lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 25 Mar 2014 13:44:52 -0400
From: Justin Cappos <jcappos@....edu>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] New password hashing entry: PolyPassHash

>
>
>> Yes.  However, we can split this into two categories:
>
> i. The situation whereby the attacker gains full access to memory and the
> password database and takes the lot, in one go.  This isn't any good for
> monitoring plaintext passwords as they are entered because there isn't a
> persistent access.
>
> ii. The attacker gains full and persistent access.  The exposure of
> plaintext passwords will depend on length of compromise and the frequency
> upon which users sign-in, i.e. it would be much worse, say, in a company's
> internal network than your average web service.
>
> For the most part, we're considering i.  Because with ii. it doesn't
> matter how good the PHC winner is, the attacker has won anyway.
>

Well, why assume memory is necessarily compromised for (i)?   Evidence
shows this is usually not the case: (
http://blog.passwordresearch.com/2013/02/passwords-found-in-wild-for-january-2013.html
https://isis.poly.edu/~jcappos/papers/tr-cse-2013-02.pdf).   [ Full
disclosure, the second study was done by a student of mine.  ]


 So, for i., your scheme is security equivalent to the scheme of storing a
> simple master key in memory.  Personally, I see measures of storing a
> secret key in memory as part of a defense-in-depth approach as I'm
> certainly not going to place all my bets on an attacker not compromising
> memory -- the password hashes, in my view, must themselves provide adequate
> security even when that secret key is compromised.
>

Sure, but if memory is compromised with PolyPassHash, the attacker only
gets the salted secure hash of passwords.   So, in the worst case you end
up with security equivalent to the best case today.

Thanks for all of the feedback by the way.   I was hoping this submission
would be a bit of a curveball and generate some discussion / thought.

Justin

Content of type "text/html" skipped

Powered by blists - more mailing lists