| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 04 Sep 2014 06:51:11 -0400 From: Bill Cox <waywardgeek@...hershed.org> To: discussions@...sword-hashing.net Subject: A review per day - skipping Makwa -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sorry, but I'm not qualified to comment on the mathematical strengths or weaknesses of Makwa. I quickly scanned the code, and it clearly was written with a solid effort. It is a bit hard to read in some places, similar to Yescrypt, but that's probably because the author handles complexity better than me. I didn't see any bugs in my quick scan, and have no useful feedback other than it "passes" my quick scan. I will say that Makwa is cool, and because it introduces the concept of work delegation, I think it belongs in the next round. Just some comments for anyone not familiar with Makwa. It is not a memory-hard password hashing scheme, which I consider to be a weakness, and also why there's not much for me to review. However, it enables low-powered devices like a low-end phone to ask for help authenticating. Some big untrusted server somewhere is capable of taking a Makwa authentication request and applying all the t_cost effort, and returning the result to the low-end phone, without ever seeing any secret data, such as the user's password. That's cool! ASICs are indeed far better at Makwa password hashing than a user's computer. However, there's no reason that even a high-end desktop could not delegate the hashing to an ASIC farm built for this purpose. Such a system defeats any ASIC attack I can think of, and GPUs would not even begin to threaten the system. It is potentially a revolutionary idea in password authentication. Instead of every company having an authentication server, we might have companies providing access to their authentication farms. Makwa belongs in the next round, unless the mathematicians have already trashed it. However, Makwa does not replace either bcrypt or Scrypt. If it becomes a "winner", it should not be at the expense of a winner for bcrypt and Scrypt upgrades. For example, no matter how awesome Makwa becomes, I can't use it in CipherShed, at least when in silent mode, where CipherShed refuses to ping the Internet. Bill -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJUCEQbAAoJEAcQZQdOpZUZ47YP/1p00VklhVDQBjYjSnJHE4Kr Nb79Tq0ygY8wcoBfHAZ1I5U2rB+NtYbALXqHIAojv5Zc/4ryVyp4DFqYuHUU0fnu ZHEG0RkEw4W1gVqUwv9peADpTLSSM5b+KewvsSglE0TCmroxbzmL8B/yuNiBXwgn 1Jc8J9vfNbAEcys68ISjmw/3/jEQgkiesQkfmKVpheeP3rR56STWyG9hAjEzwB5z Ovq4XCQWDex2Bz7SV+rh7W/LHw8x4dVnaCcUHqi03suWtcdaYwYwSwVLPcG6MuHF 59FDYL/c+cE9b7cBbBZ8z2XvFxmCsFGoSqmLcK0ozLYa1LsyyvApS0/hFvTFv3En 0YAF8dlaGj5PE2k6TxKUO4tnCQZQPa6PMO88XZJ6gZdHesbWaDrZKsQSDXc/c67l LoHYqrUukRy6V9m/HK2Du3Ex4F5JkzwRvsQ7dFziazJ4CQ4O4eylKsk+8pEd946z 8y1bnadn7U5EMdUjklsw+FF+htpCnaPOfDXKywdLn5iF6LDNFuK+fPVIxI3QMHgy RenLuU2mPcvCLPUhsLEewvUW7qSkbwIwXtrD5gpfDA/EXpe+vCiVtntdOupaTkUK seDP/EASc0rvl/DbZ2Flk/sDgkg0XdRofiOYsPD+XuuClvVq2pmo2HJRvikAV5tl O4NcGZ9YZHm+Qqz8HaYk =Bf8I -----END PGP SIGNATURE-----
Powered by blists - more mailing lists