| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20150504170938.GA20748@openwall.com> Date: Mon, 4 May 2015 20:09:38 +0300 From: Solar Designer <solar@...nwall.com> To: discussions@...sword-hashing.net Subject: Re: [PHC] Maximising Pseudo-Entropy versus resistance to Side-Channel Attacks On Mon, May 04, 2015 at 02:37:48PM +0200, Stefan.Lucks@...-weimar.de wrote: > Having spent much of my academic life on performing cryptanalysis, i.e., > on attacking schemes, the idea to rely on the randomness of the salt > doesn't quite convince me, though. I just recalled an earlier discussion in here where Christian Forler felt it was OK for Catena to absolutely rely on salt uniqueness for a feature, and I felt otherwise: http://thread.gmane.org/gmane.comp.security.phc/612/focus=659 While uniqueness isn't randomness, the similarity is in strong reliance on a property of the salts. I think this shows my pragmatism. When this kind of reliance isn't absolutely required for a security feature (there was another way to specify the feature in question), I am against it. When there's a tradeoff between a not-yet-practically-relevant weakness and a currently practically relevant one, I may well choose to accept the former and mitigate the latter. Arguably, this also shows Catena team's inconsistency. ;-) If it's so bad to rely on some historically not assumed property of salts (e.g., with crypt()'s 12-bit salts occasional collisions were assumed), then just don't, for anything. Alexander
Powered by blists - more mailing lists