Quote:
Originally Posted by ixtab
... Testing 1,000,000 different keys takes about 35 seconds - and that is completely unoptimized code, which can certainly be made faster by at least an order of magnitude. ...
That indicates that they did not use enough hashing rounds in their key generation. PBKDF2 key generation started with 1,000 rounds in the old days, but changed to 2,000 rounds when computers got faster, and is now 10,000 rounds in some of the latest implementations. Is Amazon REALLY only using a single round of hashing to generate and test keys? That is badly broken by even very old encryption standards.
They must be relying on the DMCA to protect them, rather than using "REAL" security practices.
It is still a lot faster to crack the DRM using information obtained from an authorized reading device.
EDIT: You did not say how many hash rounds you used in your test. Even if it is more than a single round, testing 1,000,000 keys in 35 seconds may require more rounds for good protection.
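Added example, not part of the original post and not code from either poster or from Amazon: a Python sketch that measures what one PBKDF2 derivation costs at the round counts mentioned above and projects how long 1,000,000 key tests would take on the local machine, for comparison with the quoted 35 seconds. The hash (SHA-256), salt size, sample count and all function names are assumptions chosen for illustration.

```python
import hashlib
import os
import time

QUOTED_KEYS = 1_000_000      # figure from the quoted post
QUOTED_SECONDS = 35          # figure from the quoted post


def seconds_per_guess(iterations, samples=20):
    """Average wall-clock time of one PBKDF2-HMAC-SHA256 derivation."""
    salt = os.urandom(16)    # constructed sample salt
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"candidate-%d" % i, salt, iterations, dklen=32)
    return (time.perf_counter() - start) / samples


def search_time(keys, seconds_each):
    """Single-core time to test every key in a keyspace of the given size."""
    return keys * seconds_each


def project(round_counts, keys=QUOTED_KEYS):
    """Map each round count to the projected seconds needed to test `keys` keys."""
    return {r: search_time(keys, seconds_per_guess(r)) for r in round_counts}


def rounds_for_target(target_seconds_per_guess, probe_iterations=10_000):
    """PBKDF2 cost grows linearly with rounds, so scale one probe measurement."""
    per_round = seconds_per_guess(probe_iterations) / probe_iterations
    return max(1, round(target_seconds_per_guess / per_round))


if __name__ == "__main__":
    quoted_rate = QUOTED_SECONDS / QUOTED_KEYS
    print(f"quoted rate: {quoted_rate * 1e6:.0f} microseconds per key")
    for rounds, total in project([1, 1_000, 2_000, 10_000]).items():
        print(f"{rounds:>6} rounds: {total:>10.1f} s for {QUOTED_KEYS:,} keys")
    # Rounds needed on this machine for each guess to cost 100 ms.
    print("rounds for 100 ms per guess:", rounds_for_target(0.1))
```

The projected totals are for one core running this library; a dedicated cracking setup will be faster, so the numbers are an upper bound on the protection a given round count buys.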