lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 3 Apr 2014 14:00:14 -0400
From: Bill Cox <>
Subject: Re: [PHC] babbling about trends

On Thu, Apr 3, 2014 at 1:48 PM, Thomas Pornin <> wrote:
> (Self-promotion: in that model, an algorithm which allows delegation of
> work to untrusted third parties can be quite handy.)
>         --Thomas Pornin

Is it fair to say that the most interesting aspect of your entry is
the delegation capability?  I find that fascinating.  IIRC, there's no
arbitrary hash function called during delegation.  Is it possible to
add a memory-hard hash function call to the delegated password
hashing?  Maybe it's already there... after reading 23 papers, my head
is mush.

Another thing I get confused about is the entries that have server
specific short-cuts in computing the hashes.  Yours seems quite
ingenious to me in that respect, and I know the PHC site called for
such innovations specifically.  However, I get confused as to why this
is better than just having a server master password used to decrypt
password/user specific secret secondary keys?


Powered by blists - more mailing lists