Open Source and information security mailing list archives
Date: Sat, 15 Aug 2015 11:23:11 -0400
From: Jeremy Spilman <>
To: "" <>
Subject: Re: [PHC] Passwords15 BSidesLV talks

A question I wanted to ask at the talk but didn't get the chance...

I guess with Encrypt-then-MAC an attacker can still just check the MAC, but that would involve:

a) calculating the MAC key, which is typically chained off the encryption key, possibly with additional work factor

b) streaming the entire ciphertext through the hash function

Whether this is faster than skipping the MAC key derivation and hash step and going straight to decrypting the entire ciphertext and applying the ANT, I guess, could vary. But in any case it's a better lower bound than decrypting just one block.

Is that right?

> On Aug 14, 2015, at 2:40 PM, Jeffrey Goldberg <> wrote:
>> On 2015-08-13, at 4:49 PM, Greg Zaverucha <> wrote:
>> Thanks Alexander!
>> For folks on this list who are interested and familiar with crypto, it may be faster to look at my tech report explaining the idea
> Thanks.
> As I said then, this is one of those really cool ideas that makes perfect sense once someone actually points it out. I’ve always been bothered by the fact that an attacker may just need to decrypt a single block or check a MAC while the defender needs to decrypt the whole thing, but I never really thought about doing anything about it. So thanks again.
> Cheers,
> -j
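
The per-guess work discussed in this message, as an added example that is not part of the original post or of the tech report: checking a password guess against an Encrypt-then-MAC blob touches every ciphertext byte, while a known-header check after decrypting one block touches 32. The SHA-256 counter-mode keystream is a stand-in cipher, and the work factor, the `mac-key` label, the function names and the sample data are all constructed assumptions.

```python
import hashlib, hmac, os

ITER = 1000   # constructed work factor, kept low so the example runs quickly
BLOCK = 32    # block size of the stand-in cipher (one SHA-256 output)

def enc_key_for(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITER)

def mac_key_for(enc_key):
    # MAC key chained off the encryption key; the label is an assumption.
    return hmac.new(enc_key, b"mac-key", hashlib.sha256).digest()

def keystream_xor(key, data, nblocks=None):
    # Stand-in stream cipher (SHA-256 in counter mode), for illustration only.
    if nblocks is None:
        nblocks = -(-len(data) // BLOCK)   # ceiling division
    out = bytearray()
    for i in range(nblocks):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        chunk = data[i * BLOCK:(i + 1) * BLOCK]
        out += bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)

def seal(password, plaintext):
    # Encrypt-then-MAC: the tag covers the whole ciphertext.
    salt = os.urandom(16)
    enc_key = enc_key_for(password, salt)
    ct = keystream_xor(enc_key, plaintext)
    tag = hmac.new(mac_key_for(enc_key), ct, hashlib.sha256).digest()
    return salt, ct, tag

def guess_via_mac(guess, salt, ct, tag):
    # (a) derive the MAC key, (b) stream the entire ciphertext through HMAC.
    mac_key = mac_key_for(enc_key_for(guess, salt))
    ok = hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag)
    return ok, len(ct)   # bytes processed after key derivation

def guess_via_first_block(guess, salt, ct, known_prefix):
    # Baseline: decrypt one block only and compare a known header (<= BLOCK bytes).
    first = keystream_xor(enc_key_for(guess, salt), ct, nblocks=1)
    return first.startswith(known_prefix), min(BLOCK, len(ct))

if __name__ == "__main__":
    salt, ct, tag = seal(b"correct horse", b"HDR1" + bytes(65536))  # constructed
    print(guess_via_mac(b"correct horse", salt, ct, tag))
    print(guess_via_first_block(b"correct horse", salt, ct, b"HDR1"))
```

The second value in each returned pair is the number of ciphertext bytes processed per guess, which is the quantity the lower-bound comparison above is about.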
