lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 4 May 2015 20:52:19 +0300
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Maximising Pseudo-Entropy versus resistance to Side-Channel Attacks

On Mon, May 04, 2015 at 07:36:05PM +0200, Kriszti?n Pint?r wrote:
> 
> Solar Designer (at Thursday, April 30, 2015, 5:55:05 PM):
> 
> > While you're mostly correct, you're somehow omitting important detail.
> > As discussed before, salting may defeat side-channel attacks on password
> > hashes, as long as the salts are not known/predictable by the attacker.
> 
> this wording is actually accurate, because even secret salts does not
> guarantee safety against side channel attacks. they *may* defeat them,
> but may not.

Right.  I actually introduced that "may" deliberately when editing the
paragraph you quoted.

> i understand that this scenario still isn't exactly "probable". and
> using irreversible mixing functions early can thwart such attempts.
> however for example lyra2 or pomelo, i would not tell at a glance
> whether they can be traced backwards if the internal state is
> partially recovered.

I agree with you on this.  The hashing scheme has to be specifically
designed such that "as long as the salts are not known/predictable by
the attacker", it is immune to side-channel attacks.  And ideally this
should be easy to see.  I think in (ye)scrypt it is easy to see (even
though in scrypt this probably wasn't a deliberate design goal).

Alexander

Powered by blists - more mailing lists