lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 18 Sep 2014 02:07:33 -0700
From: epixoip <>
Subject: Re: [PHC] omegacrypt and timing


Please quote the text you are replying to, as I am now doing.

On 9/17/2014 6:58 PM, Peregrine wrote:
> If we had a widely used password hash function that was extremely
> secure against offline attacks but leaked enough timing information
> for attackers to find the password, then offline attacks would
> severely decline and timing attacks would rise.

descrypt, bcrypt, and scrypt all have theoretical timing attacks, yet
offline attacks for these algorithms have certainly not declined.

I believe a timing attack that actually reveals the password is pretty
far-fetched. The best you can probably hope for is leaking some
information that enables early-reject for offline attacks, and that's
provided you have the hash+salt in addition to the side channel. And if
an attacker only has the side channel and doesn't have the salt, the
side channel attack is largely irrelevant.

> Also, if an attacker can dump a presumably well-protected file like a
> password database then they can at least run some commands on the
> victim server. Assuming that they can't get timing data because the
> best current attacks are offline is probably a bad assumption.

An attacker doesn't always have the ability to run commands, no. But if
they could, there are several vectors that password hashing can't defend
against if an attacker has a shell, side channels probably being the
least of them (certainly the least practical.)

> The more secure one area of a system is made the more incentive there
> is for attackers to strike elsewhere.

Password hashing isn't so much about security as it is about insurance.

Powered by blists - more mailing lists