lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 17 Sep 2014 21:29:47 -0400
From: Bill Cox <>
Subject: Re: [PHC] omegacrypt and timing

Hash: SHA1

On 09/17/2014 06:37 PM, epixoip wrote:
> On 9/17/2014 3:18 PM, Krisztián Pintér wrote:
>> epixoip (at Wednesday, September 17, 2014, 11:57:08 PM):
>>> Then you do not seem to understand what Threat Modeling is.
>> a model not chosen in accordance with physical reality is
>> worthless. if your modeling excludes side channel attacks for
>> whatever reason, when those are in fact feasible, your model is
>> not a good model of reality, and your data will be compromised.
>> do you disagree with this?
> Again, you don't seem to understand how Threat Modeling works. No 
> threats are excluded from the threat model, but the access vector, 
> complexity, probability, and impact are all a factor in determing 
> whether a threat actually poses significant risk. Threats that do
> not pose any significant or measurable risk are largely
> inconsequential.
> The most significant threat to password hashing as evidenced by
> decades of password database breaches is offline cracking. That is
> the primary threat that poses the most risk, and compared to the
> other threats, the only one that really matters.

Krisztian is not the only author in the competition I have trouble
understanding.  I think we've agreed that we simply disagree on many
issues and have moved on.  For example, Keccak is he silver bullet?
Time for me to move on... now in *hardware*, I'm a Keccak fan.  I'd
love building Keccak cores in ASICs, probably to attack any entry
using Keccak.

However, I think you hit pretty close to the mark when you said
password hashing is mostly an engineering problem.  That's how I view
it.  I agree we're here to primarily introduce improved algorithms
over bcrypt and Scrypt.  As a life-long engineer, this seems like a
problem I can work on.  When I see people sacrifice 2.5X or more
defense efficiency to protect against attacks we haven't even seen in
the wild, it just kills me.

I had fun today starting work on a new password hashing algorithm that
incorporates several interesting ideas I discovered in my reviews.  I
am using Krisztian's sponge (also found in Lyra2 and Tortuga),
Schvrch's Wolfram Rule 30, and AntCrypt's large set of hashing cases.
 It also copies some more of Bcrypt's small unpredictable reads
defense.  I'm not sure how it will turn out, but it's awesome playing
with all these ideas.  I'm hoping it will turn out to be highly
defensive against GPUs.  Hopefully the best yet.

Version: GnuPG v1


Powered by blists - more mailing lists