lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 4 May 2015 20:09:38 +0300
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Maximising Pseudo-Entropy versus resistance to Side-Channel Attacks

On Mon, May 04, 2015 at 02:37:48PM +0200, Stefan.Lucks@...-weimar.de wrote:
> Having spent much of my academic life on performing cryptanalysis, i.e., 
> on attacking schemes, the idea to rely on the randomness of the salt 
> doesn't quite convince me, though.

I just recalled an earlier discussion in here where Christian Forler
felt it was OK for Catena to absolutely rely on salt uniqueness for a
feature, and I felt otherwise:

http://thread.gmane.org/gmane.comp.security.phc/612/focus=659

While uniqueness isn't randomness, the similarity is in strong reliance
on a property of the salts.

I think this shows my pragmatism.  When this kind of reliance isn't
absolutely required for a security feature (there was another way to
specify the feature in question), I am against it.  When there's a
tradeoff between a not-yet-practically-relevant weakness and a currently
practically relevant one, I may well choose to accept the former and
mitigate the latter.

Arguably, this also shows Catena team's inconsistency. ;-)  If it's so
bad to rely on some historically not assumed property of salts (e.g.,
with crypt()'s 12-bit salts occasional collisions were assumed), then
just don't, for anything.

Alexander

Powered by blists - more mailing lists