Open Source and information security mailing list archives
Date: Sat, 18 Jul 2015 16:14:14 -0700
From: Bill Cox <>
To: "" <>
Subject: Re: [PHC] patents

On Sat, Jul 18, 2015 at 12:22 PM, Solar Designer <> wrote:

> On Thu, Jul 16, 2015 at 02:17:30PM -0700, Bill Cox wrote:
> > I think Jeremy might be able to rework his patent into a "business-model"
> > patent.  I am not personally aware of anyone offering to do the password
> > hashing with a central ROM under the control of another company that
> > provides this as a service.  This is what I think his company does.
> > Assuming he wants to carve out this space narrowly, he might be able to
> > convince the patent office to allow his patent with the additional steps of
> > transmitting the salted password hash over the Internet from a client
> > company to the company providing the ROM hashing service, after first
> > hashing the password with a secret salt which is never transmitted.  I
> > think Jeremy's main idea which _might_ be new is securing the password hash
> > with secret salt before transmitting it to an untrusted ROM-based hashing
> > service.  It's not a bad idea, but it is not what he patented.
> I wouldn't be happy with seeing this patented either, in part since I
> was also thinking in the same direction back in 2012, and I am still
> considering starting a business like this myself.  Now that I have
> learned of Jeremy's patent and the older one, I felt I'd have to focus
> solely on the delegation and port-hardness aspects, with non-secret ROM.
> As an extra and a partial mitigation of making the ROM non-secret, I
> think using a secret key that is not part of the large ROM would still
> be OK.

Well, if you base your company in Russia, I doubt any US software patents
will keep you from running your business for most non-US customers.  Oh,
the joys of software patents... Consider it a gift from the US to our
competitors who are sane enough to ignore our software patents :)

> > His patent
> > covers any sane use of ROM in password hashing, and therefore is invalid
> > due to prior art.
> It is not my understanding that any sane use of ROM in password hashing
> is covered by the patent(s).  I think port-hardness with a non-secret
> ROM is not covered.  But I am not a patent lawyer.
> Alexander

I agree.  It is only the use with secret ROM that seems to be covered, and
the 2006 patent covers this ground anyway.

