lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 6 Apr 2014 13:07:31 -0400
From: Patrick Mylund Nielsen <>
To: "" <>
Subject: Re: [PHC] Re: Mechanical tests

On Sun, Apr 6, 2014 at 4:07 AM, Peter Gutmann <>wrote:

> Poul-Henning Kamp <> writes:
> >In message <>, Daniel Franke writes:
> >
> >>The definition of weakly-secure KDF, given in
> >
> >This is not a KDF-contest.
> >
> >This is a password-scrambler contest.
> We know that, but they don't, no matter how big we write it on the web
> site/final specification/media announcement.  If we don't set KDF-style
> requirements then at some point someone is going to run the PHC-winner's
> output through Dieharder and announce on Slashdot/a conference paper/front
> page of the NY Times that the PHC chose a flawed algorithm, and no amount
> of
> trying to explain the difference between a KDF and a PHC will overcome
> that.
> So it had better act as a KDF, whether that was an original design goal or
> not.
> Peter.

Agree with this 100%. There is already more than enough confusion about
what algorithms to use, and how. "Experts" will come in suggesting "using
proven algorithms such as SHA-256", and we'll be back to square one.

It's also not inconceivable that people will actually use the winner as a
KDF. I've personally seen bcrypt be used that way more than once, even
though "it is just a password scrambler."

(Nevermind that it would actually be good to have an even stronger KDF
rather than just a password scrambler, as long as it is extremely easy for
people to use the password scrambler component, i.e. as easy or easier than

"You can use PBKDF2 and scrypt for password authentication, so why
shouldn't you be able to use bcrypt and <PHS> to derive keys?"

Content of type "text/html" skipped

Powered by blists - more mailing lists