| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 15 Aug 2015 11:23:11 -0400 From: Jeremy Spilman <jeremy@...link.co> To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net> Subject: Re: [PHC] Passwords15 BSidesLV talks A question I wanted to ask at the talk but didn't get the chance... I guess with Encrypt-then-MAC an attacker can still just check the MAC but that would involve; a) calculating the MAC key, which is typically chained off the encryption key possibly with additional work factor b) streaming the entire cipher text through the hash function Whether this is faster than skipping the MAC key derivation and hash step and going straight to decrypting the entire ciphertext and applying the ANT I guess could vary. But in any case it's a better lower bound than decrypting just one block. Is that right? > On Aug 14, 2015, at 2:40 PM, Jeffrey Goldberg <jeffrey@...dmark.org> wrote: > >> On 2015-08-13, at 4:49 PM, Greg Zaverucha <gregz@...rosoft.com> wrote: >> >> Thanks Alexander! >> For folks on this list who are interested and familiar with crypto, it may be faster to look at my tech report explaining the idea >> http://research.microsoft.com/apps/pubs/default.aspx?id=252097 > > Thanks. > > As I said then. This is one of those really cool ideas that makes perfect sense once someone actually points it out. I’ve always been bothered by the fact that an attacker may just need to decrypt a single block or check a MAC while the defender needs to decrypt the whole thing, but I never really thought about doing anything about it. So thanks again. > > Cheers, > > -j
Powered by blists - more mailing lists