| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 14 Sep 2014 07:33:29 -0400 From: Bill Cox <waywardgeek@...hershed.org> To: discussions@...sword-hashing.net Subject: Re: [PHC] Improving Makwa and arguing points for or against -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/14/2014 06:13 AM, Steve Thomas wrote: > I think Makwa has one nice feature: delegation. The fixes needed > are: required pre-hashing, post hashing, and clearing p and q right > after they are generated. Replacing e=2**n with e=65537**n also > require gcd(65537, (p-1)*(q-1))=1. This way you can say it's as > safe as RSA. I guess that's not really necessary since post hashing > is now required. I assume there's some good mathematical reason for 65537, but I can't comment on that. I personally feel pre and post hashing is needed, for similar reasons as you, though it is also impractical to expect random database guys to be happy with a 2048 bit hash when they've been used to much smaller. Imaging editing /etc/passwd with those in it. > Delegation is cool, but I don't see it as something that will be > used in the real world. The only arguing points I see are: is > delegation awesome enough to make it go to the next round, whether > we can force changes to an algorithm, and whether we can prevent > the author from saying "you could keep p and q for fast path". Delegation is cool. Makwa is in it's own category. It's not going to be a PHC winner recommended to replace Scrypt. However, while delegation is not something we can use in existing systems very effectively, it might be key to enabling future security in system we wish we could build. In particular, we don't seem to be able to secure the regular Internet. How are we going to secure the "Internet of Things"? Delegation seems like a great way for any low-end system like your home alarm system to validate your password. Any random low-end thing on the Internet that we want to control remotely is a good candidate for this. I think it would be a shame to drop the only password hashing scheme to ever provide delegation. In comparison, parallel is a great idea - using GPUs for defense - but that is an idea that needs a lot of work, IMO. We need some good GPU guys to write a GPU optimized hashing function. Parallel as it stands is not an entry I would recommend we use as-is. However, as the only GPU defense entry, I think that should also remain in the competition. I'm tracking a group of entries I'm calling "Good ideas" now. It includes Parallel, Makwa, and AntCrypt. Of these three, Makwa is the only one with an implementation close to ready for prime-time, IMO. Bill -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJUFX0FAAoJEAcQZQdOpZUZqmUP/jyXjjQZt7fWNZRK8d4S3K5B BfvrF166H7p6HFgnnQ4MCqk2SQ9ieipZ7rDu+h0mX1wXM1lnaByx7zJO4P/0SBAI GDcL7IiZe47PtkSk/9TZNxnyhlDiJCnVjvWW8bWJfQV38CHWifTuQgYvoLOZKa0Y wpmEUBylPZoMzlJnICTHmBYRvhQHl1/KMHhcf56RbDzUi4Msftl3dEG8xPveRAkJ yX3Eq7bnK+GCAJKhtBCnYAYuW93jlowSx+478qIxEOg1NulDvrJ1uhmCAu3BkFq6 vagd2hWEOmJOD4qZ/td1t3HKD2eJCD8lQnOLHB1JXwZFfKMMWLvuQWF517G6zrA5 KFaz30rleMExvuJN/nFhpWUGGFNbGKfTKXK0cUO7RmEUCM1rPonfkpohTLcVIeRb 4DM1tpWPEbYCcxXWJCtVb8i85TSR6cWFhZWqtCCj9+lfMobXE/yquj3ZEpdsm58d OzmE0sy+vbVh2+n0jFy+47TokzThfi8o6g0UubThc+6O5s82qsj8F5zgyAwZWlP8 pKeqruTGuacnr3hiVij5MTmXrKoy2gQs5Pl8w7h+M+icMB79ccbnCru9pFKoyFhH QNUVmfumKAQA8Tqi/kzS91oQbyq/GPrx7Vrnv2ENTXoHR0geiWpALL4cbvcnNkdg QyRAaoK9QjZNIfV2BSBF =eLSv -----END PGP SIGNATURE-----
Powered by blists - more mailing lists