Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 25 Nov 2013 10:45:03 +0400
From: Solar Designer <solar@...nwall.com>
To: crypt-dev@...ts.openwall.com
Subject: Re: A couple of thoughts on password hashing

Hi,

After having already done much work on an scrypt-inspired new password
hash, I am re-reading some threads here and on other lists where people
posted thoughts on password hashing.  I didn't want them to influence my
thinking too much initially, but now is the time for a sanity check. ;-)

On Sat, Feb 02, 2013 at 05:56:01PM +0100, CodesInChaos wrote:
> A couple of quick thoughts on creating new password hashes:

Thank you for these!  I mostly agree, with the major exception being:

> * For Key derivation in disk encryption, state level attackers with custom
> hardware are an important consideration
>   For login hashes we probably care more about less sophisticated attackers
> with GPUs and perhaps FPGA.

Yes, but:

> * Time-memory trade-offs seem to increase flexibility without benefiting
> attackers. It's trade-offs involving parallelism that are problematic

Time-memory tradeoffs are also problematic for the defender, considering
"less sophisticated attackers with GPUs and perhaps FPGA".  I include
some optional TMTO discouraging measures specifically to better defend
against attackers with non-ASICs (or with less than 100% of their
hardware being ASICs).

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ