lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 13 Jan 2014 18:24:40 +0100
From: Christian Forler <christian.forler@...-weimar.de>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Scripting memory (not so) high vs Catena in PHP (with optimizations)

On 13.01.2014 11:55, Solar Designer wrote:

>>> I think the side-channels issue may be mitigated by combining both
>>> approaches: switching to the risky secret-dependent indexing at some
>>> point during hash computation, so that the impact of a potential
>>> early-reject (possible after side-channel monitoring) is fairly low.
>>
>> This is OK until you upgrade your hashes then it will do the secret-dependent
>> indexing throwout.
> 
> Then it will start the secret-dependent indexing _relatively_ earlier,
> but that's at the same time as pre-upgrade in absolute terms.
> 
> I think this is just one of many issues/drawbacks with supporting and
> using hash upgrades.  Another/worse drawback is that area-time cost for
> upgraded hashes is lower than it can be for same-duration new hashes.

> The hash upgrading idea would have been great in 1990s, when we were not
> trying to use much memory.  These days, it is not as great.  (Yet I had
> it on my slides from PHDays 2012 and later.)

I respectfully disagree. :-)

Thanks to Moore's law you have to upgrade your security parameters at
some point in the future (Just compare a Amiga 2000 vs current COTS PC).

Without CI-updates, todays password hashes will become easy prey for
future (say 2030) state-of-the-art password-cracking frameworks. It is a
common wisdom that from time to time security parameters has to be updated

Do you really recommend use todays security parameters in a world where
computers have both 2^10 times more memory and computational power?

The problem of inactive users will not vanish, and I think the PHC
candidates should address this issue. :-)


Best regards,
Christian




Download attachment "signature.asc" of type "application/pgp-signature" (535 bytes)

Powered by blists - more mailing lists