Message-ID: <CA+aY-u5oLEidFELjyYsKrUtX6K-XMj31OvOKXk17oBh+Ad-u0g@mail.gmail.com>
Date: Mon, 27 Jan 2014 17:57:47 +0000
From: Peter Maxwell <peter@...icient.co.uk>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Opinions sought on whether a specific side-channel leakage is ok.
On 27 January 2014 15:39, Alexandre Anzala-Yamajako <anzalaya@...il.com> wrote:
> Even though the trick is neat I would personally be against such an
> exploitable side channel.
> Not everybody is going to use your scheme and people like to reuse
> passwords across different website which means that your scheme allows me
> to check the expected complexity of the password of a given user on another
> website.
> Am I wrong here?
Eh, sort of. In the model I'd outlined, an adversary can only determine
p_r, which sits between p_min and p_max, i.e. a range (which could actually
be rather large). Unless the attacker has compromised the system, they
also don't know the distribution used, which could potentially vary between
systems.

Assuming an attacker does gain a good idea of p_r and that the interval
[p_min,p_max] has been configured to be narrow then it doesn't give an
attacker much advantage for that *specific* password on another system:
either the password is of low entropy in which case the attacker's
application level brute force strategy is unchanged, or the password is of
high entropy in which case the attacker cannot brute force at the
application level anyway. The advantage an attacker may get is if he has
complexity measurements for many accounts and knows which accounts have the
lower complexity passwords. Note though, that this requires observing live
login attempts over a period of time; if only the password hashes were
compromised - which seems to be our main threat model - it wouldn't leak
the complexity information and would make the attacker's job much harder.
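The argument above (a narrow [p_min, p_max] leaves the attacker little to learn about any one password, while measurements over many accounts let him pick the weak ones first) can be made concrete with a small simulation. The following is an added example, not code from the thread or from Peter Maxwell's proposal, and the thread does not specify how p_r is derived, so the model is hypothetical throughout: a password's "complexity" is an entropy estimate in bits, the server maps it monotonically onto an integer work parameter p_r in [p_min, p_max] (weaker password, larger p_r), optionally adds a site-specific random offset the attacker does not know, and an attacker watching live logins observes p_r per account and tries the accounts with the largest p_r first. The account list and entropy values are constructed for the example.

```python
"""
Toy model of the password-complexity side channel discussed above.

Added illustration, not the scheme from the thread. Hypothetical details:
the server estimates a password's entropy in bits, maps that estimate
monotonically onto an integer work parameter p_r in [p_min, p_max] (weaker
password -> larger p_r), optionally adds site-specific noise the attacker
does not know, and an attacker who can time live logins learns p_r for each
account and ranks accounts by it.
"""
import random
from itertools import groupby


def assign_p_r(entropy_bits, p_min, p_max, noise=0.0, rng=None):
    """Hypothetical mapping from an entropy estimate to the work parameter.

    The estimate is clamped to [0, 64] bits and scaled so that 0 bits gives
    p_max and >= 64 bits gives p_min, then rounded to an integer (think of a
    log2 cost). `noise` is the half-width of a uniform site-specific offset.
    """
    frac = 1.0 - min(max(entropy_bits, 0.0), 64.0) / 64.0
    value = p_min + (p_max - p_min) * frac
    if noise and rng is not None:
        value += rng.uniform(-noise, noise)
    return int(round(min(max(value, p_min), p_max)))


def observe(accounts, p_min, p_max, noise=0.0, seed=0):
    """What the attacker learns from timing live logins: {name: p_r}."""
    rng = random.Random(seed)
    return {name: assign_p_r(bits, p_min, p_max, noise, rng)
            for name, bits in accounts}


def expected_weak_in_top_k(accounts, observed, k, weak_below=30.0):
    """Expected fraction of genuinely weak passwords among the k accounts the
    attacker would try first when ranking by observed p_r (largest first).

    Accounts with equal p_r are indistinguishable to him, so a tie group that
    is only partly used contributes its weak fraction proportionally instead
    of relying on an arbitrary sort order.
    """
    truth = dict(accounts)
    ranked = sorted(observed.items(), key=lambda kv: -kv[1])
    need, hits = k, 0.0
    for _, group in groupby(ranked, key=lambda kv: kv[1]):
        names = [name for name, _ in group]
        weak = sum(1 for n in names if truth[n] < weak_below)
        take = min(need, len(names))
        hits += weak * take / len(names)
        need -= take
        if need == 0:
            break
    return hits / k


# Constructed ground truth: 12 accounts with hypothetical entropy estimates.
ACCOUNTS = [(f"user{i:02d}", bits) for i, bits in
            enumerate([12, 18, 22, 28, 35, 40, 45, 50, 55, 60, 70, 80])]
WEAK = sum(1 for _, b in ACCOUNTS if b < 30)   # the 4 accounts worth attacking


def base_rate():
    """Hit rate when picking accounts at random, i.e. with no side channel."""
    return WEAK / len(ACCOUNTS)


def advantage(p_min, p_max, noise=0.0, seed=0):
    """Precision of the attacker's first WEAK picks for a given configuration."""
    obs = observe(ACCOUNTS, p_min, p_max, noise, seed)
    return expected_weak_in_top_k(ACCOUNTS, obs, WEAK)


if __name__ == "__main__":
    print(f"random guessing:             {base_rate():.3f}")
    print(f"wide interval   [10, 20]:    {advantage(10, 20):.3f}")
    print(f"narrow interval [14, 16]:    {advantage(14, 16):.3f}")
    print(f"narrow + unknown site noise: {advantage(14, 16, noise=1.0, seed=7):.3f}")
    print(f"no leakage, p_min == p_max:  {advantage(15, 15):.3f}")
```

With the wide interval every account lands on a distinct or nearly distinct p_r and the attacker's first four picks are exactly the four weak accounts; with the narrow interval most accounts collapse onto the same p_r and his precision drops part of the way back towards random guessing; with p_min == p_max there is nothing to observe and it equals the base rate. The site-specific noise case shows why the attacker's estimate of p_r gets worse when, as the message says, he does not know the distribution a given system uses.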