Open Source and information security mailing list archives
Date: Thu, 04 Sep 2014 06:51:11 -0400
From: Bill Cox <>
Subject: A review per day - skipping Makwa

Sorry, but I'm not qualified to comment on the mathematical strengths
or weaknesses of Makwa.  I quickly scanned the code, and it clearly
was written with a solid effort.  It is a bit hard to read in some
places, similar to Yescrypt, but that's probably because the author
handles complexity better than me.  I didn't see any bugs in my quick
scan, and have no useful feedback other than it "passes" my quick scan.

I will say that Makwa is cool, and because it introduces the concept
of work delegation, I think it belongs in the next round.

Just some comments for anyone not familiar with Makwa.  It is not a
memory-hard password hashing scheme, which I consider to be a
weakness, and also why there's not much for me to review.  However, it
enables low-powered devices like a low-end phone to ask for help
authenticating.  Some big untrusted server somewhere is capable of
taking a Makwa authentication request and applying all the t_cost
effort, and returning the result to the low-end phone, without ever
seeing any secret data, such as the user's password.  That's cool!

ASICs are indeed far better at Makwa password hashing than a user's
computer.  However, there's no reason that even a high-end desktop
could not delegate the hashing to an ASIC farm built for this purpose.
Such a system defeats any ASIC attack I can think of, and GPUs would
not even begin to threaten the system.

It is potentially a revolutionary idea in password authentication.
Instead of every company having an authentication server, we might
have companies providing access to their authentication farms.  Makwa
belongs in the next round, unless the mathematicians have already
trashed it.

However, Makwa does not replace either bcrypt or Scrypt.  If it
becomes a "winner", it should not be at the expense of a winner for
bcrypt and Scrypt upgrades.  For example, no matter how awesome Makwa
becomes, I can't use it in CipherShed, at least when in silent mode,
where CipherShed refuses to ping the Internet.
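
A simplified sketch of the work delegation described in the message, added here as an example and not taken from the post or from the Makwa reference code: the client masks its value with secret precomputed pairs, the untrusted server performs the squarings, and the client unmasks the result. The toy modulus, the SHA-256 stand-in for the padding step and all function names are assumptions.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy modulus (two Mersenne primes, both 3 mod 4). A real
# deployment uses a 2048-bit modulus whose factors are not on the hashing path.
N = (2**31 - 1) * (2**61 - 1)

def squarings(x, w, n=N):
    """The tunable work: w sequential modular squarings, x^(2^w) mod n."""
    for _ in range(w):
        x = x * x % n
    return x

def to_element(password, salt, n=N):
    """Stand-in for the scheme's padding step (assumption: plain SHA-256)."""
    return int.from_bytes(hashlib.sha256(salt + password).digest(), "big") % n

def make_mask_pairs(count, w, n=N):
    """Precompute secret (alpha, beta) pairs with beta = (alpha^(2^w))^-1."""
    pairs = []
    while len(pairs) < count:
        alpha = secrets.randbelow(n - 2) + 2
        if gcd(alpha, n) == 1:
            pairs.append((alpha, pow(squarings(alpha, w, n), -1, n)))
    return pairs

def blind(x, pairs, n=N):
    """Client: multiply x by a random non-empty subset of the alphas."""
    chosen = []
    while not chosen:
        chosen = [p for p in pairs if secrets.randbits(1)]
    z, unmask = x, 1
    for alpha, beta in chosen:
        z, unmask = z * alpha % n, unmask * beta % n
    return z, unmask

def delegated_hash(password, salt, w, pairs, n=N):
    """Return (value the server saw, final result after unmasking)."""
    x = to_element(password, salt, n)
    z, unmask = blind(x, pairs, n)      # client side, a few multiplications
    heavy = squarings(z, w, n)          # untrusted server sees only z
    return z, heavy * unmask % n        # client unmasks the server's answer
```

The mask pairs must stay secret from the delegation server and are tied to one work factor `w`; changing `w` means precomputing a new set.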


