lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 21 Jul 2015 21:52:51 +0200
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Argon2 improvement thread

On Tue, Jul 21, 2015 at 12:44:17PM -0700, Bill Cox wrote:
> I also think we should pass a boolean telling Argon2 if it's OK to
> scrub the password buffer passed in once the initial derived key is
> computed.  We talk a lot about garbage-collection attack resistance, and
> then we just leave the password sitting there in it's buffer.  This is
> pretty sad, IMO.

I propose passing two pointers instead, one "const char *" and the other
non-const.  If the non-const pointer is not NULL, then this one will be
used for scrubbing.

Rationale: some reasonable higher-level APIs may already have the const
(or will have), so we'd have to cast it away for the scrubbing if we
used the Boolean parameter approach.

I welcome other thoughts on this, though.  My preference might change.

> Also, have Alexander's concerns about excessive parallelism in Argon2 been
> addressed?  I missed the resolution of this issue.

Not yet.

> Would his suggested MAXFORM (whatever that is) fix it?

Yes, and it'd achieve more than that.

Alexander

Powered by blists - more mailing lists