| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2751.1389256327@critter.freebsd.dk>
Date: Thu, 09 Jan 2014 08:32:07 +0000
From: "Poul-Henning Kamp" <phk@....freebsd.dk>
To: discussions@...sword-hashing.net, Bill Cox <waywardgeek@...il.com>
Subject: Re: [PHC] A final cheat killer pass with smoke
In message <CAOLP8p7id+0+o5pArhYSKL6Hx1VuUhNOJ3R9EG5_wkJ5O4_X1A@...l.gmail.com>
, Bill Cox writes:
>--001a11c2aa6a36e0f704ef7fa399
>Content-Type: text/plain; charset=ISO-8859-1
>
>That's what the "smoke" is for. If all an attacker has access to is cache
>miss timing, then simply randomizing the order of of memory access would
>make it virtually impossible to gain information from the timing.
Can I mention another thing which bugs me, now that I've got started ?
The word "random" is not in our dictionary.
We have three parts to work with:
The password, which contains entropy, but which is not random, certainly
not from invocation to invocation.
Salt(s), that can be random, or more likely least pseudo-random,
but we should assume that the attacker knows it.
The algorithm, which is deterministic[1], and which the attacker also
know -- and can optimize.
Please use the word "random" sparesly, most of the time it is unwarranted.
Poul-Henning
[1] I'm personally willing to entertain probablistic algorithms,
but I can't speak for everybody else.
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@...eBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Powered by blists - more mailing lists