Open Source and information security mailing list archives
Date: Sun, 14 Sep 2014 07:33:29 -0400
From: Bill Cox <waywardgeek@...hershed.org>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Improving Makwa and arguing points for or against

On 09/14/2014 06:13 AM, Steve Thomas wrote:
> I think Makwa has one nice feature: delegation. The fixes needed
> are: required pre-hashing, post hashing, and clearing p and q right
> after they are generated. Replacing e=2**n with e=65537**n also
> requires gcd(65537, (p-1)*(q-1))=1. This way you can say it's as
> safe as RSA. I guess that's not really necessary since post hashing
> is now required.

I assume there's some good mathematical reason for 65537, but I can't
comment on that.

I personally feel pre and post hashing is needed, for similar reasons
as you, though it is also impractical to expect random database guys
to be happy with a 2048 bit hash when they've been used to much
smaller.  Imagine editing /etc/passwd with those in it.

> Delegation is cool, but I don't see it as something that will be
> used in the real world. The only arguing points I see are: is
> delegation awesome enough to make it go to the next round, whether
> we can force changes to an algorithm, and whether we can prevent
> the author from saying "you could keep p and q for fast path".

Delegation is cool.  Makwa is in its own category.  It's not going to
be a PHC winner recommended to replace Scrypt.  However, while
delegation is not something we can use in existing systems very
effectively, it might be key to enabling future security in systems we
wish we could build.

In particular, we don't seem to be able to secure the regular
Internet.  How are we going to secure the "Internet of Things"?
Delegation seems like a great way for any low-end system like your
home alarm system to validate your password.  Any random low-end thing
on the Internet that we want to control remotely is a good candidate
for this.

I think it would be a shame to drop the only password hashing scheme
to ever provide delegation.  In comparison, Parallel is a great idea -
using GPUs for defense - but that is an idea that needs a lot of work,
IMO.  We need some good GPU guys to write a GPU optimized hashing
function.  Parallel as it stands is not an entry I would recommend we
use as-is.  However, as the only GPU defense entry, I think that
should also remain in the competition.

I'm tracking a group of entries I'm calling "Good ideas" now.  It
includes Parallel, Makwa, and AntCrypt.  Of these three, Makwa is the
only one with an implementation close to ready for prime-time, IMO.

Bill

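The pieces the thread argues about, as an added Python example that is not code from the Makwa submission or from anyone in the thread: the public slow path of w squarings, the p/q fast path Steve wants closed by clearing p and q, his gcd(65537, (p-1)*(q-1))=1 condition, pre- and post-hashing, and a one-pair version of delegation. The modulus, work factor, password and salt are constructed toy values, and the single-pair delegation is a simplification of Makwa's multi-pair scheme.

```python
import hashlib, math, secrets
# Constructed toy parameters (NOT a secure size): Makwa-style Blum modulus n = p*q,
# p and q both 3 mod 4.  Real Makwa uses a 2048-bit modulus.
P, Q = 10007, 10039
N = P * Q
WORK = 4096  # work factor w: the core map is x -> x^(2^w) mod n

def squarings_public(x, w, n):
    """Slow path: anyone holding only n performs w modular squarings."""
    for _ in range(w):
        x = x * x % n
    return x

def squarings_trapdoor(x, w, p, q):
    """Fast path for whoever kept p and q: reduce 2^w mod p-1 and q-1, two short
    exponentiations, CRT recombination.  Discarding p and q closes this shortcut."""
    yp = pow(x, pow(2, w, p - 1), p)
    yq = pow(x, pow(2, w, q - 1), q)
    return (yp + p * ((yq - yp) * pow(p, -1, q) % q)) % (p * q)

def rsa_style_exponent_ok(e, p, q):
    """Steve Thomas's condition for an e = 65537^w variant: gcd(e, (p-1)(q-1)) = 1."""
    return math.gcd(e, (p - 1) * (q - 1)) == 1

def make_delegation_pair(w, p, q):
    """One-time setup of (alpha, beta) with beta = alpha^(-2^w) mod n.  Uses the
    trapdoor here; without p and q each pair costs w squarings instead."""
    n, alpha = p * q, 0
    while math.gcd(alpha, n) != 1:  # also rejects the initial alpha = 0
        alpha = secrets.randbelow(n - 2) + 2
    return alpha, pow(squarings_trapdoor(alpha, w, p, q), -1, n)

def delegated_hash(x, w, n, pair):
    """Delegation: blind x with alpha, an untrusted helper does the w squarings, the
    client unmasks with beta; the helper never learns x.  Makwa combines many pairs."""
    alpha, beta = pair
    helper_result = squarings_public(x * alpha % n, w, n)  # the helper's work
    return helper_result * beta % n

def post_hash(y, n, out_bytes=32):
    """Post-hashing: shrink the n-sized result to a short, storable digest."""
    return hashlib.sha256(y.to_bytes((n.bit_length() + 7) // 8, "big")).digest()[:out_bytes]

def demo(password=b"correct horse", salt=b"constructed-salt"):
    # Pre-hashing: derive x in [2, n-2] from salt and password before squaring.
    x = int.from_bytes(hashlib.sha256(salt + password).digest(), "big") % (N - 3) + 2
    slow = squarings_public(x, WORK, N)
    fast = squarings_trapdoor(x, WORK, P, Q)
    delegated = delegated_hash(x, WORK, N, make_delegation_pair(WORK, P, Q))
    return slow == fast == delegated, len(post_hash(slow, N)), rsa_style_exponent_ok(65537, P, Q)
```

The fast path only exists while p and q survive, which is why the thread wants them cleared right after generation; the delegation pairs can still be produced without them at the cost of w squarings each.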