| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 4 Sep 2014 05:58:44 +0000 From: Brandon Enright <bmenrigh@...ndonenright.net> To: Thomas Pornin <pornin@...et.org> Cc: discussions@...sword-hashing.net, bmenrigh@...ndonenright.net Subject: Re: [PHC] Cryptographically strong salt is not overkill On Thu, 4 Sep 2014 00:45:29 +0200 Thomas Pornin <pornin@...et.org> wrote: > On Wed, Sep 03, 2014 at 05:37:27PM -0400, Bill Cox wrote: > > If any salt generator that produces data that is distinguishable > > from random data makes it into CipherShed, I will be pretty pissed > > off. Don't forget that some users have a valid need to store the > > salt in plain-text without letting an attacker know that it is in > > fact not just random data. > > I'll still stand by my assertion. A cryptographically strong PRNG > is overkill for a salt. > > [...] However, the need for > strong randomness does not come from the saltness, but from the > other, completely orthogonal constraint coming from your specific > scenario. Even in Bill's scenario a cryptographically strong salt isn't needed. Usually the notion of something being "cryptographically strong" involves the PRNG resisting an attacker gathering long sequences of successive output. For a 128 bit salt, all that's needed is that for a given seed, there is no distinguishing attack utilising only 128 bits of the PRNG output. Even many poor PRNGs are indistinguishable from random when you only have the first 128 bits of their output (e.g. Mersenne Twister). Brandon
Powered by blists - more mailing lists