Open Source and information security mailing list archives
 
Date: Wed, 17 Sep 2014 20:22:40 +0200
From: Krisztián Pintér <pinterkr@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] omegacrypt and timing


epixoip (at Wednesday, September 17, 2014, 7:17:21 PM):
> I've never heard that this was a no-no in the context of password
> hashing.

what is the fundamental difference between password hashing and other
areas that makes that rule not in effect?

> On the contrary, data-dependent branching is something that has
> been considered highly desirable in password hashing, but viewed as
> difficult to implement in a way where it is actually effective.

it is not contradictory. there can be positive effects, but it does
not make the negative effects nonexistent. one might say the benefits
outweigh the drawbacks.

however, i'm not convinced that a potential break is worth the extra
defense. for all algorithms allowing it, i recommend countermeasures
against timing. for schvrch (or what the heck the name is) it is easy,
mostly just a little bit of care. for antcrypt, it is a great impact
on speed. for omegacrypt, there is some impact, but maybe not
devastating.


