Date: Tue, 16 Dec 2014 08:01:36 +0100
From: Christian Forler <>
Subject: Re: [PHC] Some KDF stumbling blocks, plus Common "memory-hard" approaches
 and amortized attack costs.

On 12.12.2014 at 23:38, Gregory Maxwell wrote:

> When considering the potential of state level attackers (consider: A
> _single_ F-18 fighter costs around $30 million dollars) concerns
> around amortization and architectural gap reduction seem pretty
> material. (Keep in mind that there are publicly known state operated
> general purpose computers with over 1 petabyte dram).
> A simple PBKDF2 has a strong argument for the minimum energy cost to
> attack it, not just on a desktop but for the best possible attacker
> barring any computer engineering or mathematical breakthrough.

Against state level attackers you might need a KEYED password hashing
scheme, since a low entropy secret is no match against those kinds of
attackers. A password that is protected by a 256-bit key should
withstand even state level attackers (e.g., NSA).

The state spends billions of dollars for espionage. Thus, I doubt that
the energy cost to recover a 40-bit secret protected by PBKDF2
matters at all.

BTW, on page 24 of our current Catena specification [1], we proposed a
keyed password hashing approach that thwarts off-line attacks.


Best regards,
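
An added illustration of the keyed-hashing argument in this message, not part of the original post and not the Catena construction from the specification: a PBKDF2 output is wrapped in HMAC-SHA256 under a 256-bit server-side key, so a leaked record alone does not let anyone test password guesses. The function names, iteration count, and candidate list are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 10_000  # assumption: kept low so the example runs quickly


def unkeyed_hash(password: str, salt: bytes) -> bytes:
    """Plain PBKDF2-HMAC-SHA256: anyone holding salt and hash can test guesses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def keyed_hash(password: str, salt: bytes, key: bytes) -> bytes:
    """PBKDF2 output passed through HMAC-SHA256 under a 256-bit server-side key."""
    return hmac.new(key, unkeyed_hash(password, salt), hashlib.sha256).digest()


def matching_candidate(candidates, salt, stored, key=None):
    """Return the candidate whose hash equals `stored`, or None.

    key=None models someone who holds the leaked (salt, hash) record
    but not the server-side key, so only the unkeyed function is available.
    """
    for guess in candidates:
        digest = unkeyed_hash(guess, salt) if key is None else keyed_hash(guess, salt, key)
        if hmac.compare_digest(digest, stored):
            return guess
    return None


def demo():
    salt = secrets.token_bytes(16)
    key = secrets.token_bytes(32)  # 256-bit key, stored apart from the hash database
    candidates = ["123456", "letmein", "correct horse", "hunter2"]  # constructed sample
    password = "hunter2"  # constructed low-entropy secret
    leaked_unkeyed = unkeyed_hash(password, salt)
    leaked_keyed = keyed_hash(password, salt, key)
    return {
        # Unkeyed record: the low-entropy password falls to the candidate list.
        "unkeyed": matching_candidate(candidates, salt, leaked_unkeyed),
        # Keyed record without the key: no candidate can be confirmed.
        "keyed_without_key": matching_candidate(candidates, salt, leaked_keyed),
        # Legitimate server, which holds the key, still verifies normally.
        "keyed_with_key": matching_candidate(candidates, salt, leaked_keyed, key),
    }


if __name__ == "__main__":
    print(demo())
```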
