lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 2 Jul 2015 07:20:44 -0700
From: Bill Cox <waywardgeek@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Password hashing as a self-overwriting Turing machine

On Thu, Jul 2, 2015 at 7:16 AM, Bill Cox <waywardgeek@...il.com> wrote:

> On Wed, Jul 1, 2015 at 10:29 AM, Marsh Ray <maray@...rosoft.com> wrote:
>
>>  > It resists side-channel attacks based on memory access timing: all
>>
>> > memory indices are controlled by pseudo-random data generated from
>>
>> > the salt, while operations and their order are controlled by
>>
>> > pseudo-random data generated from the salt *and* password.
>>
>>
>>
>> By definition, the salt is not secret. In some use cases, e.g., document
>> encryption, it is even shipped along with the ciphertext.
>>
>>
>>
>> So assuming I know the salt, and I am able to observe via a timing side
>> channel the first few memory accesses from hashing the correct password,
>> then I am able to reject an incorrect guess at the password without having
>> pay most of the cost that should be imposed by the work factor, no?
>>
>
Actually, the password operations are cache-timing independent, so no, you
would not be able to infer anything about the password.  All you know is
that a user who uses the salt you somehow know has logged in.

Bill

Content of type "text/html" skipped

Powered by blists - more mailing lists