| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <loom.20140404T120009-647@post.gmane.org> Date: Fri, 4 Apr 2014 10:06:45 +0000 (UTC) From: Teath Sch <teathsch@...lcity.com> To: discussions@...sword-hashing.net Subject: Re: Tortuga issues Bill Cox <waywardgeek@...> writes: > > I wonder if it would make sense to combine threads about different > hashing schemes somehow... > > Tortuga fails on both windows and Linux for > 1MiB m_cost, due to > allocating hashing memory on the stack. The algorithm relies on a > sponge construction called "Turtle". I'm not sure if this is a > documented sponge construction or a new one, but the mixing looked > iffy to me (is that scientific enough?), so I generated random data > with it bash it using: > > for i in `seq 400000`; do ./test 256 1 1 $i s; done > foo > > I added a print statement to test.c to print every 4 bytes of output > as an unsigned int. This generated over 23MiB before I killed it, > which I fed into the dieharder tests. It failed the first test, the > birthday test. > > What this means is that with t_cost == 1, and m_cost == 1, the output > hash for different passwords is not very random at all. It's possible > the error is in my code to print the data, but I think I got it right. > I would recommend that the author generate output hashes for many > input passwords and verify that they pass some statistical tests for > randomness, such as the dieharder tests. There may be some simple bug > in his code causing this result. > > I think I'm going to have to do this test on all 24. Is someone > working to create a standard test for each PHS function? It would be > simple to call that for each entry and test the resulting hashes for > basic randomness. > > Bill > > Yikes... Here's what happens when I print binary: ./test 32 16 256 "hello" "world" 00001001:11010011:00011100:01100000:10111111:10010010:11101111:11000110:1010 0110:01111111:11101101:00001011:11110000:11100101:11100101:01110111:10110001 :10000011:01000011:11101011:11010011:10011010:00101101:10100111:00101001:100 11000:10011001:11011001:10111110:10101101:11000010:01111000 I think what this tells us is that you can't cheat by iterating a sponge function that was instantiated with a weak permutation. Teath
Powered by blists - more mailing lists