[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <541AD1C2.8030600@stud.uni-saarland.de>
Date: Thu, 18 Sep 2014 14:36:18 +0200
From: Conrad Lampe <s9colamp@...d.uni-saarland.de>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] omegacrypt and timing
On 09/18/2014 12:37 AM, epixoip wrote:
>
> The most significant threat to password hashing as evidenced by decades
> of password database breaches is offline cracking. That is the primary
> threat that poses the most risk, and compared to the other threats, the
> only one that really matters.
>
While I agree that currently the main threat to password hashing is
offline cracking I can imagine scenarios where side-channel attacks
might become feasible when the password hashing function leaks password
details to a side-channel.
Imagine a non-hardened multi-user linux server. Every user can monitor
all other users' tasks in a very detailed manner. Waiting for processes
like su/sudo and measure their execution time may already be enough to
gather some information on a user's password. In combination with the
(available) user name and some data mining one could probably craft a
small list of very likely password candidates.
Assuming the salt is in such cases not available to the attacker (if
said user has root privileges he can easily backdoor said binaries) it
might be ok to leak information about the combined (in terms of hashed
or similarly mangled) pass+salt combination, that does not allow to
gather any information about the password directly. However, leaking
information about the actual plain text to side channels is very
dangerous and should definitely be avoided to prevent new attack vectors.
I have no idea how omegacrypt and the other candidates implement this.
This is referring to password storage algorithms in general.
Powered by blists - more mailing lists