this on real Debian 8 iron without running "pip"?
Best would be an implementation in plain C without a cuddly snake around it.
  apt-file search bcrypt
produces enough output to hide three such packages from my eyes.


Have a nice day :)

Thomas
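As an added example that is not part of Thomas's post: the 60-character strings above follow bcrypt's modular-crypt layout (`$2b$` identifier, two-digit cost, 22-character salt, 31-character digest), and the cost is the exponent of the number of key-setup rounds, so run time doubles with every +1. The code below, written with only the Python standard library, splits such a string into its fields (which is how the 31 characters quoted above are obtained) and scales a measured timing to another cost; the cost bounds 4..31 are those defined by the bcrypt algorithm, and the sample hashes are the ones from the post.

```python
import re
from dataclasses import dataclass

# bcrypt uses its own base64 alphabet ("./A-Za-z0-9"), not the RFC 4648 one.
# Layout: $<ident>$<cost>$<22 salt chars><31 digest chars>  (60 chars total)
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


@dataclass(frozen=True)
class BcryptHash:
    ident: str   # e.g. "2b"
    cost: int    # log2 of the number of key-setup rounds (4..31)
    salt: str    # 22 base64 chars = 128-bit salt
    digest: str  # 31 base64 chars = 184-bit truncated output


def parse_bcrypt(text: str) -> BcryptHash:
    """Split a bcrypt modular-crypt string into its fields, or raise ValueError."""
    match = _BCRYPT_RE.match(text)
    if match is None:
        raise ValueError("not a well-formed bcrypt hash string")
    ident, cost_str, salt, digest = match.groups()
    cost = int(cost_str)
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} outside the defined range 4..31")
    return BcryptHash(ident, cost, salt, digest)


def estimate_seconds(measured_cost: int, measured_seconds: float, target_cost: int) -> float:
    """Project a timing to another cost: work is 2**cost, so each +1 doubles it."""
    return measured_seconds * 2.0 ** (target_cost - measured_cost)


if __name__ == "__main__":
    # Sample values taken from the post above.
    for sample in (
        "$2b$13$IkrRofF47sgCo3CL/E.4ku.87dSGi1W0.3ZEgTYDrVuzXxpAYiUwu",
        "$2b$16$0UGXpt5volf7U/U5pXXGs.fS/X6HSw.9QCzTfRGFOP/qmNvcExGDK",
    ):
        h = parse_bcrypt(sample)
        print(f"cost={h.cost} salt={h.salt} digest={h.digest} ({len(h.digest)} chars)")
    # Calibrate on the measured 0.5 s at cost 13 and project to cost 16.
    print(f"cost 16 estimate: {estimate_seconds(13, 0.5, 16):.1f} s")
```

The digest depends on the salt as well as on the input, so a derivation like the one in the post reproduces the same 31 characters only if the same 22-character salt is supplied each time instead of being freshly generated.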