Message-ID: <323958598.1172485.1396873181333.open-xchange@email.1and1.com>
Date: Mon, 7 Apr 2014 07:19:41 -0500 (CDT)
From: Steve Thomas <steve@...tu.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: EARWORM (ROM hard is not enough)

The problem I have with EARWORM is that it's only good if the ROM is too
big to fit in GPU memory. Currently we have high-end GPUs starting at 4 GiB
with 12 GiB being the max (right?). You only need one copy of the ROM in
GPU memory and since the state per each password guess is small (64 bytes)
you can have several passwords being checked at the same time. Note that
the state is parallel so if we increase the state to a few MiB then the
attacker will have a different GPU thread for each part (16 bytes).
Although they do need to "combine" often so they get the new block index.

Also loading a large ROM into memory might not be good for UX in certain
cases. This is OK in cases where the ROM is always in memory like
authentication servers, but for FDE it might be annoying waiting for it to
read a few gigs from disk. Although this isn't a big problem for new SSDs,
my craptop would take a while.

I was going to suggest that you use the ROM as the initial state of the RAM
and modify as you go, but this would probably not be allowed, as this is a
large change. I just read that this is what was talked about and it came to
the same conclusion that it wouldn't happen. Also, from what was mentioned in that
thread I think I need to go through these faster so I can get to yescrypt
:).