| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 14 Sep 2014 17:11:13 -0400 From: Bill Cox <waywardgeek@...hershed.org> To: discussions@...sword-hashing.net Subject: Re: [PHC] PolyPassHash is broken -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/14/2014 03:45 PM, Justin Cappos wrote: > We have some discussion about the points list in our paper > (Sections 5.2.3 and 6 for example). However, I'll be more explicit > and direct here. > > Method 1 >> * get partial hash from DB * find partial hash collision * >> crash/restart server * login >> > > Sure you can do this. Once a threshold is reached, the attack will > be detected because the full password hashes will not match. That > is, unless the attacker is fortunate enough so that the partial > hash collision is the actual full hash / password. I have to agree with Steve that the Partial Validation feature needs work. I was convinced the scheme proposed in the paper was secure until I read that section, which puts security in doubt. Revealing even two bytes of the password hash is dangerous. For example, if there are 4 administrators, and two of them have passwords with only 32 bits of entropy, meaning that they exist in my 4-billion entry dictionary, and if only 2 shares are needed, then without the Partial Verification feature, I still have to try up to 2^64 guesses to find the master key, once I've chosen the right two admin accounts. However, with 16 bits of the hash from two password hashes, in 4*2^32 hashes I can easily build dictionaries for all of them containing only matching hashes, which would be about 2^16 each. I then only need to try 2^32 combinations for each of the 4 possible pairs to find the key. Essentially, what this does is make it just about as easy to attack the database as if PolyPassHash were not in use. In general, I think most admins always want to be able to log in. This is a significant problem for wide-spread adoption of PolyPassHash, without the Partial Verification feature. However, this seems to need work. Bill -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJUFgRuAAoJEAcQZQdOpZUZUNQP/3BwhmbICmXv3Fp+ylnBp0zP zlHKBPiYK65he9anRRI9grMg12euAQX0iwXT2UMaDwct9q7MGuZFfd08b5zb+m6m wDWY8btsyJ8ZNG0t0KIv7YEsDQnPxfGTXccNUaS3JxPUth3s/zvcvYl+XLpS0xli kbg1mLLQTXeQu8cDLFbJPBcYibWhGmQc34aLFCRoaTLEGYh1is1B9bhuBJgjCmwa zR4iIdUj7HsZxW++TJ+ot3WBn6ZrMRXLY3w/0HLpOfWE0aHNVQQW84r9w4cgo3i/ H77J+baVRiLBG1X6PXWnacnXliv5cmvGA1epP/BPFl2QKnmhsp/LVvYX06tjlA2A UCJ2iS1eH9GNCZezExJeEOeD6q9zbsenFFDXoGTDaQWr9syf+xTWStGxUWv1o8Xx wLukKxYlb6MB8H4ZgpUvDGdyxPIZUjmbeNvEyXXDSCUezEOxvITa0so+7P9nbRI7 gc172oNc1YinMqwyFCWanAQf/dhr1bnGw3jS3c4HTAYzi+tTV5IflBSwOmKCa/hT JSBHwi/e0qHI6QWiUU9P2MnrCvKsnp1mlnO4dgPJMrWVWADDWNFxSOSXaiUsmheV y17wzBjdV/lJTPbm2DzvS6R+BaQjAskoGVdakasnturFGKKuUT0NrmOMFmkIfslZ T3TcmYIMs1QwI9SXZFi3 =kk0q -----END PGP SIGNATURE-----
Powered by blists - more mailing lists