Open Source and information security mailing list archives
Message-ID: <op.xqsddvy1yldrnw@laptop-air>
Date: Fri, 12 Dec 2014 19:02:09 -0800
From: "Jeremy Spilman" <jeremy@...link.co>
To: discussions@...sword-hashing.net
Cc: gmaxwell@...il.com, "Thomas Pornin" <pornin@...et.org>, cormac@...rosoft.com
Subject: Re: [PHC] Some KDF stumbling blocks, plus Common "memory-hard" approaches and amortized attack costs.

> On Fri, Dec 12, 2014 at 10:38:05PM +0000, Gregory Maxwell wrote:
>> I am saddened that none of the proposals supported delegation scheme
>> with information-theoretic security ( which are possible,
>> https://bitcointalk.org/index.php?topic=311000.0 )

On Fri, 12 Dec 2014 16:22:58 -0800, Thomas Pornin <pornin@...et.org> wrote:
> (Minor terminology nitpick: none of the above is "information-theoretic
> security". That term designates algorithms that remain secure against
> attackers with unbounded computing abilities. By definition, this cannot
> apply to password hashing, where exhaustive search always succeeds in
> the long run. Also, anything involving a non-prime modulus can be broken
> by factoring the modulus.)

I was reading Florêncio, Herley and Oorschot's recently published 'Administrator's Guide to Internet Password Research' a couple weeks ago (http://research.microsoft.com/pubs/227130/WhatsaSysadminToDo.pdf) and in it I found a curious reference...

  [15] G. D. Crescenzo, R. J. Lipton, and S. Walfish. Perfectly secure password protocols in the bounded retrieval model. In TCC, pages 225–244, 2006.

This is certainly the earliest reference I've found yet of applying the 'security by obesity' concept. Crescenzo offers a formal proof for security against a computationally unbounded attacker in the bounded retrieval model (e.g. physically too big to steal over the network).

What I've been calling Blind Hashing takes the bounded retrieval model (wish I knew that term back in 2012!) and combines it with delegation to an untrusted central data pool, using a keyed hash to adaptively index the data pool and retrieve a second [512-bit] salt/key for use in further hashing. We're still beta / pre-launch (soon, soon!) but a write-up is here: https://medium.com/@TapLink/the-password-defense-league-c416ceaedb33.

I felt it's mainly out-of-scope for PHC since it works in concert with any hashing function, and it's a commercial service to boot, but there is zero chance of me passing up an opportunity to discuss delegation and information-theoretic security with GMaxwell, TPornin, and CHerley on the PHC list!
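The delegation step described in the message above, as an added illustration that is neither Jeremy Spilman's nor TapLink's code: a conventional first-stage password hash is computed locally, a keyed hash of that result selects one entry in a large untrusted data pool, and the 512-bit value fetched from that entry is mixed in as a second key for the final hash. PBKDF2 as the first stage, HMAC for the keyed index and the final mix, the per-site `site_key`, the 4096-entry in-memory pool and the message framing strings are all assumptions made for this sketch; nothing here is taken from the TapLink write-up.

```python
import hashlib
import hmac
import struct

POOL_BLOCK_BYTES = 64          # one 512-bit salt/key per pool entry
POOL_BLOCKS = 1 << 12          # 4096 entries = 256 KiB here; a real pool is far larger (assumption)
STAGE1_ITERATIONS = 10_000     # kept low for the demo; not a production setting


def build_pool(seed: bytes, blocks: int = POOL_BLOCKS) -> bytes:
    """Fill the pool deterministically so the demo is reproducible.

    Constructed data: a real pool would be generated once from a CSPRNG and
    must not be derivable from a short seed, since the whole point of the
    bounded retrieval model is that its bulk cannot be compressed away.
    """
    return b"".join(hashlib.sha512(seed + struct.pack(">Q", i)).digest()
                    for i in range(blocks))


class UntrustedPool:
    """Stand-in for the remote data-pool service.

    It answers index lookups and logs what it was asked, which is exactly
    what a hostile pool operator would get to observe.
    """

    def __init__(self, pool: bytes):
        if len(pool) % POOL_BLOCK_BYTES:
            raise ValueError("pool size must be a multiple of the block size")
        self.pool = pool
        self.blocks = len(pool) // POOL_BLOCK_BYTES
        self.queries = []

    def fetch(self, index: int) -> bytes:
        if not 0 <= index < self.blocks:
            raise IndexError("pool index out of range")
        self.queries.append(index)
        start = index * POOL_BLOCK_BYTES
        return self.pool[start:start + POOL_BLOCK_BYTES]


def stage1(password: bytes, salt: bytes) -> bytes:
    """Conventional first-stage password hash. PBKDF2 is used only because it
    is in the standard library; any PHC-style function could be substituted,
    which is the 'works in concert with any hashing function' point."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, STAGE1_ITERATIONS, dklen=32)


def pool_index(site_key: bytes, h1: bytes, blocks: int) -> int:
    """Keyed hash of h1 selects the pool entry.

    site_key is an assumed per-site secret: keying the derivation means the
    pool operator sees an index rather than h1, and cannot build a
    password -> index table without that key.
    """
    mac = hmac.new(site_key, b"blind-hash-index" + h1, hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % blocks


def stage2(h1: bytes, pool_value: bytes) -> bytes:
    """Mix the retrieved 512-bit pool value into the final hash as a second key."""
    return hmac.new(pool_value, b"blind-hash-final" + h1, hashlib.sha512).digest()


def blind_hash(password: bytes, salt: bytes, site_key: bytes, pool: UntrustedPool) -> bytes:
    h1 = stage1(password, salt)
    idx = pool_index(site_key, h1, pool.blocks)
    return stage2(h1, pool.fetch(idx))


def verify(password: bytes, salt: bytes, site_key: bytes,
           pool: UntrustedPool, stored: bytes) -> bool:
    return hmac.compare_digest(blind_hash(password, salt, site_key, pool), stored)


if __name__ == "__main__":
    pool = UntrustedPool(build_pool(b"demo-seed"))
    salt, site_key = b"per-user-salt", b"per-site-key"
    stored = blind_hash(b"correct horse battery staple", salt, site_key, pool)
    print("ok   :", verify(b"correct horse battery staple", salt, site_key, pool, stored))
    print("wrong:", verify(b"Tr0ub4dor&3", salt, site_key, pool, stored))
    print("pool saw only indices:", pool.queries)
```

Two things the sketch makes concrete. First, the pool operator's view is the `queries` log: indices only, so it learns neither the password nor `h1`. Second, an attacker who steals the verifier's database (stored hash, salt and `site_key`) still needs one pool lookup per guess, so offline search is bounded by how much of the pool can be retrieved rather than by the cost of `stage1` alone; that is the bounded-retrieval argument the message is pointing at, and why the scheme is independent of which first-stage function is used.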