Message-ID: <alpine.DEB.2.10.1312101922530.9087@debian>
Date: Tue, 10 Dec 2013 19:33:49 +0100 (CET)
From: Stefan.Lucks@...-weimar.de
To: discussions@...sword-hashing.net
Subject: Re: [PHC] blakerypt sequential memory-hard function
>> https://crypto.stanford.edu/~xb/security07/index.html
>
>
> that is very interesting with two remarks:
>
> 1. this design uses indexing on secret. also, i'm not exactly a math
> person, but it appears to me that it is essential to the proof. if i'm
> not mistaken, basically it is a walk based on the secret, without
> which you "get lost in the forest". i wonder if you can circumvent
> this limitation.
Well, theoretically you get two additional bits of security, no more. That
is quite marginal.
However, in the context of this discussion, it is a natural way to
implicitly "tweak" the security parameter: When the user chooses a
password, the password hash iterates until the user presses Ctrl-C (or
whatever) to stop the iteration.
> 2. though a good initiative, its benefits are not as huge as it first
> seems. we can't expect users to be very sophisticated with their
> choice of parameters.
That is exactly the benefit of Boyen's paper. The user doesn't set a
parameter, the user waits as long as she is willing to wait, and then
stops.
> to be user friendly, you probably want to offer
> some preset values, and not just run-till-stopped.
Why do you think some preset values, chosen by whomever, are more user
friendly than the implicit choice of the parameters by letting the
password hash run until it feels "long enough"?
From my point of view, the main benefit of that scheme is that the real
time the user experiences is a lot more meaningful (for the inexperienced
user) than any number of iterations, preset choices or not.
> [...] it is also easy
> to listen in on an authentication session, and measure the timing.
Agreed! The two bits of theoretical extra security are hardly worth the
effort, the improved user friendliness might be.
A disadvantage is, of course, that the scheme is all about the time, and
not the memory usage.
------ I love the taste of Cryptanalysis in the morning! ------
<http://www.uni-weimar.de/cms/medien/mediensicherheit/home.html>
--Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universität Weimar, Germany--
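
Added example, not part of the original message and not the construction from Boyen's paper: a simplified, time-only sketch of the run-until-stopped idea discussed above. The SHA-256 chain, the function names and the should_stop callback (standing in for the user's Ctrl-C) are assumptions; the iteration count is never stored, so derivation iterates until the check value matches or the caller gives up.

```python
import hashlib
import hmac
import os


def _tagged(tag: bytes, salt: bytes, data: bytes) -> bytes:
    # Domain-separated SHA-256 so chain state, check value and key never coincide.
    return hashlib.sha256(tag + b"|" + salt + b"|" + data).digest()


def enroll(password: bytes, should_stop, salt: bytes = None):
    """Iterate until should_stop(i) is true; return (salt, check, key).

    should_stop is a hypothetical stand-in for the user interrupting the run.
    The number of iterations is deliberately not part of the stored record.
    """
    salt = salt if salt is not None else os.urandom(16)
    state = _tagged(b"init", salt, password)
    i = 0
    while True:
        state = _tagged(b"iter", salt, state)
        i += 1
        if should_stop(i):
            break
    return salt, _tagged(b"check", salt, state), _tagged(b"key", salt, state)


def derive(password: bytes, salt: bytes, check: bytes, give_up_after: int):
    """Re-run the chain until the check value matches.

    Returns (key, iterations) on success. A wrong password never halts on its
    own, so the caller bounds the work and gets (None, give_up_after) back.
    """
    state = _tagged(b"init", salt, password)
    for i in range(1, give_up_after + 1):
        state = _tagged(b"iter", salt, state)
        if hmac.compare_digest(_tagged(b"check", salt, state), check):
            return _tagged(b"key", salt, state), i
    return None, give_up_after


if __name__ == "__main__":
    # Constructed sample: "the user" stops after 20000 iterations.
    salt, check, key = enroll(b"correct horse", lambda i: i >= 20000)
    print(derive(b"correct horse", salt, check, 100000)[1])  # halts at enrolment count
    print(derive(b"wrong guess", salt, check, 100000)[0])    # no halt within the bound
```

In an interactive tool, should_stop could compare a clock against a deadline or be replaced by a KeyboardInterrupt handler.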