Message-ID: <541ADA56.3030900@ciphershed.org>
Date: Thu, 18 Sep 2014 09:12:54 -0400
From: Bill Cox <waywardgeek@...hershed.org>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] omegacrypt and timing
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/18/2014 05:07 AM, epixoip wrote:
> Peregrine:
>
> Please quote the text you are replying to, as I am now doing.
>
> On 9/17/2014 6:58 PM, Peregrine wrote:
>> If we had a widely used password hash function that was extremely
>> secure against offline attacks but leaked enough timing
>> information for attackers to find the password, then offline
>> attacks would severely decline and timing attacks would rise.
>
> descrypt, bcrypt, and scrypt all have theoretical timing attacks,
> yet offline attacks for these algorithms have certainly not
> declined.
>
> I believe a timing attack that actually reveals the password is
> pretty far-fetched. The best you can probably hope for is leaking
> some information that enables early-reject for offline attacks,
> and that's provided you have the hash+salt in addition to the side
> channel. And if an attacker only has the side channel and doesn't
> have the salt, the side channel attack is largely irrelevant.
I tend to agree the attack is still mostly theoretical. However, I
think it is worth adding a bit of complexity to defend against timing
attacks, so long as it does not significantly weaken the main defense.
I added an additional loop to TwoCats, where the first is
timing-attack resistant, but the second loop is unpredictable. Scrypt
also has a timing-resistant first loop, but with its low memory
requirement, a cache timing attack is pretty strong.
It does make the algorithm more complex. It's not an easy call. I
consider several entries that make no attempt at timing defense of any
kind as still strong candidates. I would rather have one of those
defending my passwords than a pure timing-attack resistant algorithm.
Unpredictability puts extra hurt on brute-force attackers.
Bill
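The two-loop design Bill describes (a first loop whose memory addresses do not depend on the password, followed by a second loop whose addresses do, the same shape as scrypt's SMix) can be modelled in a few lines. The following is an added example written for this page; it is not TwoCats or scrypt code, and the BLAKE2b-based compression function, the 64-block memory size and the two sample passwords are constructed for illustration. It records the index trace of each loop so a defender can see which loop's access pattern is invariant across passwords (and so reveals nothing to a cache-timing observer) and which is password-dependent.

```python
import hashlib
from typing import Dict, List, Tuple


def _h(*parts: bytes, n: int = 32) -> bytes:
    """Length-prefixed BLAKE2b over the given parts (toy compression function)."""
    h = hashlib.blake2b(digest_size=n)
    for p in parts:
        h.update(len(p).to_bytes(4, "little"))
        h.update(p)
    return h.digest()


def hybrid_hash(password: bytes, salt: bytes, mem_blocks: int = 64
                ) -> Tuple[bytes, List[int], List[int]]:
    """Toy two-loop memory-hard hash (constructed example, not TwoCats or scrypt).

    Returns the digest plus the sequence of memory indices read by each loop,
    so the access pattern each loop exposes can be inspected.
    """
    if mem_blocks < 2 or mem_blocks & (mem_blocks - 1):
        raise ValueError("mem_blocks must be a power of two >= 2")
    mem: List[bytes] = [b""] * mem_blocks
    state = _h(password, salt)
    trace1: List[int] = []
    trace2: List[int] = []

    # Loop 1 (timing-attack resistant): block i mixes the previous block with an
    # earlier block j. j is derived only from the salt and the counter i, so the
    # addresses touched are the same for every password; only the contents differ.
    for i in range(mem_blocks):
        j = int.from_bytes(_h(salt, i.to_bytes(4, "little"), n=4), "little") % max(i, 1)
        trace1.append(j)
        prev = mem[i - 1] if i else state
        mem[i] = _h(prev, mem[j] if i else b"", i.to_bytes(4, "little"))

    # Loop 2 (unpredictable): the next index is read out of the running state,
    # which already depends on the password, so the address sequence depends on
    # the password too. This is what a cache-timing observer could learn, and
    # also what denies an attacker a precomputable access schedule.
    for _ in range(mem_blocks):
        j = int.from_bytes(state[:4], "little") & (mem_blocks - 1)
        trace2.append(j)
        state = _h(state, mem[j])
        mem[j] = state

    return _h(state, salt), trace1, trace2


def compare_access_patterns(pw_a: bytes, pw_b: bytes, salt: bytes,
                            mem_blocks: int = 64) -> Dict[str, bool]:
    """Report, per loop, whether two passwords produce the same address trace."""
    _, a1, a2 = hybrid_hash(pw_a, salt, mem_blocks)
    _, b1, b2 = hybrid_hash(pw_b, salt, mem_blocks)
    return {"loop1_trace_identical": a1 == b1, "loop2_trace_identical": a2 == b2}


if __name__ == "__main__":
    # Constructed sample passwords and salt.
    print(compare_access_patterns(b"correct horse", b"Tr0ub4dor&3", b"constructed-salt"))
    # -> {'loop1_trace_identical': True, 'loop2_trace_identical': False}
```

The first loop's trace matches for any two passwords, so an observer of its cache behaviour learns nothing password-specific; the second loop's trace differs, which is the leak Bill accepts in exchange for an access schedule the brute-force attacker cannot precompute.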