lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 02 Sep 2014 09:20:00 -0400
From: Bill Cox <waywardgeek@...hershed.org>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] A review per day - Schvrch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 09/02/2014 08:32 AM, Krisztián Pintér wrote:
> On Tue, Sep 2, 2014 at 2:11 PM, Bill Cox
> <waywardgeek@...hershed.org> wrote:
> 
>> I do believe that basic input checking should be part of the
>> reference design.
> 
> two observations.
> 
> 1. no, at this stage, we don't need input checking at all. this is
> not a library, but a reference. that is, documentation of the
> algorithm.
> 
> 2, even in a library, i suggest using only assert-s, if at all.
> such a low level subprogram does not have any better means of
> communicating an error condition that should not happen in the
> first place. it is the responsibility of the caller to use correct
> parameters.
> 

While I disagree,  input range checking is only a minor tweak.  I
think you would agree that this must be done before the PHC publishes
reference code for the statement  I am doing a *lot* of attacking PHC
candidates right now, I personally would appreciate input checking, so
I don't waste time showing that an entry is weak against invalid
inputs.  I appreciated POMELO's statement that t_cost + m_cost  should
be >= 8 for reasonable security.  That kept me from launching attacks
with lower values, where I think I could do some damage.

Bill
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUBcP9AAoJEAcQZQdOpZUZ8s0P/j5+yMxYxM4hwIlU/ENVmGSS
ePMpn0/+sKgReu/8yi68cbvLj7IG1muQ2y2xUtBOdGX4SDm8yCy0J4DgkKTFqQWi
QwHCgFqrPInoTCATePC+WS9tOwjEb4z25S/jyogLK0iURJ7mxzzcm7PZ7w7YML19
/WnRSc3/xMf6CO9tRGyEGCbg0tHFasN6+eyNZpO85xl1S/L8+lIwyltDDyNDwR4K
Fp5TskFTbAQdhPto4nqySKl2H3H6UBfnV1hqxi2jZ5qk17pX6BM7vMq3+sbm0Fu9
1bmeYLZu7f4nqzEfrCEaIebFWBcGcnTBH4N2XTLeZ/KGmZej2sNURZeKDmv2rDdP
dZuVfefbNj4pXoPXLHN3M+bRm+O2tET0uQodGrIuPacNnO95wK1T+riMKBQ0ByP0
Pm/gGPfEpIAVN0zQheTDLk3F40f88C/qVhOH7CTemxeDslXHB6wHOoYPIMD6jEqX
Ku2rQTfUuTGjadSufbLcOjVn4lE0uOwtV8SLWErnuF+GNH0/knpaBnTLIgPfQrw+
zY4f9hZvgY5Xby2LF/WaPkQtj3p9z4CUnRupuioHL/tG6ap9cglxk3+52BFqW8R8
paT0bQsjdpCDSNyenIgDvpCAMsYgpEx5I1Go659A99sly4eMFCjZL8t/NMrSmNvC
+dBH2zwLFa8GDPKzsfjy
=seQZ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ