Date: Wed, 22 Apr 2015 00:07:54 +0200
From: Krisztián Pintér <pinterkr@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Argon2 modulo division


Marcos Antonio Simplicio Junior (at Tuesday, April 21, 2015, 11:36:07 PM):

> - If the memory accesses are all password-dependent, then it is
> easier to discard guesses even before the memory is filled.
> - If the memory accesses are all password-independent, then it is
> easier to eliminate memory latencies from the attack costs even with
> cheap memory (just prefetch what you need soon before you use it).

there is a very significant difference between leaking a secret and
allowing for some performance optimizations. the former is a break,
the latter is just reducing the security margin by some. if we don't
have the proper security margin, having an extra 50% cost won't change
much. actually even doubling the cost is equivalent to only 1 bit of
password strength. maybe educating the user to have one more
character in the password does more for us than a tight cost
requirement.

also we need to bear in mind that the defender can optimize as well,
especially in the case of simple access patterns. a simple pre-reading of
the values in time will give you that, with some added complexity. i
was actually thinking about doing that, but discarded the idea for
simplicity.

