Open Source and information security mailing list archives
 
Message-ID: <CAMVss_qZuObQpugniRmsGJVWMKz4UcgUhh5vhES3p_YNbsV2rw@mail.gmail.com>
Date: Fri, 13 Mar 2015 15:22:39 -0400
From: Justin Cappos <jcappos@....edu>
To: Jeremy Spilman <jeremy@...link.co>
Cc: discussions <discussions@...sword-hashing.net>, 
	polypasswordhasher-dev <polypasswordhasher-dev@...glegroups.com>
Subject: Re: Password hashing by itself is not enough

>
>
> Key management / Protector account management concerns aside, I think it
> is reasonable to say the result (the resulting security posture) of a
> secret key and PolyPass are fairly similar if not exactly the same?
>

Yes, it is effectively the same.  In both cases, one needs to somehow
recover the key before cracking individual passwords.  So in both cases,
there is something the attacker must obtain before performing traditional
password cracking.


> Note, I copied the wrong cracking number from my previous email.  With a
> threshold of 5 on RockYou, and an attacker checking for 123456, the time
> would be hundreds of years w/ stretch to 1 check per second.  (1 check per
> second is sane because the defender will only need to do this operation a
> small number of times, often once, per reboot.)
>
>
> That's a very nice feature, to be able to add latency / cost to the key
> recovery process independent of the latency / cost of a password
> verification after the key has been recovered! I will have to read up on
> how you imposed tunable latency on the Shamir secret recovery process.
>

Right now, we just do key stretching on the hash you use to validate that
the recovered secret is correct.  So the attacker either has to do the hash
computation, which is slow, or recover k+1 accounts at once to do
validation (which is usually slower).

If someone knows a better way to do something akin to key stretching with a
scheme like Shamir's Secret Sharing, we'd love to hear about it.  :)

Thanks,
Justin
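
A minimal sketch of the design described in this message, added here as an illustration and not taken from PolyPasswordHasher's code: Shamir shares with a stretched verifier for the recovered secret, showing that k candidate shares cost one slow hash per check while k+1 shares can be checked for consistency without it. The prime field, PBKDF2, the iteration count, all function names and the data are assumptions of this sketch.

```python
import hashlib, hmac, secrets

P = 2**127 - 1  # prime field modulus (assumption of this sketch)

def split(secret, k, n):
    """Split secret into n shares; any k of them recover it."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    poly = lambda x: sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
    return [(x, poly(x)) for x in range(1, n + 1)]

def interpolate(shares, at=0):
    """Evaluate at `at` the polynomial through the given shares (Lagrange)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (at - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def stretch(secret, salt, iterations):
    """Slow verifier stored with the shares; iterations sets the cost."""
    return hashlib.pbkdf2_hmac("sha256", secret.to_bytes(16, "big"), salt, iterations)

def validate_with_hash(shares, salt, verifier, iterations):
    """With k candidate shares, each attempt costs one stretched hash."""
    candidate = interpolate(shares)
    return hmac.compare_digest(stretch(candidate, salt, iterations), verifier)

def validate_with_extra_share(shares, k):
    """With k+1 candidate shares, consistency is checkable without the hash."""
    x, y = shares[k]
    return interpolate(shares[:k], at=x) == y

def demo(k=5, n=8, iterations=200_000):
    """Constructed data: threshold 5 as in the thread, one share perturbed."""
    secret, salt = secrets.randbelow(P), secrets.token_bytes(16)
    verifier = stretch(secret, salt, iterations)
    shares = split(secret, k, n)
    good = shares[:k]
    bad = good[:-1] + [(good[-1][0], (good[-1][1] + 1) % P)]  # one wrong share
    return (validate_with_hash(good, salt, verifier, iterations),
            validate_with_hash(bad, salt, verifier, iterations),
            validate_with_extra_share(shares[:k + 1], k),
            validate_with_extra_share(bad + [shares[k]], k))

if __name__ == "__main__":
    print(demo())
```

Raising `iterations` slows only the first validation path; the second path is why the threshold itself has to stay out of reach.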
