Open Source and information security mailing list archives
Date: Mon, 21 Apr 2014 13:58:49 -0400
From: Bill Cox <>
Subject: Re: [PHC] Best use of ROM in password hashing

Here's another N-way ROM splitting attack, and this one should work for
*any* PHS using ROM, regardless of how much RAM is hashed.  The goal is to
decrease the cost of the ROM to the attacker per guessing node while
maintaining good ROM bandwidth per node.  An attacker simply splits the ROM
into N pieces, and builds a fast permutation network to route from the N
pieces to say N/2 computation nodes.  During any block read loop, most of
the N/2 cores could have lone access to the ROM data they need.  The cost
of the permutation network is O(N*log(N)), so N should be chosen to keep
the permutation network's cost well under the cost of N ROMs.

I really don't see any good way to prevent an attacker from making use of
parallel small ROMs and some data routing hardware, so counting on the cost
of the ROM and its bandwidth limitations as primary deterrents may not
work out well.  It doesn't hurt to add those to a defender's array of
defenses, but the primary time*cost is likely to be due to the memory
hashing algorithm.  I think Alexander enjoys adding more spikes in his
defense wall, and ROM cost and bandwidth are just two more the attacker
will have to overcome.  If I were an attacker looking at a full blown
Yescrypt (with the enhancements Alexander has mentioned), I'd just throw up
my hands and go hack accounts somewhere else :-)
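
[Added example, not part of the original message or of any PHC submission: a small model a defender can use to gauge how much of the ROM cost and bandwidth deterrent survives the split described above. Assumptions not in the message: each core reads a uniformly random ROM piece per round, the unsplit baseline is one full ROM per node, and the network costs switch_cost * N * log2(N) with hypothetical unit costs.]

```python
import math
import random


def lone_access_fraction(n_pieces: int) -> float:
    """Closed form: chance that a core is the only one addressing its ROM
    piece in a round, with n_pieces/2 cores choosing pieces uniformly."""
    cores = n_pieces // 2
    return (1.0 - 1.0 / n_pieces) ** (cores - 1)


def simulate_lone_access(n_pieces: int, rounds: int = 2000, seed: int = 1) -> float:
    """Monte Carlo check of the closed form (seeded, so repeatable)."""
    rng = random.Random(seed)
    cores = n_pieces // 2
    lone = 0
    for _ in range(rounds):
        picks = [rng.randrange(n_pieces) for _ in range(cores)]
        hits = [0] * n_pieces
        for p in picks:
            hits[p] += 1
        # A core has lone access when nobody else picked the same piece.
        lone += sum(1 for p in picks if hits[p] == 1)
    return lone / (rounds * cores)


def per_node_rom_cost(n_pieces: int, rom_cost: float, switch_cost: float) -> float:
    """ROM-related cost per guessing node after the split: one ROM cut into
    n_pieces plus an O(N*log(N)) permutation network, shared by n_pieces/2
    nodes. Cost units are hypothetical; the baseline is rom_cost per node."""
    network = switch_cost * n_pieces * math.log2(n_pieces)
    return (rom_cost + network) / (n_pieces // 2)


if __name__ == "__main__":
    # Constructed parameters: ROM cost normalised to 1.0, switch cost 0.001.
    for n in (8, 64, 512, 4096):
        print(
            f"N={n:5d}  lone access: model {lone_access_fraction(n):.3f}, "
            f"simulated {simulate_lone_access(n, rounds=300):.3f}  "
            f"ROM cost per node {per_node_rom_cost(n, 1.0, 0.001):.4f} (baseline 1.0)"
        )
```

[Under these assumptions the lone-access fraction settles near exp(-1/2), about 0.61, as N grows, while the ROM cost per node keeps falling until the network term dominates.]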

