lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 18 Sep 2013 19:25:29 +0000
From: Marsh Ray <maray@...rosoft.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: RE: [PHC] further limitation: not writing secret to memory

> From: Krisztián Pintér [mailto:pinterkr@...il.com]
> Sent: Wednesday, September 18, 2013 11:49 AM
> Subject: Re: [PHC] further limitation: not writing secret to memory
> 
> Steve Thomas (at Wednesday, September 18, 2013, 7:58:25 PM):
> > I'm pretty sure page locked memory [...] never gets written to swap.
> 
> on a windows box, there are multiple ways of telling the OS not to swap a
> memory block. but neither of those guarantees anything. i'm not a linux guy,
> but as i'm informed, you can't do that ony linux either.

I expect both OSes have ways of allocating non-paged memory. But bad things^TM will happen if you use too much of it.

These PHC algorithms will need to be tunable to consume lots of memory. Even worse, once the credentials have been stored its parameters will no longer be tunable.

+1 on encrypting the address bus, although doing this in such a way that doesn't put the defender at a disadvantage presents a challenge.

- Marsh

Powered by blists - more mailing lists