lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 04 Sep 2014 06:19:47 -0400
From: Bill Cox <>
Subject: Re: [PHC] [SPAM?] Re: [PHC] A review per day - MCS_PHS

Hash: SHA1

On 09/04/2014 02:33 AM, Mikhail Maslennikov wrote:
> Sorry, may be you analize old version MCS_PHS? New version (ver.2)
> was upgraded 30.08.2014, as wrote JP. In ver.2 I remove do ...
> while cycle. If you have problems to find latest version, you can
> download it from

You're right!  I reviewed the old code.  Sorry.  The new code does is
indeed a lot easier to read.  Line 72 doesn't make it harder to read,
but I think it is more common to just let the for loop execute 0
times, so 72 could be deleted.

More importantly, if you could change the order of your variable
parameters in the Hash function, it will make life easier for users
and reviewers.  That random variable order is what made me think you
must be a mathematician (that plus the fact that you are a hashing
function enthusiast).  They never seem to agree on variable order.  We
can't even get them to use HMAC with the password and salt in a
consistent order!  That is a real pain.  Every time I review code that
calls HMAC, I have to go check which variable order they used in the

> About reducing hash degree from 64 to outlen.  I want to use one
> specific feature of MCSSHA8 hash function: if Hi(M) and Hj(M) -
> hash with length i and j for some fixed message M, so this values
> will be different as random values for any not equal i and j. One
> of possible attack on Password Hashing Scheme like PBKDF could be
> Dictionary Attack, when attacker try to build dictionary for 
> transformation hash->Hash(hash). In "standart" PBKDF it's enough to
> build dictionary only for one hash function H, but if we use
> MCS_PHS it's neccessary to buid dictionary for each of different
> Hi. About internal buffer clearning - agree with you. Now I try to
> prepare ver.3 whith this clearning. About "some oddities in the
> code" and "fearful of using it" - please, look latest version. May
> be it will be not so "fearful". About mathematician - it's true. 
> Thank you. Mikhail Maslennikov 04.09.2014, 01:18, "Bill Cox"
> < <>>:

I'd love to discuss more about the merits of how you are hashing, but
I wont.  This list has already had to put up with me learning the
basics of password hashing schemes.  They don't need to put up with me
learning about hashing functions.  Your new code is a lot less scary,
and with the variable order fixed, it would pass my code review.

Thanks for the reply, and sorry about reviewing the old version.

Version: GnuPG v1


Powered by blists - more mailing lists