lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 18 Jan 2014 15:03:37 -0500
From: Bill Cox <>
Subject: Re: [PHC] Native server relief support for password hashing in browsers

On Sat, Jan 18, 2014 at 2:44 PM, Tony Arcieri <> wrote:
> I suggested to Brendan Eich (via Twitter) that browsers directly implement
> server relief for password hashing functions:
> I think it'd be pretty cool if that happened!

I agree.  One thing I haven't figured out is how to do Blakerypt style
session key protection with server relief.  A Blakerypt session key is
a secret associated with the password which is decrypted with a secret
master key on the server.  So long as it remains a secret, off-line
brute-force attacks become impractical.  It's an awesome extra level
of protection for servers that implement it.  The problem is how can
we keep the session key secret if we broadcast it to clients?  I
suspect this is solvable...


Powered by blists - more mailing lists