| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAOLP8p7Rtzq19E0rQM6r=2Y5BLCey0fRNj6mqXkxdTViCULr-g@mail.gmail.com>
Date: Thu, 2 Jul 2015 07:20:44 -0700
From: Bill Cox <waywardgeek@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Password hashing as a self-overwriting Turing machine
On Thu, Jul 2, 2015 at 7:16 AM, Bill Cox <waywardgeek@...il.com> wrote:
> On Wed, Jul 1, 2015 at 10:29 AM, Marsh Ray <maray@...rosoft.com> wrote:
>
>> > It resists side-channel attacks based on memory access timing: all
>>
>> > memory indices are controlled by pseudo-random data generated from
>>
>> > the salt, while operations and their order are controlled by
>>
>> > pseudo-random data generated from the salt *and* password.
>>
>>
>>
>> By definition, the salt is not secret. In some use cases, e.g., document
>> encryption, it is even shipped along with the ciphertext.
>>
>>
>>
>> So assuming I know the salt, and I am able to observe via a timing side
>> channel the first few memory accesses from hashing the correct password,
>> then I am able to reject an incorrect guess at the password without having
>> pay most of the cost that should be imposed by the work factor, no?
>>
>
Actually, the password operations are cache-timing independent, so no, you
would not be able to infer anything about the password. All you know is
that a user who uses the salt you somehow know has logged in.
Bill
Content of type "text/html" skipped
Powered by blists - more mailing lists