Date: Thu, 04 Sep 2014 06:51:11 -0400
From: Bill Cox <waywardgeek@...hershed.org>
To: discussions@...sword-hashing.net
Subject: A review per day - skipping Makwa

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry, but I'm not qualified to comment on the mathematical strengths
or weaknesses of Makwa.  I quickly scanned the code, and it clearly
was written with a solid effort.  It is a bit hard to read in some
places, similar to Yescrypt, but that's probably because the author
handles complexity better than me.  I didn't see any bugs in my quick
scan, and have no useful feedback other than it "passes" my quick scan.

I will say that Makwa is cool, and because it introduces the concept
of work delegation, I think it belongs in the next round.

Just some comments for anyone not familiar with Makwa.  It is not a
memory-hard password hashing scheme, which I consider to be a
weakness, and also why there's not much for me to review.  However, it
enables low-powered devices like a low-end phone to ask for help
authenticating.  Some big untrusted server somewhere is capable of
taking a Makwa authentication request and applying all the t_cost
effort, and returning the result to the low-end phone, without ever
seeing any secret data, such as the user's password.  That's cool!

ASICs are indeed far better at Makwa password hashing than a user's
computer.  However, there's no reason that even a high-end desktop
could not delegate the hashing to an ASIC farm built for this purpose.
 Such a system defeats any ASIC attack I can think of, and GPUs would
not even begin to threaten the system.

It is potentially a revolutionary idea in password authentication.
Instead of every company having an authentication server, we might
have companies providing access to their authentication farms.  Makwa
belongs in the next round, unless the mathematicians have already
trashed it.

However, Makwa does not replace either bcrypt or Scrypt.  If it
becomes a "winner", it should not be at the expense of a winner for
bcrypt and Scrypt upgrades.  For example, no matter how awesome Makwa
becomes, I can't use it in CipherShed, at least when in silent mode,
where CipherShed refuses to ping the Internet.

Bill
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
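
The work delegation described in the message above, as an added sketch; it is not part of Bill's message and not the Makwa reference code. It assumes the costly core is repeated modular squaring and that the client hides its input with precomputed blinding pairs; the toy modulus, `W`, the input encoding and all function names are constructed for illustration.

```python
import secrets
from math import gcd

# Toy modulus built from two Mersenne primes (factors are public, so this is
# insecure by construction; a real deployment uses a 2048-bit or larger modulus).
N = (2**61 - 1) * (2**89 - 1)
W = 4096  # number of squarings, standing in for t_cost


def squarings(z, w=W, n=N):
    """The expensive part: w sequential modular squarings."""
    for _ in range(w):
        z = z * z % n
    return z


def make_masks(count=16):
    """Precompute pairs (alpha, beta) with beta = 1 / alpha^(2^W) mod N.
    Done once, ahead of time, by a party that can afford the work."""
    masks = []
    while len(masks) < count:
        alpha = 2 + secrets.randbelow(N - 3)
        if gcd(alpha, N) == 1:
            masks.append((alpha, pow(squarings(alpha), -1, N)))
    return masks


def blind(x, masks):
    """Client: multiply x by a random subset of alphas; keep the matching betas."""
    chosen = [m for m in masks if secrets.randbits(1)] or masks[:1]
    blinded, unblinder = x % N, 1
    for alpha, beta in chosen:
        blinded = blinded * alpha % N
        unblinder = unblinder * beta % N
    return blinded, unblinder


def delegated_hash(x, masks):
    """Full exchange: the untrusted server only ever sees `blinded`."""
    blinded, unblinder = blind(x, masks)
    server_reply = squarings(blinded)          # runs on the delegation server
    return server_reply * unblinder % N, blinded


if __name__ == "__main__":
    # Constructed input; a real scheme pads and salts the password first.
    x = int.from_bytes(b"constructed-salt|correct horse", "big") % N
    result, seen_by_server = delegated_hash(x, make_masks())
    print(result == squarings(x), seen_by_server != x)
```

The unblinding works because squaring is multiplicative: (x·∏α)^(2^W) · ∏β = x^(2^W) mod N, so the client gets the same value it would have computed locally while doing only a handful of multiplications.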
