lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 17 Sep 2014 22:29:48 +0000
From: Brandon Enright <bmenrigh@...ndonenright.net>
To: Krisztián Pintér <pinterkr@...il.com>
Cc: discussions@...sword-hashing.net, bmenrigh@...ndonenright.net
Subject: Re: [PHC] omegacrypt and timing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 18 Sep 2014 00:18:09 +0200
Krisztián Pintér <pinterkr@...il.com> wrote:

> epixoip (at Wednesday, September 17, 2014, 11:57:08 PM):
> > Then you do not seem to understand what Threat Modeling is.  
> 
> a model not chosen in accordance with physical reality is worthless.
> if your modeling excludes side channel attacks for whatever reason,
> when those are in fact feasible, your model is not a good model of
> reality, and your data will be compromised. do you disagree with this?


Protecting password storage has a different set of threats and therefor
a different set of requirements than many other situations.

For example, much of the focus in the SHA-3 competition was on things
like:

* N-bit security for N-bit output
* Collision resistance
* Very fast hashing
* Low memory usage
* Simple implementations in hardware (low area)

Absolutely NONE of those requirements are requirements for password
storage.  In fact, many of the requirements like fast hashing and low
memory are actually POOR properties for password storage.

We aren't building a KDF here, we're building a password hashing system
that resists the most likely and common attacks against stored
passwords.  If we get a good KDF at the same time great, but it isn't
the criteria we should be using to evaluate the quality of the password
hashing scheme.

Yes a side-channel attack that leaked the length of the password or
directly leaked some bits of the password would be bad.  That does not
mean that every side-channel attack is bad.  In which of the most
recent password database breaches has a side-channel attack been used?
None.  But entirely offline cracking of weak hashes has made most of
them much worse for users.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlQaC2gACgkQqaGPzAsl94J0JgCfUayjTdVb1X8CbCvE+hVqZQTw
ZHgAn0XmRT1LixYIwXokVAull009BByf
=vUUc
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists