Optimizing use of SSL?

Jouni Malinen j
Thu Feb 3 00:14:52 PST 2011


On Wed, Feb 02, 2011 at 04:05:37PM -0800, Ben Greear wrote:
> Specifically, this method has a pretty mean loop:
> 
> pbkdf2_sha1_f()
> 
> It loops for all iterations, which is passed in as 4096
> by this method below:

> Is it required to do that 4096 times, or is it just higher
> grade encryption that way?  If something lesser would be
> adequate, maybe I can make it a configurable value?

Yes, it needs to run 4096 iterations and this is slow _by design_. IEEE
802.11i does this to make it less feasible to run brute force attacks
against the passphrase-to-PSK functionality.

However, as far as your use case is concerned, there is no reason why
you would need to do that derivation separately for each station using
the same AP or even for doing it for each run. The result you get from
that function is going to be the same every time. Instead of configuring
the passphrase in wpa_supplicant.conf, use wpa_passphrase to derive the
PSK once and then configure the PSK. After that, this function will not
be run at all.

-- 
Jouni Malinen                                            PGP id EFC895FA
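
Added example, not part of the original message and not hostap code: a Python sketch of the passphrase-to-PSK derivation discussed above (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output), run once so the resulting PSK can be placed in the configuration instead of the passphrase. The function names are hypothetical, and the passphrase/SSID pair is the published IEEE 802.11i test vector, used here as sample input.

```python
import hashlib

ITERATIONS = 4096   # fixed by IEEE 802.11i; slow by design
PSK_LEN = 32        # 256-bit PSK


def derive_psk(passphrase: str, ssid: bytes) -> str:
    """Return the WPA/WPA2 PSK as 64 hex digits (hypothetical helper)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    if not 1 <= len(ssid) <= 32:
        raise ValueError("SSID must be 1..32 octets")
    # The SSID is the salt, so the result is identical for every station
    # that joins the same network with the same passphrase.
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid, ITERATIONS, PSK_LEN)
    return psk.hex()


def network_block(ssid: bytes, psk_hex: str) -> str:
    """Build a wpa_supplicant.conf network block carrying the raw PSK.

    An unquoted 64-hex-digit psk is read as the key itself, so no
    derivation happens at startup. The SSID is written in its unquoted
    hex form to avoid any quoting problems.
    """
    if len(psk_hex) != 64 or any(c not in "0123456789abcdef" for c in psk_hex):
        raise ValueError("PSK must be 64 lowercase hex digits")
    return "network={\n\tssid=%s\n\tpsk=%s\n}\n" % (ssid.hex(), psk_hex)


if __name__ == "__main__":
    ssid = b"IEEE"                      # sample SSID (802.11i test vector)
    psk = derive_psk("password", ssid)  # derive once ...
    # ... then reuse the same block for every station on this network.
    # The PSK is as sensitive as the passphrase for this SSID, so the
    # configuration file needs the same protection.
    print(network_block(ssid, psk))
```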


