lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 17 Sep 2014 14:12:57 -0700
From: epixoip <>
Subject: Re: [PHC] omegacrypt and timing

On 9/17/2014 12:20 PM, Krisztián Pintér wrote:
> epixoip (at Wednesday, September 17, 2014, 9:18:02 PM):
>> Password hashing is not cryptography. Timing attacks are not a practical
>> concern in password hashing, especially not with salted schemes.
> how or why is that? i just explained an attack scenario in another
> email. you disagree? also i consider "pwd hash is not crypto" some
> sort of joke.

Definitely not a joke. Just because we prefer to employ crypto
primitives in password hashing schemes does not mean that password
hashing is a crypto problem. It's an engineering problem. Very few
crypto requirements are applicable to the narrow scope of password
hashing. Of course if you're a crypto guy, it might be hard for you to
separate the two. Which might also explain why so many submissions focus
so much on things like cache timing resistance.

Regarding your attack scenario in your other email,

The primary goal of password hashing is to defend against offline
attacks in the event that a password database has been compromised.  The
primary threat model for password hashing starts with the assumption
that the attacker already has the hash+salt from the password database.
The primary goal of the PHC is to design a password hashing scheme that
makes offline attacks less efficient than the current state-of-the-art
(namely bcrypt & scrypt.)

Timing attacks and other side-channel attacks are of far less
importance, especially if they do not provide an attacker with more
information than they would have if they already have the hash+salt.

Powered by blists - more mailing lists