Message-ID: <20140904055844.14ce2905@lambda>
Date: Thu, 4 Sep 2014 05:58:44 +0000
From: Brandon Enright <bmenrigh@...ndonenright.net>
To: Thomas Pornin <pornin@...et.org>
Cc: discussions@...sword-hashing.net, bmenrigh@...ndonenright.net
Subject: Re: [PHC] Cryptographically strong salt is not overkill
On Thu, 4 Sep 2014 00:45:29 +0200
Thomas Pornin <pornin@...et.org> wrote:
> On Wed, Sep 03, 2014 at 05:37:27PM -0400, Bill Cox wrote:
> > If any salt generator that produces data that is distinguishable
> > from random data makes it into CipherShed, I will be pretty pissed
> > off. Don't forget that some users have a valid need to store the
> > salt in plain-text without letting an attacker know that it is in
> > fact not just random data.
>
> I'll still stand by my assertion. A cryptographically strong PRNG
> is overkill for a salt.
>
> [...] However, the need for
> strong randomness does not come from the saltness, but from the
> other, completely orthogonal constraint coming from your specific
> scenario.
Even in Bill's scenario a cryptographically strong salt isn't needed.
Usually the notion of something being "cryptographically strong"
involves the PRNG resisting an attacker gathering long sequences of
successive output.
For a 128 bit salt, all that's needed is that for a given seed, there is
no distinguishing attack utilising only 128 bits of the PRNG output.
Even many poor PRNGs are indistinguishable from random when you only
have the first 128 bits of their output (e.g. Mersenne Twister).
Brandon
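An added example, not part of this thread, to make the distinction above concrete. It uses CPython's random module, which is MT19937, and the generator's published parameters (N=624, M=397, the tempering masks). From 624 consecutive 32-bit outputs the tempering can be undone word by word and the full state rebuilt, so the rest of the stream is predictable; that is the "long sequences" attack a cryptographic PRNG must resist. Four outputs (128 bits) untemper to four state words, but every further word of the recurrence needs three earlier words, none of which those four supply. The seed value, the variable names, and the assumption that the observed outputs begin right after a twist (true for a freshly seeded random.Random) are this example's own.

```python
"""Added example, not from the thread: MT19937 output is predictable from a
long run of output but not from an isolated 128-bit slice.

Assumptions (this example's own): CPython's `random` is MT19937, the observed
outputs start right after a twist (true for a fresh random.Random(int_seed)),
and the seed 1234 is arbitrary."""
import random

N, M = 624, 397  # MT19937 recurrence degree and middle word (published parameters)


def temper(y: int) -> int:
    """MT19937 output tempering applied to one 32-bit state word."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & 0xFFFFFFFF


def untemper(y: int) -> int:
    """Invert temper(): each step is an invertible GF(2)-linear map on 32 bits."""
    y ^= y >> 18                    # shift >= 16: the step is its own inverse
    y ^= (y << 15) & 0xEFC60000     # likewise: (mask << 15) has no bits left in 32
    x = y
    for _ in range(5):              # 7 more low bits become correct per pass
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x
    x = y
    for _ in range(3):              # 11 more high bits become correct per pass
        x = y ^ (x >> 11)
    return x & 0xFFFFFFFF


def clone_from_outputs(outputs):
    """Rebuild a generator from 624 consecutive 32-bit outputs that begin
    right after a twist. Returns a random.Random positioned like the victim."""
    if len(outputs) != N:
        raise ValueError(f"need exactly {N} outputs, got {len(outputs)}")
    words = tuple(untemper(o) for o in outputs)
    clone = random.Random()
    # index N means the next call twists first, exactly as the victim's will
    clone.setstate((3, words + (N,), None))
    return clone


def clone_predicts_stream(seed: int = 1234, lookahead: int = 16) -> bool:
    """Observe 624 outputs of a seeded generator, clone it, and check that the
    clone's next `lookahead` outputs match the victim's."""
    victim = random.Random(seed)
    seen = [victim.getrandbits(32) for _ in range(N)]
    clone = clone_from_outputs(seen)
    predicted = [clone.getrandbits(32) for _ in range(lookahead)]
    actual = [victim.getrandbits(32) for _ in range(lookahead)]
    return predicted == actual


def derivable_positions(known, horizon: int = 2 * N):
    """Positions of the MT19937 linear recurrence computable from `known` ones.

    x[p] = f(x[p-N], x[p-N+1], x[p-N+M]), so x[p] is computable only when all
    three inputs are. Returns the newly computable positions below `horizon`.
    A single ascending pass suffices because every input has a lower position."""
    have = set(known)
    new = set()
    for p in range(N, horizon):
        if p not in have and {p - N, p - N + 1, p - N + M} <= have:
            have.add(p)
            new.add(p)
    return new


if __name__ == "__main__":
    print("624 outputs -> clone predicts stream:", clone_predicts_stream())
    print("words derivable from 128 bits (4 words):",
          len(derivable_positions(range(4))))
    print("words derivable from 624 words:",
          len(derivable_positions(range(N))))
```

Run as a script it reports that the clone predicts the victim, that four untempered words yield nothing further, and that 624 words yield the next 624. The alignment assumption matters in practice: if the first observed output is not the first after a twist, the 624 recovered words belong to two different twist generations and must be re-indexed before setstate.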