Message-ID: <52DCFC74.5050701@uni-weimar.de>
Date: Mon, 20 Jan 2014 11:37:40 +0100
From: Christian Forler <christian.forler@...-weimar.de>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Native server relief support for password hashing in browsers
On 19.01.2014 18:43, Bill Cox wrote:
[...]
> Does Catena have an option for something like Blakerypt's session
> keys? If the password is first hashed with a "session key", and the
> attacker doesn't know the session key, brute force attacks become
> impractical, even with leaked early memory and cache timing
> information. I'd hate to see such defense dropped from the
> competition. Maybe it's already in use all over, but as I said, I'm a
> password hashing noob. I simply don't know. It just seems like a
> great defense for servers.
I'm not familiar with Blakerypt's session key approach.
Catena supports "Keyed Password Hashing" (see
http://eprint.iacr.org/2013/525.pdf, Section 4, page 8), where the password
hash is encrypted by the (IND-CPA secure) AES-CTR mode. For the sake of
simplification, it is likely that we switch to Blake2b-CTR encryption.
If you are capable of protecting the secret key (e.g., using secure
storage), you are super fine, since an adversary has to break AES to
recover your user passwords.
I doubt that this solution is fine for the vast majority of systems where
the key will be stored "together" with the password hashes.
IMHO we can assume that an adversary that has access to your password
hashes has also access to your key.
Best regards,
Christian
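The keyed password hashing scheme the message describes (a slow password hash, then encrypted under a server-side key in a counter mode), as an added illustration that is not Catena's code or the paper's exact construction: the password-hash function, the Blake2b-CTR layout, record format and the `rekey` helper are assumptions made here. It also shows one consequence of encrypting the hash rather than mixing the key into it: the server can rotate the key without knowing any password.

```python
import hashlib
import hmac
import os

# Constructed illustration of "keyed password hashing": the stored value is an
# encryption of the password hash under a server-side secret key. Without that
# key, a leaked record cannot be used to test password guesses at all.


def password_hash(password: bytes, salt: bytes) -> bytes:
    # Stand-in for a memory-hard function such as Catena (assumption: PBKDF2
    # is used here only because it is in the standard library; it is not memory-hard).
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000, dklen=32)


def blake2b_ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter mode built from keyed Blake2b (assumed layout, not Catena's spec):
    # keystream block i = Blake2b(key, nonce || i). XOR is its own inverse,
    # so the same call both encrypts and decrypts.
    out = bytearray()
    for block_index, start in enumerate(range(0, len(data), 64)):
        ctr = nonce + block_index.to_bytes(8, "big")
        stream = hashlib.blake2b(ctr, key=key, digest_size=64).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 64], stream))
    return bytes(out)


def enroll(password: bytes, server_key: bytes) -> dict:
    # Store salt and nonce in the clear; only the encrypted hash is secret.
    salt, nonce = os.urandom(16), os.urandom(16)
    ct = blake2b_ctr(server_key, nonce, password_hash(password, salt))
    return {"salt": salt, "nonce": nonce, "ct": ct}


def verify(password: bytes, record: dict, server_key: bytes) -> bool:
    # Decrypt the stored hash with the server key, then compare in constant time.
    stored = blake2b_ctr(server_key, record["nonce"], record["ct"])
    return hmac.compare_digest(stored, password_hash(password, record["salt"]))


def rekey(record: dict, old_key: bytes, new_key: bytes) -> dict:
    # Because the stored value is an encryption of the hash, the key can be
    # rotated offline: decrypt under the old key, re-encrypt under the new one.
    h = blake2b_ctr(old_key, record["nonce"], record["ct"])
    nonce = os.urandom(16)
    return {"salt": record["salt"], "nonce": nonce, "ct": blake2b_ctr(new_key, nonce, h)}
```

The defensive value depends entirely on keeping `server_key` out of the database that holds the records, which is the point the message makes.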