lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 18 Sep 2014 14:36:18 +0200
From: Conrad Lampe <s9colamp@...d.uni-saarland.de>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] omegacrypt and timing

On 09/18/2014 12:37 AM, epixoip wrote:
>
> The most significant threat to password hashing as evidenced by decades
> of password database breaches is offline cracking. That is the primary
> threat that poses the most risk, and compared to the other threats, the
> only one that really matters.
>

While I agree that currently the main threat to password hashing is 
offline cracking I can imagine scenarios where side-channel attacks 
might become feasible when the password hashing function leaks password 
details to a side-channel.

Imagine a non-hardened multi-user linux server. Every user can monitor 
all other users' tasks in a very detailed manner. Waiting for processes 
like su/sudo and measure their execution time may already be enough to 
gather some information on a user's password. In combination with the 
(available) user name and some data mining one could probably craft a 
small list of very likely password candidates.

Assuming the salt is in such cases not available to the attacker (if 
said user has root privileges he can easily backdoor said binaries) it 
might be ok to leak information about the combined (in terms of hashed 
or similarly mangled) pass+salt combination, that does not allow to 
gather any information about the password directly. However, leaking 
information about the actual plain text to side channels is very 
dangerous and should definitely be avoided to prevent new attack vectors.

I have no idea how omegacrypt and the other candidates implement this. 
This is referring to password storage algorithms in general.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ