lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 05 Apr 2014 14:12:23 -0400
From: Daniel Franke <dfoxfranke@...il.com>
To: "Poul-Henning Kamp" <phk@....freebsd.dk>
Cc: discussions@...sword-hashing.net
Subject: Re: [PHC] Re: Mechanical tests

"Poul-Henning Kamp" <phk@....freebsd.dk> writes:

> This is not a KDF-contest.
>
> This is a password-scrambler contest.

This message's thread-grandparent was a reply to Peter Maxwell, who wrote:

> No, PHK's definition was, probably provably, correct (for password
> hash or key derivation)‚Äč, assuming the *full* output is being used.

I'm not disputing your (PHK's) claim that a function outputing 1000 bits
with only 100 bits of entropy can be an acceptable password
scrambler. I'm disputing Peter's claim that it can also be an acceptable
KDF, and well as any claim (which I'm not attributing to anyone) that it
can be an acceptable collision-resistant hash function.

If this were a KDF contest rather than a password hashing contest, I
wouldn't have bothered submitting EARWORM, which (due to its use of
PBKDF2-HMAC-SHA256) allows the adversary to win the KDF game in two
queries, the first query consisting of a long string, and the second
consisting of its SHA256 hash. Even if I swapped out PBKDF2-HMAC-SHA256
for something else, EARWORM would still be completely impractical as a
KDF due to its reliance on a large ROM.

Nevertheless, one of the evaluation criteria in the call for submissions
is

> * Cryptographic security: the function should behave as a random
> function (random-looking output, one-way, collision resistant, immune
> to length extension, etc.)

and here's one of the FAQ entries:

> Is there a formal mathematical definition of the security of a password hashing scheme? 
>
> Attempts of formal definition of secure key-derivation scheme can be found in
>
> * Yao, Yin; Design and Analysis of Password-Based Key Derivation Functions; CT-RSA 2005
> * Krawczyk; Cryptographic Extraction and Key Derivation: The HKDF Scheme; CRYPTO 2010
>
> These definitions can be summarized as 'the hash should behave randomly
> with respect to any of its input'. However these definitions only
> partially address the actual security of a key derivation scheme (and
> of a PHS more generally); they do not address the security informally
> defined as 'the scheme should minimize the efficiency of attackers
> working with GPUs and FPGAs'.

So, discussion of KDFs clearly seems to be on topic here, even if not
all PHC entries are required or intended to be suitable as such.

Powered by blists - more mailing lists