Date: Wed, 17 Sep 2014 22:29:48 +0000
From: Brandon Enright <bmenrigh@...ndonenright.net>
To: Krisztián Pintér <pinterkr@...il.com>
Cc: discussions@...sword-hashing.net, bmenrigh@...ndonenright.net
Subject: Re: [PHC] omegacrypt and timing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 18 Sep 2014 00:18:09 +0200
Krisztián Pintér <pinterkr@...il.com> wrote:

> epixoip (at Wednesday, September 17, 2014, 11:57:08 PM):
> > Then you do not seem to understand what Threat Modeling is.
>
> a model not chosen in accordance with physical reality is worthless.
> if your modeling excludes side channel attacks for whatever reason,
> when those are in fact feasible, your model is not a good model of
> reality, and your data will be compromised. do you disagree with this?

Protecting password storage has a different set of threats and therefore a
different set of requirements than many other situations. For example, much
of the focus in the SHA-3 competition was on things like:

* N-bit security for N-bit output
* Collision resistance
* Very fast hashing
* Low memory usage
* Simple implementations in hardware (low area)

Absolutely NONE of those requirements are requirements for password storage.
In fact, many of the requirements like fast hashing and low memory are
actually POOR properties for password storage.

We aren't building a KDF here, we're building a password hashing system that
resists the most likely and common attacks against stored passwords. If we
get a good KDF at the same time great, but it isn't the criteria we should be
using to evaluate the quality of the password hashing scheme.

Yes a side-channel attack that leaked the length of the password or directly
leaked some bits of the password would be bad. That does not mean that every
side-channel attack is bad.

In which of the most recent password database breaches has a side-channel
attack been used? None. But entirely offline cracking of weak hashes has made
most of them much worse for users.

Brandon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlQaC2gACgkQqaGPzAsl94J0JgCfUayjTdVb1X8CbCvE+hVqZQTw
ZHgAn0XmRT1LixYIwXokVAull009BByf
=vUUc
-----END PGP SIGNATURE-----
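The point above, that "very fast hashing" and "low memory usage" are desirable for a general-purpose hash but harmful for stored passwords because the realistic threat is offline cracking of a leaked database, can be made concrete with a small simulation. The following is an added example written for this archive page; it is not code from the thread, from the PHC, or from omegacrypt. It stores a constructed set of user passwords two ways (salted SHA-256 as the fast, low-memory hash, and scrypt as a memory-hard one) and then runs the same offline dictionary attack against both, reporting what was recovered and the attacker's guess rate. The scrypt parameters (n=2**14, r=8, p=1) and the wordlist are illustrative assumptions, not a recommendation.

```python
import hashlib
import os
import time

# Constructed attacker wordlist: common weak passwords (assumption for the demo).
WEAK_WORDLIST = ["password", "123456", "letmein", "qwerty", "hunter2", "dragon"]


def fast_hash(password: bytes, salt: bytes) -> bytes:
    """Salted SHA-256: fast and low-memory, exactly the SHA-3-style properties
    the message argues are poor for password storage."""
    return hashlib.sha256(salt + password).digest()


def memory_hard_hash(password: bytes, salt: bytes) -> bytes:
    """scrypt: deliberately slow and memory-hungry per guess.
    Parameters are illustrative assumptions for the demo (n=2**14 uses ~16 MiB)."""
    return hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def store(users: dict, hasher) -> dict:
    """Build a 'leaked database': user -> (salt, digest), one random salt per user."""
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        db[user] = (salt, hasher(pw.encode(), salt))
    return db


def crack(db: dict, hasher, wordlist: list) -> tuple:
    """Offline dictionary attack: for each leaked record, hash every candidate
    with that record's salt and compare. No side channel is needed; the attacker
    only needs the database and CPU time. Returns (recovered, guesses_made)."""
    recovered = {}
    guesses = 0
    for user, (salt, digest) in db.items():
        for candidate in wordlist:
            guesses += 1
            if hasher(candidate.encode(), salt) == digest:
                recovered[user] = candidate
                break
    return recovered, guesses


def compare(users: dict, wordlist: list) -> dict:
    """Run the same attack against both storage schemes and measure the cost
    per guess. The set of recovered passwords is identical (weak passwords are
    weak under any hash); only the attacker's throughput differs."""
    results = {}
    for name, hasher in (("sha256", fast_hash), ("scrypt", memory_hard_hash)):
        db = store(users, hasher)
        start = time.perf_counter()
        recovered, guesses = crack(db, hasher, wordlist)
        elapsed = time.perf_counter() - start
        results[name] = {
            "recovered": recovered,
            "guesses": guesses,
            "seconds": elapsed,
            "guesses_per_second": guesses / elapsed if elapsed > 0 else float("inf"),
        }
    return results


if __name__ == "__main__":
    # Constructed users: two weak passwords, one passphrase not in the wordlist.
    demo_users = {
        "alice": "hunter2",
        "bob": "correct horse battery staple",
        "carol": "123456",
    }
    for scheme, r in compare(demo_users, WEAK_WORDLIST).items():
        print(f"{scheme:7s} recovered={r['recovered']} "
              f"guesses={r['guesses']} rate={r['guesses_per_second']:.1f}/s")
```

Both schemes give up the same weak passwords; what changes is the number of guesses per second the attacker gets, and at scale that difference decides how much of a breached database is recovered before users can rotate. The scrypt digest is also no longer comparable with a SHA-256 one, so to extend the demo with a third scheme just add another `(name, hasher)` pair to `compare`.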