Date: Thu, 18 Sep 2014 09:12:54 -0400
From: Bill Cox <waywardgeek@...hershed.org>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] omegacrypt and timing

On 09/18/2014 05:07 AM, epixoip wrote:
> Peregrine:
> 
> Please quote the text you are replying to, as I am now doing.
> 
> On 9/17/2014 6:58 PM, Peregrine wrote:
>> If we had a widely used password hash function that was extremely
>> secure against offline attacks but leaked enough timing 
>> information for attackers to find the password, then offline 
>> attacks would severely decline and timing attacks would rise.
> 
> descrypt, bcrypt, and scrypt all have theoretical timing attacks, 
> yet offline attacks for these algorithms have certainly not 
> declined.
> 
> I believe a timing attack that actually reveals the password is 
> pretty far-fetched. The best you can probably hope for is leaking 
> some information that enables early-reject for offline attacks,
> and that's provided you have the hash+salt in addition to the side 
> channel. And if an attacker only has the side channel and doesn't 
> have the salt, the side channel attack is largely irrelevant.

I tend to agree the attack is still mostly theoretical.  However, I
think it is worth adding a bit of complexity to defend against timing
attacks, so long as it does not significantly weaken the main defense.
I added an additional loop to TwoCats, where the first is
timing-attack resistant, but the second loop is unpredictable. Scrypt
also has a timing-resistant first loop, but with its low memory
requirement, a cache timing attack is pretty strong.

It does make the algorithm more complex.  It's not an easy call.  I
consider several entries that make no attempt at timing defense of any
kind as still strong candidates.  I would rather have one of those
defending my passwords than a pure timing-attack resistant algorithm.
Unpredictability puts extra hurt on brute-force attackers.

Bill
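The two-loop structure Bill describes (a first pass whose memory addresses depend only on the loop counter, followed by an unpredictable pass whose addresses come from block contents), shown as an added toy example in Python; this is not TwoCats or scrypt code, and the HMAC mixing step, the address schedule constant and the block count are constructed placeholders. It also returns each loop's address trace, so you can check that the first loop's access pattern is identical for any two passwords while the second loop's is not.

```python
import hashlib
import hmac


def _prf(key: bytes, msg: bytes) -> bytes:
    """Keyed mixing step: HMAC-SHA256 stands in for a real block mixer."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def _public_index(i: int) -> int:
    """Address schedule for loop 1 (constructed): depends only on the
    block counter i (i >= 1), so every password reads memory in the
    same order and a cache-timing observer learns nothing secret."""
    return ((i * 0x9E3779B1) >> 8) % i


def hybrid_hash(password: bytes, salt: bytes, n_blocks: int = 64, rounds: int = 2):
    """Toy two-loop memory-hard function (example only, not TwoCats).

    Returns (digest, loop1_trace, loop2_trace). The traces list the block
    index each loop read, i.e. what a cache-timing side channel exposes.
    """
    mem = [_prf(salt, password)]  # block 0 is seeded from the secret
    loop1_trace = []
    # Loop 1: timing-attack resistant. Addresses come from the counter.
    for i in range(1, n_blocks):
        j = _public_index(i)
        loop1_trace.append(j)
        mem.append(_prf(mem[i - 1], mem[j]))

    loop2_trace = []
    # Loop 2: unpredictable. Addresses come from block contents, so the
    # cache lines touched vary with the password; this is the extra cost
    # for brute-force attackers and also the part that can leak timing.
    for _ in range(rounds):
        for i in range(n_blocks):
            j = int.from_bytes(mem[i - 1][:4], "big") % n_blocks
            loop2_trace.append(j)
            mem[i] = _prf(mem[i], mem[j])

    return _prf(salt, mem[-1]), loop1_trace, loop2_trace
```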
