| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 Dec 2014 08:01:36 +0100
From: Christian Forler <christian.forler@...-weimar.de>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Some KDF stumbling blocks, plus Common "memory-hard" approaches
and amortized attack costs.
Am 12.12.2014 um 23:38 schrieb Gregory Maxwell:
> When considering the potential of state level attackers (consider: A
> _single_ F-18 fighter costs around $30 million dollars) concerns
> around amortization and architectural gap reduction seem pretty
> material. (Keep in mind that there are publicly known state operated
> general purpose computers with over 1 petabyte dram).
>
> A simple PBKDF2 has a strong argument for the minimum energy cost to
> attack it, not just on a desktop but for the best possible attacker
> barring any computer engineering or mathematical breakthrough.
Against state level attackers you might need a KEYED password hashing
scheme, since a low entropy secret is no match against those kinds of
attackers. A password that is protected by a 256-bit key should
withstand even state level attackers (e.g., NSA).
The state spends billions of dollars for espionage. Thus, I doubt that
the energy cost to recover a 40-bit secret protected by PBKDF2
matters at all.
BTW. At page 24, of our current Catena specification [1] we proposed a
keyed password hashing approach that thwarts off-line attacks.
[1]
http://www.uni-weimar.de/fileadmin/user/fak/medien/professuren/Mediensicherheit/Research/Publications/catena-v2.1.pdf
Best regards,
Christian
Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)
Powered by blists - more mailing lists