lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 3 Apr 2014 05:12:47 -0500 (CDT)
From: Steve Thomas <steve@...tu.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] antcrypt phs_gen_output()

>  On April 3, 2014 at 5:01 AM atom <atom@...hcat.net> wrote:
>
>  Hey Guys,
>   
>  from antcrypt sources, do I understand this correctly:
>   
>  ctx->state_bytes = some static value based on m_cost
>  *(ctx->stateprefix) = 1;
>   
>  while (...) {
>  ...
>  SHA512((uint8_t *) ctx->stateprefix, ctx->state_bytes + sizeof(uint32_t),
>ctx->rehash);
>  ...
>  *(ctx->stateprefix) = *(ctx->stateprefix) + 1;
>  }
>   
>  In other words, stateprefix will be some fixed value between 1 and a very low
>number, maybe 100? In that case, it's simply a static value an attacker can
>precompute and it will not take alot of memory.
>   

No, it is doing SHA512(LITTLE_ENDIAN_32(prefix) || state) because:
ctx->stateprefix = ((uint32_t*) ctx->state) - 1
and it is given a length of "ctx->state_bytes + sizeof(uint32_t)"

I know it looks confusing I had problems too. This is also very
inefficient the call to phs_store_derived_state() fills the whole
state with SHA512s.

Powered by blists - more mailing lists