lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 13 Sep 2014 07:10:39 -0400
From: Bill Cox <waywardgeek@...hershed.org>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] A review per day - EARWORM (and a request to the judges)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/13/2014 06:55 AM, Bill Cox wrote:
> It might even be doable on a bot-net.  In a bot-net example, each
> node would hash against 2GiB.  They would have a queue of maybe
> several MiB of partially hashed passwords.  After hashing them all,
> they would be sent to the next node over the Internet.  In his
> case, the Internet bandwidth dominates, but at 256KiB/s, that's
> still 4096 guesses per second, which isn't bad for a bot-net node.

Actually, that would be 4096 password updates per second.  The number
of updates required is set by the t_cost parameter.  The minimum is 1,
in which case this attack is especially ugly since no communication
between botnet nodes is required.  Even with the fix, the minimum
t_cost needs to be high enough to make communication bandwidth between
nodes a heavy limiting factor.  The arena size could be decreased to
help compensate for increasing the minimum t_cost.

Bill
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUFCYrAAoJEAcQZQdOpZUZcCIQAIfn5aNSTX8kVSWO/eZyH/We
bYGo1GuPGaoas5P08zLLgp8wWbXY7yBx/cm7XwLSt1V/gsV2mdyAeoDtLV0m90kB
8qG6SeWBOKQduMjngCYipLCjT6uAnUCU0Sah18U33Wult2C9XBAD8i2jGQZLvUKy
Ld4xiv8MPwiiAl3VeKlS0Y4IsKwYV5wBMoA8QyLoBxJ/Tyln0j8PA9/8bs6W9u+S
vTHJuxoHlsHAB1zsn5iDNbqV4faPaDP4CbflLUaHZ+5Kv52JUVfhgq89kZrLyXSU
CZ+gso32glNpiLLZOzhupqEvz8xJ6GRtKnpNZ1yFtZ1Hb703mQhZEPYVqNJlA3oi
0BJ4GFgfJlhnRy4fN5+pNZnI9meVXHEbhSs6UCAjInQZu1o7+wOZmXkesQpV9WsC
6cL1/iZP7FIhml9Ec09zoKNfOZspp+4rjY6vDLAEIlFrXALoC50LKCVB+WSyiGsC
/bfTx1tpsGLXm+FBIn0n5t8WbuN61CKVshcPNaaM2ingyW1mRXmguFgfywr2WCBn
+8j+sENuTlPZbr1WLovMDO8BPfpCtmVjfQYDI6s6geIeNuUvf26tVlYDrZ9/zWrm
WhmSvUgKp0qp5oWxzfCO8x2eSSgdJWx7SutN4zRA1fOKEFxBHWkJ+c2L6CutgnXq
m9vMHaBHzOcXPr1H1gcW
=KbnP
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists