| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 13 Aug 2013 02:11:55 +0000 From: Peter Gutmann <pgut001@...auckland.ac.nz> To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net> Subject: Re: [PHC] The EARWORM password hash Tony Arcieri <bascule@...il.com> writes: >On Mon, Aug 12, 2013 at 6:52 PM, Peter Gutmann <pgut001@...auckland.ac.nz>wrote: > >> Wait until Bitcoin II, using AES, comes out, and the AES brute-force ASICs >> start to appear as they already have for SHA256... > >FWIW, the best contender for "Bitcoin II" is LiteCoin, and it's using scrypt: > >http://coinmarketcap.com/ That makes for an interesting threat model, there's always been an implicit assumption (probably quite justified) that no-one would bother rolling custom hardware to break passwords (spook conspiracies aside). However if the Bitcoin fans are going for systems designed to make brute-forcing hard then it's quite possible that whatever the final design ends up as will be subject to ASIC-based attacks, not for password-cracking but for whateverCoin mining. So assuming attacks using custom hardware isn't off the table any more. Incidentally, here's a short writeup I've done for a book I'm working on that looks at SHA256 brute-forcing as collateral damage in the Bitcoin arms race: -- Snip -- Another situation in which a security mechanism ended up as collateral damage occurred with Bitcoin mining. Mining Bitcoins requires finding a bit string that yields a SHA-256 hash value beginning with a certain number of zero bits. In other words to mine a Bitcoin you need to hash data values until you find one whose hash begins with the given number of zero bits [REF][REF]. To do that you need a means of calculating SHA-256 hashes very quickly. Initially this was done with conventional CPUs. Then the effort moved to GPUs, which due to their massive parallelisability increased throughput dramatically. The next step beyond GPUs was field-programmable gate arrays or FPGAs, a form of programmable hardware that was both faster than GPUs and even more parallelisable. The final step was custom hardware or ASICs, application-specific ICs. Creating an ASIC to perform high-speed hashing would have been economically infeasible before Bitcoins came along, but the ever-increasing value of Bitcoins finally made them viable [REF][REF]. So how do Bitcoin-mining ASICs affect general security? Passwords and encryption keys are often protected using the same hash algorithms that the mining ASICs (and FPGAs and GPUs) are designed to calculate at great speed, so by using the hardware that was designed for Bitcoin mining it's possible to attack hashed passwords with an efficiency that would never have been possible before Bitcoin appeared Footnote: At the moment though all of your passwords are pretty safe since anyone who has an ASIC-based rig is far more interested in mining Bitcoins than cracking passwords. Peter.
Powered by blists - more mailing lists