Date: Fri, 13 Feb 2015 04:16:10 +0300 From: Solar Designer <solar@...nwall.com> To: john-dev@...ts.openwall.com Subject: Re: wrong comment in sha512crypt_fmt_plug.c On Thu, Feb 12, 2015 at 06:05:01PM +0300, Aleksey Cherepanov wrote: > It looks like there is a wrong comment in cryptsha512_fmt_plug.c : > > /* For every character in the password add the entire password. */ > for (cnt = 0; cnt < 16 + ((unsigned char*)crypt_out[index]); ++cnt) > SHA512_Update(&alt_ctx, cur_salt->salt, cur_salt->len); > > It is #18 according to > http://www.akkadia.org/drepper/SHA-crypt.txt > " > 18. repeast the following 16+A times, where A represents the first > byte in digest A interpreted as an 8-bit unsigned value > > add the salt to digest DS > " > > The comment is from the original code: > /* For every character in the password add the entire password. */ > for (cnt = 0; cnt < 16 + alt_result; ++cnt) > sha512_process_bytes (salt, salt_len, &alt_ctx); Ouch. This is actually a (minor) security shortcoming in SHA-crypt. I wonder why they're doing this - it doesn't appear to be in md5crypt. As far as I can tell, they do it for no reason at all. I brought this to Twitter: <solardiz> SHA-crypt running time depends not only on password length, but also on password characters. See algorithm step 18. http://www.akkadia.org/drepper/SHA-crypt.txt <solardiz> Also, SHA-crypt reference source code comment corresponding to step 18 doesn't match the spec and the code. http://www.openwall.com/lists/john-dev/2015/02/12/2 <@solardiz> @0xdeadb @kragen The unusual aspect about SHA-crypt's timing leak is that it's in an algorithm step that wasn't needed at all <@solardiz> @0xdeadb @kragen Luckily, it's mitigated by having the salt mixed in as well, so it can't be exploited without stealing/inferring the salt Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.