On Dec 26, 2013, at 8:09 PM, Bill Cox wrote: OK, so now we've moved from abstraction to a concrete proposal. And just who would use such a KDF? Tying up 4GB for a second is a very expensive proposition on a server. People have to manage thousands of logins a second, so you're talking about devoting Terabytes of main memory - not disk or SSD - *just to logins*. You've suggested doing the KDF computation on the client. How many clients have 4GB of free memory? I've got a laptop with 8GB of memory. WHen in active use, it never has even 2GB free. Maybe my laptop can do the computation - but it will take a while because it'll have to swap stuff out. (And of course then they'll have to swap it back in.) I see this happen periodically when I've got a bit too much stuff running, and it ain't pretty. Hardly any user would be willing to accept the performance loss. As for portable devices - I'm not sure any of the actually *have* 4GB of RAM in total. And the power costs of pegging the CPU for a second are non-trivial, too. So basically you're writing them all off. The parameters you've suggested basically limit secure communication to someone with the NSA's resources. :-) -- Jerry |