lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 20 Jan 2014 11:37:40 +0100
From: Christian Forler <christian.forler@...-weimar.de>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Native server relief support for password hashing in browsers

On 19.01.2014 18:43, Bill Cox wrote:
[...]
> Does Catena have an option for something like Blakerypt's session
> keys?  If the password is first hashed with a "session key", and the
> attacker doesn't know the session key, brute force attacks become
> impractical, even with leaked early memory and cache timing
> information.  I'd hate to see such defense dropped from the
> competition.  Maybe it's already in use all over, but as I said, I'm a
> password hashing noob.  I simply don't know.  It just seems like a
> great defense for servers.

I'm not familiar with the Blakerypt's session key approach.
Catena supports "Keyed Password Hashing". (see
http://eprint.iacr.org/2013/525.pdf Section 4 page 8) where password
hash is encrypted by the (IND-CPA) secure AES-CTR mode. For the sake of
of simplification, it is likely that we switch to Blake2b-CTR encryption.

IF you are capable of protecting the secret key (e.g., using secure
storage), your are super fine since an adversary have to break AES to
recover your user passwords.

I doubt that this solution is fine for the vast majority of systems with
the key will be stored "together" with the password hashes.

IMHO we can assume that an adversary that has access to your password
hashes has also access to your key.

Best regards,
Christian





Download attachment "signature.asc" of type "application/pgp-signature" (535 bytes)

Powered by blists - more mailing lists