lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 13 Aug 2013 02:11:55 +0000
From: Peter Gutmann <pgut001@...auckland.ac.nz>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] The EARWORM password hash

Tony Arcieri <bascule@...il.com> writes:
>On Mon, Aug 12, 2013 at 6:52 PM, Peter Gutmann <pgut001@...auckland.ac.nz>wrote:
>
>> Wait until Bitcoin II, using AES, comes out, and the AES brute-force ASICs
>>  start to appear as they already have for SHA256...
>
>FWIW, the best contender for "Bitcoin II" is LiteCoin, and it's using scrypt:
>
>http://coinmarketcap.com/

That makes for an interesting threat model, there's always been an implicit
assumption (probably quite justified) that no-one would bother rolling custom
hardware to break passwords (spook conspiracies aside).  However if the
Bitcoin fans are going for systems designed to make brute-forcing hard then
it's quite possible that whatever the final design ends up as will be subject
to ASIC-based attacks, not for password-cracking but for whateverCoin mining.
So assuming attacks using custom hardware isn't off the table any more.

Incidentally, here's a short writeup I've done for a book I'm working on that
looks at SHA256 brute-forcing as collateral damage in the Bitcoin arms race:

-- Snip --

Another situation in which a security mechanism ended up as collateral damage
occurred with Bitcoin mining.  Mining Bitcoins requires finding a bit string
that yields a SHA-256 hash value beginning with a certain number of zero bits.
In other words to mine a Bitcoin you need to hash data values until you find
one whose hash begins with the given number of zero bits [REF][REF].  To do
that you need a means of calculating SHA-256 hashes very quickly.  Initially
this was done with conventional CPUs.  Then the effort moved to GPUs, which
due to their massive parallelisability increased throughput dramatically.  The
next step beyond GPUs was field-programmable gate arrays or FPGAs, a form of
programmable hardware that was both faster than GPUs and even more
parallelisable.

The final step was custom hardware or ASICs, application-specific ICs.
Creating an ASIC to perform high-speed hashing would have been economically
infeasible before Bitcoins came along, but the ever-increasing value of
Bitcoins finally made them viable [REF][REF].

So how do Bitcoin-mining ASICs affect general security?  Passwords and
encryption keys are often protected using the same hash algorithms that the
mining ASICs (and FPGAs and GPUs) are designed to calculate at great speed, so
by using the hardware that was designed for Bitcoin mining it's possible to
attack hashed passwords with an efficiency that would never have been possible
before Bitcoin appeared

Footnote: At the moment though all of your passwords are pretty safe since
anyone who has an ASIC-based rig is far more interested in mining Bitcoins
than cracking passwords.

Peter.

Powered by blists - more mailing lists