Date: Sun, 14 Sep 2014 07:33:29 -0400
From: Bill Cox <>
Subject: Re: [PHC] Improving Makwa and arguing points for or against

On 09/14/2014 06:13 AM, Steve Thomas wrote:
> I think Makwa has one nice feature: delegation. The fixes needed
> are: required pre-hashing, post hashing, and clearing p and q right
> after they are generated. Replacing e=2**n with e=65537**n also
> requires gcd(65537, (p-1)*(q-1))=1. This way you can say it's as
> safe as RSA. I guess that's not really necessary since post hashing
> is now required.

I assume there's some good mathematical reason for 65537, but I can't
comment on that.

I personally feel pre and post hashing is needed, for similar reasons
as you, though it is also impractical to expect random database guys
to be happy with a 2048 bit hash when they've been used to much
smaller.  Imagine editing /etc/passwd with those in it.

> Delegation is cool, but I don't see it as something that will be
> used in the real world. The only arguing points I see are: is
> delegation awesome enough to make it go to the next round, whether
> we can force changes to an algorithm, and whether we can prevent
> the author from saying "you could keep p and q for fast path".

Delegation is cool.  Makwa is in its own category.  It's not going to
be a PHC winner recommended to replace Scrypt.  However, while
delegation is not something we can use in existing systems very
effectively, it might be key to enabling future security in systems we
wish we could build.

In particular, we don't seem to be able to secure the regular
Internet.  How are we going to secure the "Internet of Things"?
Delegation seems like a great way for any low-end system like your
home alarm system to validate your password.  Any random low-end thing
on the Internet that we want to control remotely is a good candidate
for this.

I think it would be a shame to drop the only password hashing scheme
to ever provide delegation.  In comparison, parallel is a great idea -
using GPUs for defense - but that is an idea that needs a lot of work,
IMO.  We need some good GPU guys to write a GPU optimized hashing
function.  Parallel as it stands is not an entry I would recommend we
use as-is.  However, as the only GPU defense entry, I think that
should also remain in the competition.

I'm tracking a group of entries I'm calling "Good ideas" now.  It
includes Parallel, Makwa, and AntCrypt.  Of these three, Makwa is the
only one with an implementation close to ready for prime-time, IMO.
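The construction the quoted paragraph debates, as an added illustration that is not code from this thread or from the Makwa submission: a toy Makwa-like hash with pre-hashing, the public slow path a delegate would run, the private fast path that knowledge of p and q enables (the reason the post wants p and q cleared), the gcd condition mentioned for a 65537 base, and post-hashing. The primes, salt and work factor are constructed toy values, and the hashing and encoding details are assumptions, not Makwa's actual format.

```python
import hashlib
from math import gcd

# Toy modulus, constructed for illustration only. Real Makwa uses a 2048-bit
# Blum integer (p and q both 3 mod 4); these small primes keep the loops fast.
def is_prime(n: int) -> bool:
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def blum_prime_after(n: int) -> int:
    while not (n % 4 == 3 and is_prime(n)):
        n += 1
    return n

P, Q = blum_prime_after(1_000_000), blum_prime_after(3_000_000)
N, PHI = P * Q, (P - 1) * (Q - 1)

def pre_hash(password: bytes, salt: bytes) -> int:
    """Pre-hashing: a fixed-size digest enters the arithmetic, not the raw password."""
    x = int.from_bytes(hashlib.sha256(salt + password).digest(), "big") % N
    while x < 2 or gcd(x, N) != 1:  # stay inside the multiplicative group mod N
        x += 1
    return x

def slow_path(x: int, work: int, base: int = 2) -> int:
    """Public-parameter path: anyone holding only N (a delegate, or a server
    that has discarded p and q) must do 'work' successive exponentiations."""
    for _ in range(work):
        x = pow(x, base, N)
    return x

def fast_path(x: int, work: int, base: int = 2) -> int:
    """Private-parameter path: with p and q, base**work is reduced modulo
    phi(N) and the whole chain collapses into one exponentiation (Euler's
    theorem, gcd(x, N) = 1). Keeping p and q around keeps this shortcut alive."""
    return pow(x, pow(base, work, PHI), N)

def exponent_is_permutation(base: int) -> bool:
    """RSA-style condition from the post: base must be coprime to phi(N) for
    x -> x**e to be a bijection. Base 2 never is, since phi(N) is even."""
    return gcd(base, PHI) == 1

def post_hash(y: int, salt: bytes) -> bytes:
    """Post-hashing: store a 32-byte digest instead of the full-size group element."""
    return hashlib.sha256(salt + y.to_bytes((N.bit_length() + 7) // 8, "big")).digest()

def makwa_like(password: bytes, salt: bytes, work: int, base: int = 2) -> bytes:
    return post_hash(slow_path(pre_hash(password, salt), work, base), salt)
```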
