Date: Wed, 17 Sep 2014 12:10:27 +0200
From: Dmitry Khovratovich <khovratovich@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] omegacrypt and timing

Yes, you're right. You can save the number of login attempts by doing
password trials offline and selecting only those that match the timing pattern.

On Wed, Sep 17, 2014 at 12:03 PM, Krisztián Pintér <pinterkr@...il.com>
wrote:

> On Wed, Sep 17, 2014 at 11:53 AM, Dmitry Khovratovich
> <khovratovich@...il.com> wrote:
> > The running time will be different, but the question is how you are
> > going to exploit it without full hashing.
>
> it is not the only question. we are focusing too much on a single
> attack: someone having the hashed value, and trying to brute force the
> password. however, we also have the possibility that the attacker does
> not have the hash, but can listen in on side channels. if the hash
> function is side channel protected, attacker learns zero information.
> if there is a timing option, he can infer the password, through brute
> forcing, solely on timing information. the attack went from impossible
> to unfeasible.
>
> before you say, okay, but it is still unfeasible, here is some
> addition: what if i have some information about the password (i hacked
> another site, and i know the password choosing habits of said
> individual), and i can guess the password in 1 million tries. i can't
> attempt to log in a million times, but i can monitor timing, and then
> brute force a 1M search space within a reasonable timeframe. this
> attack is not possible with timing resistant algorithms.
>



-- 
Best regards,
Dmitry Khovratovich
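
The effect discussed in this thread, as an added illustration that is not part of the original messages: a toy hash whose round count depends on the password (it is not OmegaCrypt) is compared with a fixed-cost one, measuring how many guesses stay consistent with a single observed running time. The function names, salt, bucket count, and candidate list are all constructed assumptions.

```python
import hashlib
import math

SALT = b"constructed-salt"   # constructed sample value
BUCKETS = 16                 # assumption: observer can tell 16 running times apart

def leaky_rounds(password: str) -> int:
    """Toy password-dependent round count (illustrative, NOT OmegaCrypt)."""
    seed = hashlib.sha256(SALT + password.encode()).digest()
    return 1000 + 50 * (seed[0] % BUCKETS)

def fixed_rounds(password: str) -> int:
    """Data-independent cost: every password takes the same number of rounds."""
    return 1000

def consistent(candidates, cost_fn, observed):
    """Candidates whose offline-computed cost matches the observed running time."""
    return [c for c in candidates if cost_fn(c) == observed]

def leaked_bits(candidates, cost_fn):
    """Entropy of the cost distribution: bits one timing observation reveals."""
    counts = {}
    for c in candidates:
        cost = cost_fn(c)
        counts[cost] = counts.get(cost, 0) + 1
    n = len(candidates)
    return -sum(k / n * math.log2(k / n) for k in counts.values())

# Constructed guess list and target, standing in for "known password habits".
CANDIDATES = [f"hunter{i:04d}" for i in range(4096)]
TARGET = "hunter2014"

if __name__ == "__main__":
    for name, fn in (("leaky", leaky_rounds), ("fixed", fixed_rounds)):
        left = consistent(CANDIDATES, fn, fn(TARGET))
        print(f"{name}: {len(left)}/{len(CANDIDATES)} candidates remain, "
              f"{leaked_bits(CANDIDATES, fn):.2f} bits leaked per observation")
```

With the fixed-cost function every candidate remains and zero bits leak, so nothing can be ruled out without either the hash or an online attempt.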
