| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Jun 2015 19:03:36 -0300 From: Marcos Simplicio <mjunior@...c.usp.br> To: discussions@...sword-hashing.net Subject: Re: [PHC] RE: Why protect against side channel attacks On 24-Jun-15 18:44, Marsh Ray wrote: > To Greg's excellent summary I would just add a couple of further points, probably all have been mentioned before. > >> Suppose a slow-memory attack was demonstrated, and suddenly the attacker hash rate goes up by 10x > > While this sounds dramatic, and is technically a cryptographic weakness, it's not as big of an impact as it sounds. It's a loss of 3.2 bits of security which could be approximately compensated for by increasing the minimum password length by a single character. Just to add to the discussion: NIST does have attempted to measure the number of bits a character would have in its SP.800.63-2, Appendix A (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf) By their estimates, each character adds ~1 bit of security after we pass the threshold of 8 alphanumeric chars, even if we assume that the system validates that the password is not in a dictionary and follows good composition rules (see Table A.1). These estimates may certainly be too pessimistic (and I tend to believe so), but, by their analysis, 3 bits is a lot :) (Note that this is not intended as an argument against side-channel resistance, but only to say that, when dealing with passwords, every bit counts). BR, Marcos.
Powered by blists - more mailing lists