lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 14 Aug 2015 14:11:01 -0500
From: Jeffrey Goldberg <jeffrey@...dmark.org>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Argon2 improvement thread

On 2015-08-14, at 9:12 AM, Thomas Pornin <pornin@...et.org> wrote:

>> unless you want to include generating random salts too.
> 
> Oh yes I do want that.

I emphatically concur.

One of the goals of this whole project is to be able to
provide a simple recommendation to developers that do
not depend on the developer understanding things like salt.

Remember that “developer” covers the range of people
developing cryptographic systems to people coding up website
login pages in PHP.


> It is part of the deal. A simple-to-use API that
> minimizes risks of misuse would offer two functions: one for generating
> the hash _and_ the salt.

> Such an API can be implemented more or less generically around a core
> single-call API that expects the salt as parameter and outputs raw
> binary. However, I think it is important that such an API is provided
> along with the "reference" implementation, because being tagged
> "reference" will lower the probability that other people reinvent it
> poorly.

The difficulty is that the reference implementation should be as
portable as possible, but calls to a CSPRNG are system dependent.

Cheers,

-j

Powered by blists - more mailing lists