lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 4 Apr 2014 10:06:45 +0000 (UTC)
From: Teath Sch <teathsch@...lcity.com>
To: discussions@...sword-hashing.net
Subject: Re: Tortuga issues

Bill Cox <waywardgeek@...> writes:

> 
> I wonder if it would make sense to combine threads about different
> hashing schemes somehow...
> 
> Tortuga fails on both windows and Linux for > 1MiB m_cost, due to
> allocating hashing memory on the stack.  The algorithm relies on a
> sponge construction called "Turtle".  I'm not sure if this is a
> documented sponge construction or a new one, but the mixing looked
> iffy to me (is that scientific enough?), so I generated random data
> with it bash it using:
> 
> for i in `seq 400000`; do ./test 256 1 1 $i s; done > foo
> 
> I added a print statement to test.c to print every 4 bytes of output
> as an unsigned int.  This generated over 23MiB before I killed it,
> which I fed into the dieharder tests.  It failed the first test, the
> birthday test.
> 
> What this means is that with t_cost == 1, and m_cost == 1, the output
> hash for different passwords is not very random at all.  It's possible
> the error is in my code to print the data, but I think I got it right.
>  I would recommend that the author generate output hashes for many
> input passwords and verify that they pass some statistical tests for
> randomness, such as the dieharder tests.  There may be some simple bug
> in his code causing this result.
> 
> I think I'm going to have to do this test on all 24.  Is someone
> working to create a standard test for each PHS function?  It would be
> simple to call that for each entry and test the resulting hashes for
> basic randomness.
> 
> Bill
> 
>

Yikes...

Here's what happens when I print binary:

./test 32 16 256 "hello" "world"
00001001:11010011:00011100:01100000:10111111:10010010:11101111:11000110:1010
0110:01111111:11101101:00001011:11110000:11100101:11100101:01110111:10110001
:10000011:01000011:11101011:11010011:10011010:00101101:10100111:00101001:100
11000:10011001:11011001:10111110:10101101:11000010:01111000

I think what this tells us is that you can't cheat by iterating a sponge 
function that was instantiated with a weak permutation.

Teath

Powered by blists - more mailing lists