| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALCETrWbbUk7y92oYQ0Ju5vvAKv1fUKZe+94GhRWP_DGAkhHkQ@mail.gmail.com> Date: Thu, 24 Mar 2016 10:05:15 -0700 From: Andy Lutomirski <luto@...capital.net> To: discussions <discussions@...sword-hashing.net> Subject: Re: [PHC] hash encryption On Thu, Mar 24, 2016 at 7:34 AM, Solar Designer <solar@...nwall.com> wrote: > On Thu, Mar 24, 2016 at 03:29:34PM +0300, Solar Designer wrote: >> I am considering hashing in round+keylen. > > No, this does not fully do the trick, and is unnecessarily complex to > reason about. > >> Another detail is that 6 least significant bits of keylen don't really >> need to be encoded, but this detail doesn't appear to be of any use, >> unless we were to encode (round + (keylen >> 6)) and declare keylen's >> needing more than 14 bits unsupported. > > This isn't exactly right. It would need to be "number of SHA-256 > blocks" instead of just "keylen >> 6". This gets too complex. > > So not wanting to double the SHA-256 block count for keylen=32 and not > wanting to introduce too much complexity (to code or/and reasoning), we > seem to be limited to either relying on the trick I suggested earlier > (hash in the round number last) or providing a mitigation only for > keylen up to 2^24 (if we use aligned 32-bit words only) or up to 2^48 > (if unaligned, fully using space up to the max of 55 bytes). As a totally different option, you could hash the key and then plug the key's hash into the round function hash. --Andy > > Alexander -- Andy Lutomirski AMA Capital Management, LLC
Powered by blists - more mailing lists