[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAOLP8p4TJSnpiU6T6Rtm5R-dRh053vBOgft2K3yrGVnQMpYmEA@mail.gmail.com>
Date: Sat, 8 Mar 2014 22:59:58 -0500
From: Bill Cox <waywardgeek@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Are password trailing 0's a problem?
On Sat, Mar 8, 2014 at 7:26 PM, Solar Designer <solar@...nwall.com> wrote:
> On Sat, Mar 08, 2014 at 04:06:11PM -0800, Jeremy Spilman wrote:
>> Just restating what CiC said in bullet form, but seeing it in pseudo-code
>> always helps me. When using password as the HMAC key, the way that PBKDF2
>> does, you end up with:
>>
>> if (password.length < block_size)
>> password = password.pad(0x00, password.length - block_size)
>> else if (password.length > block_size)
>> password = hash(password)
>
> Almost.
>
>> I guess it should be apparent that you can pass the hash of a password
>> longer than the block size in place of the password,
>
> Note that for this the padding should also be applied after the hash is
> computed, which is a detail you lost in the pseudo-code above.
>
>> but I bet 99.9% of people using PBKDF2 would be "shocked" to learn this.
>
> Right. Here's an aspect that I haven't seen mentioned yet:
>
> Suppose someone reuses a >64 chars password on two sites, where e.g. one
> site uses raw SHA-256 and the other uses scrypt. Suppose the raw
> SHA-256 hashes leak. The password might be strong enough not to be
> cracked given the SHA-256 hashes (it's >64 chars). However, the SHA-256
> hash may be used to log in to the site that uses scrypt.
>
> This is probably impractical given that passwords this long are
> extremely rare, but other than that it'd work.
>
> A hurdle is that the SHA-256 hash is likely to contain non-printable
> chars, which might or might not be possible to pass to the login form
> (and have them accepted and reach scrypt).
>
> Alexander
I'm watching the Duke Carolina game and drinking beer, so I probably
should avoid trying to say anything intelligent...
However, while this flaw is certainly not a critical weakness, and
obviously Escript in compatibility mode needs to continue using PBKDF2
as-is, for non-compatible mode, or entirely new password hashing
systems, should we live with such flaws or try to eliminate them?
I wrote up my HKDF2 code today, so I'm in a drunken mood to defend the
thought of dumping the cruft we've inherited and starting with
something new-ish (not new, just an upgrade to HKDF).
Bill
Powered by blists - more mailing lists