lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 27 Jan 2014 17:57:47 +0000
From: Peter Maxwell <peter@...icient.co.uk>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Opinions sought on whether a specific side-channel leakage
 is ok.

On 27 January 2014 15:39, Alexandre Anzala-Yamajako <anzalaya@...il.com>wrote:

> Even though the trick is neat I would personally be against such an
> exploitable side channel.
> Not everybody is going to use your scheme and people like to reuse
> passwords across different website which means that your scheme allows me
> to check the expected complexity of the password of a given user on another
> website.
> Am i wrong here ?
>
>
Eh, sort of.  In the model I'd outlined, an adversary can only determine
p_r, which sits between p_min and p_max, i.e. a range (which could actually
be rather large).  Unless the attacker has compromised the system, they
also don't know the distribution used, which could potentially vary between
systems.

Assuming an attacker does gain a good idea of p_r and that the interval
[p_min,p_max] has been configured to be narrow then it doesn't give an
attacker much advantage for that *specific* password on another system:
either the password is of low entropy in which case the attacker's
application level brute force strategy is unchanged, or the password is of
high entropy in which case the attacker cannot brute force at the
application level anyway.  The advantage an attacker may get is if he has
complexity measurements for many accounts and knows which accounts have the
lower complexity passwords.  Note though, that this requires observing live
login attempts over a period of time; if only the password hashes were
compromised - which seems to be our main threat model - it wouldn't leak
the complexity information and would make the attacker's job much harder

Content of type "text/html" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ