Date: Mon, 4 May 2015 20:22:17 +0300
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Maximising Pseudo-Entropy versus resistance to Side-Channel Attacks

On Mon, May 04, 2015 at 07:08:22PM +0200, Stefan.Lucks@...-weimar.de wrote:
> On Mon, 4 May 2015, Solar Designer wrote:
> 
> >Now our options are: use solely hashes and comparison functions that are
> >side-channel safe(*) even without cryptographically random salts, or/and
> >require cryptographically random salts.  The latter hardens existing
> >software too - such as uses of strcmp() on password hashes in lots of
> >existing software.
> 
> Not at all. Don't require cryptographically random salts, but try to 
> generate them nevertheless. ;-)
> 
> THAT hardens existing software too.
> 
> This is the counterpart to requiring cryptographically random salts 
> without actually generating them

Fair enough.

> -- which would weaken your software.

We're already sort of requiring cryptographically random salts for
bcrypt and strcmp(), if we care about those leaks.  So relative to that,
no, preserving the same reliance does not weaken anything.

Alexander
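
The strcmp() leak discussed in this thread, as an added example that is not part of either message: an early-exit comparison reads a number of bytes that depends on where the stored and candidate hash strings first differ, while a constant-time comparison reads all of them. The function names and the sample strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample strings (not real hashes), all the same length. */
static const char STORED[] = "hash:0123456789abcdef";
static const char EARLY[]  = "Xash:0123456789abcdef"; /* differs at byte 0  */
static const char LATE[]   = "hash:0123456789abcdeX"; /* differs at byte 20 */

/* Early-exit comparison, as strcmp() behaves: stops at the first
 * differing byte. Returns 0 on match; *examined reports how many bytes
 * were read, which is the quantity that timing can reveal. */
static int early_exit_cmp(const char *a, const char *b, size_t *examined)
{
    size_t i = 0;
    while (a[i] != '\0' && a[i] == b[i])
        i++;
    *examined = i + 1;
    return (unsigned char)a[i] - (unsigned char)b[i];
}

/* Constant-time equality for two buffers of the same, public length.
 * Every byte is read and the differences are OR-ed together, so the
 * work done does not depend on the position of the first mismatch. */
static int ct_equal(const void *a, const void *b, size_t len, size_t *examined)
{
    const volatile unsigned char *pa = a, *pb = b;
    unsigned char diff = 0;
    size_t i;
    for (i = 0; i < len; i++)
        diff |= pa[i] ^ pb[i];
    *examined = len;
    return diff == 0;
}

int main(void)
{
    size_t n, len = sizeof(STORED) - 1;
    early_exit_cmp(STORED, EARLY, &n);
    printf("early-exit, mismatch at start: %zu bytes read\n", n);
    early_exit_cmp(STORED, LATE, &n);
    printf("early-exit, mismatch at end:   %zu bytes read\n", n);
    ct_equal(STORED, EARLY, len, &n);
    printf("constant-time, mismatch at start: %zu bytes read\n", n);
    ct_equal(STORED, LATE, len, &n);
    printf("constant-time, mismatch at end:   %zu bytes read\n", n);
    return 0;
}
```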
