| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20150504175219.GA21278@openwall.com> Date: Mon, 4 May 2015 20:52:19 +0300 From: Solar Designer <solar@...nwall.com> To: discussions@...sword-hashing.net Subject: Re: [PHC] Maximising Pseudo-Entropy versus resistance to Side-Channel Attacks On Mon, May 04, 2015 at 07:36:05PM +0200, Kriszti?n Pint?r wrote: > > Solar Designer (at Thursday, April 30, 2015, 5:55:05 PM): > > > While you're mostly correct, you're somehow omitting important detail. > > As discussed before, salting may defeat side-channel attacks on password > > hashes, as long as the salts are not known/predictable by the attacker. > > this wording is actually accurate, because even secret salts does not > guarantee safety against side channel attacks. they *may* defeat them, > but may not. Right. I actually introduced that "may" deliberately when editing the paragraph you quoted. > i understand that this scenario still isn't exactly "probable". and > using irreversible mixing functions early can thwart such attempts. > however for example lyra2 or pomelo, i would not tell at a glance > whether they can be traced backwards if the internal state is > partially recovered. I agree with you on this. The hashing scheme has to be specifically designed such that "as long as the salts are not known/predictable by the attacker", it is immune to side-channel attacks. And ideally this should be easy to see. I think in (ye)scrypt it is easy to see (even though in scrypt this probably wasn't a deliberate design goal). Alexander
Powered by blists - more mailing lists