Message-ID: <alpine.DEB.2.11.1505041908470.2010@debian>
Date: Mon, 4 May 2015 19:32:37 +0200 (CEST)
From: Stefan.Lucks@...-weimar.de
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Maximising Pseudo-Entropy versus resistance to Side-Channel
 Attacks

On Mon, 4 May 2015, Solar Designer wrote:

> I just recalled an earlier discussion in here where Christian Forler
> felt it was OK for Catena to absolutely rely on salt uniqueness for a
> feature, and I felt otherwise:
>
> http://thread.gmane.org/gmane.comp.security.phc/612/focus=659
>
> While uniqueness isn't randomness, the similarity is in strong reliance
> on a property of the salts.
>
> I think this shows my pragmatism.  When this kind of reliance isn't
> absolutely required for a security feature (there was another way to
> specify the feature in question), I am against it.  When there's a
> tradeoff between a not-yet-practically-relevant weakness and a currently
> practically relevant one, I may well choose to accept the former and
> mitigate the latter.
>
> Arguably, this also shows Catena team's inconsistency. ;-)

I see the smiley, but I don't get the joke. This is wrong for two reasons:

Firstly, there is a simple logical implication, which holds for all salts 
of decent sizes (like 128 bit for PHC):

     If the salt is random
     then it is unique (except with negligible probability).

Thus, by relaxing the requirement (from random to unique) we get a 
stronger scheme. And by inverting the requirement (from unique to random) 
you get a weaker scheme.

You try to generate a counterexample to the logical implication by 
discussing 12-bit salts from old unix crypt. But this is 2015 and PHC, 
unix crypt is history.

Secondly, Christian has actually been pointing out the development for 
encryption and authenticated encryption. Initially, many (mostly 
un-authenticated) encryption schemes assumed a random "initial value". 
Later, authors of encryption schemes just assumed unique nonces. By 
weakening the schemes, they got stronger cryptography. Currently, the 
discussion among cryptographers is about robust schemes: Even if you 
assume a unique nonce for authenticated encryption, does it make sense to 
maximise the remaining security you can preserve if nonces are 
accidentally reused?

Of course, the Catena team consists of different human beings which may 
have different opinions on some issues, or even change their opinion over 
time. Maybe, that is what the smiley was about?

So long

Stefan

------  I  love  the  taste  of  Cryptanalysis  in  the morning!  ------
uni-weimar.de/de/medien/professuren/mediensicherheit/people/stefan-lucks
--Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universität Weimar, Germany--
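The implication argued above (a random salt of decent size is unique except with negligible probability, while a 12-bit salt from old unix crypt is not) can be checked numerically with the birthday bound. The following Python block is an added example and is not part of the email, of Catena, or of any PHC submission; the salt sizes 128 and 12 bits come from the message, while the function names, the user counts and the probability thresholds are assumptions chosen for illustration.

```python
import math
import random


def collision_bound(num_salts: int, salt_bits: int) -> float:
    """Union (birthday) upper bound on the probability that at least two of
    num_salts uniformly random salt_bits-bit salts coincide: C(n, 2) / 2^bits."""
    pairs = num_salts * (num_salts - 1) // 2
    return min(1.0, pairs / 2.0 ** salt_bits)


def exact_collision_probability(num_salts: int, salt_bits: int) -> float:
    """Exact value 1 - prod_{i<n} (1 - i / 2^bits) for uniform salts, computed
    in log space so that it stays accurate both for tiny results (128-bit
    salts) and where the union bound is loose (12-bit salts, many users)."""
    space = 2.0 ** salt_bits
    log_p_unique = 0.0
    for i in range(num_salts):
        log_p_unique += math.log1p(-i / space)
    return -math.expm1(log_p_unique)


def users_before_risk(salt_bits: int, max_probability: float) -> int:
    """How many salts can be drawn at random before the collision probability
    reaches max_probability, using the n^2 / 2^(bits+1) approximation of the
    birthday bound (assumption: a simple closed form is good enough here)."""
    return int(math.sqrt(2.0 * max_probability * 2.0 ** salt_bits))


def simulate_collision_rate(num_salts: int, salt_bits: int,
                            trials: int, seed: int = 1) -> float:
    """Empirical collision rate: draw num_salts random salts per trial and
    count the trials in which at least two were equal. A fixed seed keeps the
    run reproducible; this is a constructed experiment, not a PRNG for salts."""
    rng = random.Random(seed)
    collided = 0
    for _ in range(trials):
        salts = {rng.getrandbits(salt_bits) for _ in range(num_salts)}
        if len(salts) < num_salts:
            collided += 1
    return collided / trials


if __name__ == "__main__":
    # 12-bit salts (old unix crypt): uniqueness fails after a few dozen users.
    for n in (20, 100):
        print(f"12-bit salts, {n:>3} users: exact={exact_collision_probability(n, 12):.4f}"
              f" bound={collision_bound(n, 12):.4f}"
              f" simulated={simulate_collision_rate(n, 12, 2000):.4f}")
    print("12-bit salts reach 50% collision chance at about",
          users_before_risk(12, 0.5), "users")
    # 128-bit salts (PHC): a billion users is still negligibly far from a collision.
    print("128-bit salts, 1e9 users: bound =", collision_bound(10**9, 128))
    print("128-bit salts reach 2^-32 collision chance at about",
          users_before_risk(128, 2.0 ** -32), "users")
```

The `exact_collision_probability` loop is only sensible for moderate `num_salts`; for the 128-bit case the union bound already shows the probability is of the order of 10^-21 at a billion users, which is the "negligible" the message refers to, whereas the 12-bit space crosses a 50% collision chance at roughly 64 users.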
