lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 22 Apr 2015 19:14:48 +0200
From: Thomas Pornin <>
Subject: Re: [PHC] Argon2 modulo division

On Tue, Apr 21, 2015 at 07:01:29PM +0200, Krisztián Pintér wrote:
> side channel attacks not only bypass the computational hardness. it is
> false that in case of a succesful attack, the hashing scheme reverts
> back to a single hash, or a half-hash if there are two phases. side
> channels are much more sinister. it is possible to steal the password
> in situations when it was not at all possible without them.

However, one should note that when side channel attacks apply, they tend
to have a large scope. For instance, if you have two VM running on the
same multi-core hardware, code from one VM may spy on the processing in
the other VM through cache timing analysis (it has been demonstrated in
lab conditions, but I have not -- yet -- heard about an actual case
spotted in the wild). Of course this means that the attacker (the evil
VM) will try to get passwords and encryption keys; but the attacker
may also try to attack every single other processing that occurs within
the target VM.

Arguably, if a machine hashes passwords, then this means that it
enforces some sort of explicit or implicit authentication system, and,
in many cases, that the machine processes at some point confidential
data. Any such processing is a potential target for side-channel attacks.

We cryptographers tend to concentrate on cryptographic algorithms,
because that's our jobs, and also because cryptographic keys (and
passwords) concentrate secrecy: guessing a key or password unlocks
access to a lot of things. But we must remember that using constant-time
cryptographic algorithms handles only the "tip of the iceberg". It would
be wrong to believe, or make users believe, that by using a
"constant-time password hashing function" all security issues have been

A consequence is that if you are really serious about the security of
your server, then you will take wider protective measures against timing
attacks -- basically, you rent a physical server, not a VM(*). At which
point side-channel leaks from the password hashing function have ceased
to be an issue.

This is not a simple problem. What I want to say is that the context
matters. It is _nice_ if a password hashing function offers protection
against side-channel leaks, because it opens up some new possibilities,
but only as part of a whole-system design that protects every
confidential data within it against the same kind of leak. Unfortunately
this is very hard to do, unless you use heavy artillery (dedicated
hardware), and the nice protection offered by the password hashing
function then loses a lot of its relevance.

Therefore, I don't think that offering constant-time processing is a
_mandatory_ part of any password-hashing function. It is good to have,
it scores extra points, but a function that does not do anything special
against side-channel leaks is not irremediably unsuable either.

(That being said, Makwa offers constant-time processing, leaking only
the password length, not the password contents; and, as I wrote in
another email, this can and should be fixed in the caller, not the
function itself.)

	--Thomas Pornin

(*) Cache-timing attacks on a physical server, from the outside, have
also been demonstrated, but they required some rather specific
conditions, in particular an attacker on the same LAN, and a lot of
attacker-triggered requests, something which is not easy to obtain when
the target is a password entered by a legitimate user.

Powered by blists - more mailing lists