Message-ID: <CA+aY-u63jh_fehk6OkrxwHrEJw9D7SN3T5DR0Ow7Wrxs7uFH8g@mail.gmail.com>
Date: Fri, 24 Jan 2014 15:22:56 +0000
From: Peter Maxwell <peter@...icient.co.uk>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] cache timing attacks (Re: [PHC] Initial multiply-compute-hardened Catena-3 benchmark)
On 24 January 2014 09:46, <Stefan.Lucks@...-weimar.de> wrote:
> On Fri, 24 Jan 2014, Solar Designer wrote:
>
>> If this corresponds to a substantial portion of the full hash
>> computation, then that attacker hasn't gained all that much - only a
>> speedup of their offline attack by a certain factor, which we may try to
>> make reasonably small.
>>
>
> Agreed, the speed-up by knowing the memory-access pattern is low, if you
> just count the clock cycles. For scrypt, the speed-up would be about two.
> But you seem to overlook a crucial point.
>
> Once you know the memory access pattern, one can sort out wrong password
> candidates almost *memoryless*. Thus, the attacker can run the attack on a
> memory-constrained massively parallel hardware (e.g., run on a GPU with
> thousands of cores, using only the L1 caches) -- completely defeating the
> entire purpose of using a memory-intense password-hash function!
>
>
Unless I've missed something important, surely that is only if the attacker
has both the collection of hashes+salts *and* continuing access to the
compromised host? In that scenario, is it not likely that the attacker can
also observe plaintext password attempts too?