Optimizing use of SSL?

Ben Greear greearb
Thu Feb 3 10:36:38 PST 2011

On 02/03/2011 12:14 AM, Jouni Malinen wrote:
> On Wed, Feb 02, 2011 at 04:05:37PM -0800, Ben Greear wrote:
>> Specifically, this method has a pretty mean loop:
>> pbkdf2_sha1_f()
>> It loops for all iterations, which is passed in as 4096
>> by this method below:
>> Is it required to do that 4096 times, or is it just higher
>> grade encryption that way?  If something lesser would be
>> adequate, maybe I can make it a configurable value?
> Yes, it needs to run 4096 iterations and this is slow _by design_. IEEE
> 802.11i does this to make it less feasible to run brute force attacks
> against the passphrase-to-PSK functionality.
> However, as far as your use case is concerned, there is no reason why
> you would need to do that derivation separately for each station using
> the same AP or even for doing it for each run. The result you get from
> that function is going to be the same every time. Instead of configuring
> the passphrase in wpa_supplicant.conf, use wpa_passphrase to derive the
> PSK once and then configure the PSK. After that, this function will not
> be run at all.

Thanks to everyone for their replies.  It looks like pre-calculating
the PSK with wpa_passphrase will be perfect for my uses.

And I can confirm that it doesn't work if you change that 4096 to
something smaller :)


Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com
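
The derivation discussed in this thread, as an added example (not code from the original messages or from hostap): the PSK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, so it can be computed once per (passphrase, SSID) pair and reused by every station, and any iteration count other than 4096 yields a different key than the AP derives. The helper names and the sample values "password"/"IEEE" are chosen for illustration.

```python
import hashlib
from functools import lru_cache

ITERATIONS = 4096  # fixed by IEEE 802.11i; AP and station must use the same count
PSK_LEN = 32       # the PSK is 256 bits


def derive_psk(passphrase: str, ssid: bytes, iterations: int = ITERATIONS) -> bytes:
    """Passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1 with the SSID as salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    if not 1 <= len(ssid) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid,
                               iterations, PSK_LEN)


@lru_cache(maxsize=None)
def cached_psk(passphrase: str, ssid: bytes) -> bytes:
    """Derive once per (passphrase, SSID); later stations reuse the result."""
    return derive_psk(passphrase, ssid)


def network_block(ssid: str, psk: bytes) -> str:
    """wpa_supplicant.conf network block carrying the precomputed PSK.

    A 64-hex-digit, unquoted psk= value is taken as the key itself, so the
    4096-iteration loop is skipped. Assumes the SSID contains no '"'.
    """
    return 'network={\n\tssid="%s"\n\tpsk=%s\n}\n' % (ssid, psk.hex())


if __name__ == "__main__":
    ssid, passphrase = "IEEE", "password"  # constructed sample values
    psk = cached_psk(passphrase, ssid.encode())
    for _ in range(100):                   # 100 more "stations": cache hits only
        assert cached_psk(passphrase, ssid.encode()) == psk
    print(network_block(ssid, psk))
    # A reduced iteration count produces a key the AP will not accept.
    print("1024 iterations match:", derive_psk(passphrase, ssid.encode(), 1024) == psk)
```

The hex PSK is equivalent to the passphrase for that SSID, so a configuration file containing it needs the same access restrictions as one containing the passphrase.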
