lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 6 Sep 2013 22:42:40 -0700
From: Tony Arcieri <bascule@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Terminology goals

On Tue, Aug 20, 2013 at 1:14 PM, Marsh Ray <maray@...rosoft.com> wrote:

>  Since an authentication scheme for password-based credentials has a
> subtly different set of security properties than general hashing, message
> digesting, MACing, and even key derivation, we should strongly consider
> giving it a different name. The values derived from the generate function.
> For example, we could call it a “pash function” or “pash values”, which you
> could think of as “Password Authentication ScHeme” or just “Password Hash”.
>

I wonder if tying these type of functions to passwords at all is misguided.
"Password hashing functions" have uses outside of passwords. They're useful
for any system where you want to survive the compromise of a PRG which
deterministically acts on some type of low-entropy data (but takes a key,
or "salt", of course)

What about calling them slow hashes?

--
Tony Arcieri

Content of type "text/html" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ