lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 16 Feb 2013 12:31:45 +0100
From: Patrick Mylund Nielsen <patrick@...rickmylund.com>
To: Jens Steube <jens.steube@...il.com>
Cc: discussions@...sword-hashing.net
Subject: Re: [PHC] Different cost settings and optional input

Agree on the first point. On the second point, I think he is suggesting
that you would have to save some of the initial input, but there is no
reason that you wouldn't be able to apply the hypothetical construction to
its own output to increase the required work per verification (similar to
how some developers are currently upgrading MD5(pwd) to bcrypt(MD5(pwd)) to
increase cost without requiring users to log in.)


On Sat, Feb 16, 2013 at 12:22 PM, Jens Steube <jens.steube@...il.com> wrote:

> Hey Guys,
>
> even if gat3way's (coder of hashkill) comments were written in a way
> so that they sound like a joke they should be taken seriously.
>
> If you missed them, here they are:
>
> > 09:29:30 gat3way | Hey are you sure about that criterion:
> > 09:29:32 gat3way | "Ability to transform an existing hash to a different
> cost setting without knowledge of the password."
> > 09:29:52 gat3way | assuming that was possible, it means I can change
> cost to 1 then attack the hash :)
> > 09:39:47 jchillerup | i think it implies transforming it into only
> *more* expensive versions
> > 09:40:02 jchillerup | Otherwise it wouldn't make sense :)
>
> Of course, jchillerup is right. I think we should update the CFS to
> make that clear. In a world full of wrong or partially wrong
> information troublemaker can simply abuse this lack of clarity to
> create an Illusion of a weakness in the PHC hash. Such an Illusion can
> easily cost its credibility.
>
> > 09:45:02 gat3way | Is it allowed to rely on a secret parameter other
> than the password then?
> > 09:45:36 gat3way | otherwise I am afraid such requirement would very
> likely inherently weaken security
>
> I am not sure what his concern is about. I think it is the following:
> We allow the use of a "optional input":
>
> > Other optional inputs include local parameters such as a personalization
> string, a secret key, or any application-specific parameter.
>
> It is possible that a coder who is using the PHC hash in his
> applications misuse such an optional parameter intenionally or
> unintenionally. For example by storing the entire plaintext or parts
> into it. At least we should write a note about not doing that or even
> better completly not allow the use of an optional parameter.
>
> --
> Jens
>

Content of type "text/html" skipped

Powered by blists - more mailing lists