lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <541ADA56.3030900@ciphershed.org>
Date: Thu, 18 Sep 2014 09:12:54 -0400
From: Bill Cox <waywardgeek@...hershed.org>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] omegacrypt and timing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/18/2014 05:07 AM, epixoip wrote:
> Peregrine:
>
> Please quote the text you are replying to, as I am now doing.
>
> On 9/17/2014 6:58 PM, Peregrine wrote:
>> If we had a widely used password hash function that was extremely
>> secure against offline attacks but leaked enough timing
>> information for attackers to find the password, then offline
>> attacks would severely decline and timing attacks would rise.
>
> descrypt, bcrypt, and scrypt all have theoretical timing attacks,
> yet offline attacks for these algorithms have certainly not
> declined.
>
> I believe a timing attack that actually reveals the password is
> pretty far-fetched. The best you can probably hope for is leaking
> some information that enables early-reject for offline attacks,
> and that's provided you have the hash+salt in addition to the side
> channel. And if an attacker only has the side channel and doesn't
> have the salt, the side channel attack is largely irrelevant.

I tend to agree the attack is still mostly theoretical. However, I think it is worth adding a bit of complexity to defend against timing attacks, so long as it does not significantly weaken the main defense. I added an additional loop to TwoCats, where the first is timing-attack resistant, but the second loop is unpredictable. Scrypt also has a timing-resistant first loop, but with its low memory requirement, a cache timing attack is pretty strong.

It does make the algorithm more complex. It's not an easy call. I consider several entries that make no attempt at timing defense of any kind as still strong candidates. I would rather have one of those defending my passwords than a pure timing-attack resistant algorithm. Unpredictability puts extra hurt on brute-force attackers.

Bill
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUGtpSAAoJEAcQZQdOpZUZUEYP/0qabVVBtJVXTU07du7GijoI
XzMGFmYVRYqv0YSuE0Nl2Zi0MPe8Xd6xKhXK0En11OTKrGa9WQn5VBwO5vNcsTY5
F1kqBXAMO76Ue2IV13pS10Rx4ii200hE0Mw0HyJfwP9Ta903BXgp2i+mvqyMo48h
sWbcUtqyTsZYLEpWTB+pWedX8fofh1i86y8i4uxki/1VeK4Wzr/2lbqXs0pwmBMn
RmzcpUPYdLF+ql2nJmHaXcvH2YxNcPhiNE9TGwC/M5hEKg6/WLnE2RKkG8eI3qLL
dUslnLGp3CMJLdG+I9WbxCSA1BsaYyMSliMhq5watlyHRg9tBsMYM+di+RvwDFpA
iYGb1VDvEe2ZjF1k2SPcI426kAWMJNj8fC5GF9AS/w7Qgxi0nO9ydRWWtMzC2Kgj
LvnAwsM9xKXYNL5bTuPimViLDcfPe1JzGyhc6OVDKoAbFNHQlZkBe1mbWIoPD81I
UwMxpeQo0dkSbe2xPRlnYSnXjwEYpz0IJOYWRXb8TjkNORESvCMe5e7Pz6UCCLdw
W8Qni/pk4+p6nT1te2yTkB3jH7EKKTc/5we6/37vXSQc4gBSymSGWDdOsC4LzEMx
9opJr1xcSWwyAUWzNFKk3u3t0s8ASR6/k+Asy5ITUM+6Vwo2XbqNlQi4cuO3xdqI
Yosrb/lVOy/Eop6y77SH
=L3rL
-----END PGP SIGNATURE-----
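As an added illustration of the two-loop design Bill describes above (this is not TwoCats, scrypt or any PHC entry's code, and it is not a usable password hash), here is a Python sketch of a hybrid memory-hard loop: a first pass whose memory addresses depend only on the block index and a public schedule, and a second pass whose addresses are derived from the evolving secret state. The block count, the BLAKE2b mixing step and the schedule are arbitrary choices made for this example; the function also returns the two address traces, which a real KDF would never expose, solely so the reader can check which pass leaks through a cache-timing side channel.

```python
"""Toy hybrid memory-hard loop (example only, not TwoCats).

Pass 1 uses data-independent addressing: the sequence of blocks read is a
function of the loop counter alone, so an attacker watching cache lines
sees the same pattern for every password.  Pass 2 uses data-dependent
addressing: each address is taken from the running state, which depends on
the password, so the same attacker learns bits of secret state, while an
attacker without that side channel must evaluate the whole function to find
out which blocks are touched.
"""
import hashlib
from typing import List, Tuple

BLOCK_BYTES = 32  # illustrative block size


def _h(*parts: bytes) -> bytes:
    """BLAKE2b over the concatenation of parts; stands in for a real mixer."""
    h = hashlib.blake2b(digest_size=BLOCK_BYTES)
    for p in parts:
        h.update(p)
    return h.digest()


def _public_schedule(i: int) -> int:
    """Address for pass 1: depends only on the public block index i."""
    return int.from_bytes(_h(b"sched", i.to_bytes(4, "little"))[:4], "little") % i


def hybrid_hash(password: bytes, salt: bytes,
                mem_blocks: int = 64) -> Tuple[bytes, List[int], List[int]]:
    """Return (digest, pass1_addresses, pass2_addresses).

    The address lists model what a cache-timing observer could recover.
    """
    state = _h(b"init", salt, password)
    mem: List[bytes] = [b""] * mem_blocks
    pass1: List[int] = []
    pass2: List[int] = []

    # Pass 1: fill memory.  Each block mixes the previous block with an
    # earlier block chosen by the public schedule, never by secret data.
    mem[0] = _h(b"block", state)
    for i in range(1, mem_blocks):
        j = _public_schedule(i)
        pass1.append(j)
        mem[i] = _h(mem[i - 1], mem[j])

    # Pass 2: password-dependent addressing.  The next block to read is
    # chosen from the current secret state, so the access pattern is
    # unpredictable without evaluating the function.
    state = mem[-1]
    for i in range(mem_blocks):
        j = int.from_bytes(state[:4], "little") % mem_blocks
        pass2.append(j)
        state = _h(state, mem[j], i.to_bytes(4, "little"))
        mem[j] = state  # overwrite so later reads depend on earlier ones

    return _h(b"final", state), pass1, pass2


def trace_leakage(pw_a: bytes, pw_b: bytes, salt: bytes) -> Tuple[bool, bool]:
    """(pass1_traces_equal, pass2_traces_equal) for two candidate passwords.

    A cache-timing observer can distinguish the passwords only through a
    pass whose trace differs.
    """
    _, p1a, p2a = hybrid_hash(pw_a, salt)
    _, p1b, p2b = hybrid_hash(pw_b, salt)
    return p1a == p1b, p2a == p2b


if __name__ == "__main__":
    # Constructed sample inputs for a local run.
    same1, same2 = trace_leakage(b"correct horse", b"wrong horse", b"example-salt")
    print("pass 1 trace identical across passwords:", same1)
    print("pass 2 trace identical across passwords:", same2)
```

Running the module shows the trade-off in the message: pass 1 yields an identical trace for any two passwords, so it gives a side-channel observer nothing, while pass 2's trace differs, which is exactly the unpredictability that makes an offline attacker's memory accesses hard to schedule, at the cost of being the pass a cache-timing attacker can use for early rejection once they also hold the hash and salt.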