lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 5 Apr 2014 11:57:59 -0400
From: Bill Cox <waywardgeek@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] POMELO fails the dieharder tests

On Sat, Apr 5, 2014 at 11:40 AM, Bill Cox <waywardgeek@...il.com> wrote:
> I'm trying to figure out what the problems are in PAMELO.  The first
> one is simple.  There's a bug on line 47:
>
>     // load salt into S
>     for (i = 0; i < saltlen; i++)   ((unsigned char*)S)[i] =
> ((unsigned char*)salt)[i];
>
> It should read:
>
>     // load salt into S
>     for (i = inlen; i < saltlen; i++)   ((unsigned char*)S)[i] =
> ((unsigned char*)salt)[i];
>
> The salt is overwriting the password.  I fixed that in my version, but
> the output is still massively non-random.  I printed the output for
> several passwords in dieharder format, and found that output values
> get repeated a ton.  There's at least one more bug in there.

My fix needed some fixing:

    // load salt into S
    for (i = inlen; i < inlen + saltlen; i++)   ((unsigned char*)S)[i]
= ((unsigned char*)salt)[i];
    for (i = inlen + saltlen; i < 160; i++) ((unsigned char*)S)[i] = 0;

This works better.  With the modified, code, POMELO now passes the
first test, the Birthday test.  This is, I believe, similar to
Alexander's favorite test of counting collisions in small integers,
such as 32-bit integer outputs.  Any PHS that passes the Birthday
test, if then run through a cryptographically strong hash such as
SHA2, will then pass any test for randomness.  That's why I consider
it the most important test, since most PHS entries will pass their
output one last time through a cryptographic hash.  If you pass the
Birthday test, and use a cryptographic final hash, you're golden so
far as output randomness goes.

Bill

Powered by blists - more mailing lists