| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 21 Apr 2014 13:58:49 -0400
From: Bill Cox <waywardgeek@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Best use of ROM in password hashing
Here's another N-way ROM splitting attack, and this one should work for
*any* PHS using ROM, regardless of how much RAM is hashed. The goal is to
decrease the cost of the ROM to the attacker per guessing node while
maintaining good ROM bandwidth per node. An attacker simply splits the ROM
into N pieces, and builds a fast permutation network to route from the N
pieces to say N/2 computation nodes. During any block read loop, most of
the N/2 cores could have lone access to the ROM data they need. The cost
of the permutation network is O(N*log(N)), so N should be chosen to keep
the permutation network's cost well under the cost of N ROMs.
I really don't see any good way to prevent an attacker from making use of
parallel small ROMs and some data routing hardware, so counting on the cost
of the ROM and it's bandwidth limitations as primary deterrents may not
work out well. It doesn't hurt to add those to a defender's array of
defenses, but the primary time*cost is likely to be due to the memory
hashing algorithm. I think Alexander enjoys adding more spikes in his
defense wall, and ROM cost and bandwidth are just two more the attacker
will have to overcome. If I were an attacker looking at a full blown
Yescript (with the enhancements Alexander has mentioned), I'd just throw up
my hands and go hack accounts somewhere else :-)
Bill
Content of type "text/html" skipped
Powered by blists - more mailing lists