lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20140821212911.GA19245@openwall.com>
Date: Fri, 22 Aug 2014 01:29:11 +0400
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] What Microsoft Would like from the PHC - Passwords14 presentation

On Fri, Aug 15, 2014 at 06:17:27PM +0000, Marsh Ray wrote:
> Passwords14 presentation: What Microsoft Would like from the PHC
> 
> Slides attached.
> 
> Video: https://www.youtube.com/watch?v=Kr6ruthF_4k

Very nice presentation, thank you!

Here's a biased opinion:

On slide 14, "Use Case 1 - Online Services", you state "Multiple
authentication servers, each handles 100s of requests/second".  This
means fairly low memory, possibly below 16 MB RAM per hash computed.
(Depends on how many 100s of requests/second per server you need to
support.  Perhaps several times more than the peak seen so far; this is
how we arrived at 1000s per second for yescrypt.)  Then on slide 35,
"Comparison", you list many PHC candidates as supporting all of your use
cases.  To me, some of them are unsuitable for "low memory" usage - they
will work, but they are unlikely to provide GPU attack resistance
comparable to bcrypt's at same defensive request rate capacity.  Is
being at least on par with bcrypt at your use cases not a requirement?

Here's what I think is an error:

Is Pufferfish v0 really side-channel resistant?  I think it's similar to
bcrypt in this respect, and we don't consider bcrypt to be cache-timing
attack resistant, or do we?

(I don't imply that all other PHC candidates with a "Yes" in that column
are necessarily side-channel resistant.  I merely noticed this one
apparent error.  There might be more.)

Thanks again,

Alexander

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ