Date: Wed, 17 Sep 2014 21:29:47 -0400
From: Bill Cox <waywardgeek@...hershed.org>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] omegacrypt and timing

On 09/17/2014 06:37 PM, epixoip wrote:
> On 9/17/2014 3:18 PM, Krisztián Pintér wrote:
>> epixoip (at Wednesday, September 17, 2014, 11:57:08 PM):
>>> Then you do not seem to understand what Threat Modeling is.
>> a model not chosen in accordance with physical reality is
>> worthless. if your modeling excludes side channel attacks for
>> whatever reason, when those are in fact feasible, your model is
>> not a good model of reality, and your data will be compromised.
>> do you disagree with this?
>
> Again, you don't seem to understand how Threat Modeling works. No
> threats are excluded from the threat model, but the access vector,
> complexity, probability, and impact are all a factor in determining
> whether a threat actually poses significant risk. Threats that do
> not pose any significant or measurable risk are largely
> inconsequential.
>
> The most significant threat to password hashing as evidenced by
> decades of password database breaches is offline cracking. That is
> the primary threat that poses the most risk, and compared to the
> other threats, the only one that really matters.

Krisztian is not the only author in the competition I have trouble
understanding. I think we've agreed that we simply disagree on many
issues and have moved on. For example, Keccak is the silver bullet?
Time for me to move on... now in *hardware*, I'm a Keccak fan. I'd
love building Keccak cores in ASICs, probably to attack any entry
using Keccak.

However, I think you hit pretty close to the mark when you said
password hashing is mostly an engineering problem. That's how I view
it. I agree we're here to primarily introduce improved algorithms
over bcrypt and Scrypt. As a life-long engineer, this seems like a
problem I can work on.

When I see people sacrifice 2.5X or more defense efficiency to
protect against attacks we haven't even seen in the wild, it just
kills me.

I had fun today starting work on a new password hashing algorithm
that incorporates several interesting ideas I discovered in my
reviews. I am using Krisztian's sponge (also found in Lyra2 and
Tortuga), Schvrch's Wolfram Rule 30, and AntCrypt's large set of
hashing cases. It also copies some more of Bcrypt's small
unpredictable reads defense. I'm not sure how it will turn out, but
it's awesome playing with all these ideas. I'm hoping it will turn
out to be highly defensive against GPUs. Hopefully the best yet.

Bill