Open Source and information security mailing list archives
Date: Fri, 24 Jan 2014 15:22:56 +0000
From: Peter Maxwell <>
Subject: Re: [PHC] cache timing attacks (Re: [PHC] Initial multiply-compute-hardened Catena-3 benchmark)

On 24 January 2014 09:46, <> wrote:

> On Fri, 24 Jan 2014, Solar Designer wrote:
>> If this corresponds to a substantial portion of the full hash
>> computation, then that attacker hasn't gained all that much - only a
>> speedup of their offline attack by a certain factor, which we may try to
>> make reasonably small.
> Agreed, the speed-up by knowing the memory-access pattern is low, if you
> just count the clock cycles. For scrypt, the speed-up would be about two.
> But you seem to overlook a crucial point.
> Once you know the memory access pattern, one can sort out wrong password
> candidates almost *memoryless*. Thus, the attacker can run the attack on a
> memory-constrained massively parallel hardware (e.g., run on a GPU with
> thousands of cores, using only the L1 caches) -- completely defeating the
> entire purpose of using a memory-intense password-hash function!
Unless I've missed something important, surely that is only if the attacker
has both the collection of hashes+salts *and* continuing access to the
compromised host?  In that scenario, is it not likely that the attacker can
also observe plaintext password attempts too?
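As an added illustration of the point quoted above (example code, not part of the thread), here is a toy scrypt-style construction in Python: with state-dependent indexing the phase-2 memory access trace is password-specific and its first index can be recomputed with O(1) memory, whereas with a fixed, password-independent index order (the Catena approach) every candidate produces the same trace, so an observed access pattern carries no information about the password. MEM_WORDS, toy_romix and the SHA-256 chaining are constructed for this example and are far smaller and simpler than real scrypt.

```python
import hashlib

MEM_WORDS = 16          # toy memory size (real scrypt uses tens of thousands of blocks)

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def toy_romix(password: bytes, data_dependent: bool):
    """Toy scrypt-style ROMix. Returns (tag, trace) where trace is the sequence
    of memory indices read in phase 2, i.e. what a cache-timing observer sees."""
    x = h(password)
    v = []
    for _ in range(MEM_WORDS):          # phase 1: V[i] = H^i(password)
        v.append(x)
        x = h(x)
    trace = []
    for i in range(MEM_WORDS):          # phase 2: read V at chosen indices
        if data_dependent:              # scrypt style: index derived from running state
            j = int.from_bytes(x[:4], "little") % MEM_WORDS
        else:                           # Catena style: fixed order, independent of password
            j = MEM_WORDS - 1 - i
        trace.append(j)
        x = h(x + v[j])
    return x, trace

def first_index_memoryless(password: bytes) -> int:
    """First phase-2 index of the data-dependent variant, recomputed without
    storing V: it depends only on H^MEM_WORDS(password), so a candidate whose
    index disagrees with an observed trace can be rejected with O(1) memory."""
    x = h(password)
    for _ in range(MEM_WORDS):
        x = h(x)
    return int.from_bytes(x[:4], "little") % MEM_WORDS

def distinct_traces(candidates, data_dependent: bool) -> int:
    """Number of distinct traces a candidate set produces. 1 means the access
    pattern reveals nothing about which candidate is the real password."""
    return len({tuple(toy_romix(c, data_dependent)[1]) for c in candidates})

if __name__ == "__main__":
    cands = [b"hunter2", b"correct horse", b"password1", b"letmein"]  # constructed
    print("data-independent traces:", distinct_traces(cands, False))  # 1
    print("data-dependent traces:  ", distinct_traces(cands, True))   # 4
```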

