lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 4 May 2015 20:25:15 +0300
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Maximising Pseudo-Entropy versus resistance to Side-Channel Attacks

On Mon, May 04, 2015 at 08:09:38PM +0300, Solar Designer wrote:
> On Mon, May 04, 2015 at 02:37:48PM +0200, Stefan.Lucks@...-weimar.de wrote:
> > Having spent much of my academic life on performing cryptanalysis, i.e., 
> > on attacking schemes, the idea to rely on the randomness of the salt 
> > doesn't quite convince me, though.
> 
> I just recalled an earlier discussion in here where Christian Forler
> felt it was OK for Catena to absolutely rely on salt uniqueness for a
> feature, and I felt otherwise:
> 
> http://thread.gmane.org/gmane.comp.security.phc/612/focus=659
> 
> While uniqueness isn't randomness, the similarity is in strong reliance
> on a property of the salts.
> 
> I think this shows my pragmatism.  When this kind of reliance isn't
> absolutely required for a security feature (there was another way to
> specify the feature in question), I am against it.  When there's a
> tradeoff between a not-yet-practically-relevant weakness and a currently
> practically relevant one, I may well choose to accept the former and
> mitigate the latter.
> 
> Arguably, this also shows Catena team's inconsistency. ;-)  If it's so
> bad to rely on some historically not assumed property of salts (e.g.,
> with crypt()'s 12-bit salts occasional collisions were assumed), then
> just don't, for anything.

Oh, I just took a look at the actual code in Catena, and I see that
there's "uint64_t uuid" separate from the salt.  So at least this
reliance is made clear.  OK.

Alexander

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ