Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] [cryptography] New Anonymity Network for Short Messages

Eugen Leitl eugen at leitl.org
Wed Jun 12 06:25:33 PDT 2013


----- Forwarded message from Wasa <wasabee18 at gmail.com> -----

Date: Wed, 12 Jun 2013 14:11:25 +0100
From: Wasa <wasabee18 at gmail.com>
To: cryptography at randombit.net
CC: Eugen Leitl <eugen at leitl.org>
Subject: Re: [cryptography] [liberationtech] New Anonymity Network for Short Messages
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130510 Thunderbird/17.0.6

On 11/06/13 20:06, Eugen Leitl wrote:
> Use a timing-independent array
> comparison<http://rdist.root.org/2010/01/07/timing-independent-array-comparison/>.
> It's an easy fix. I've made the same mistake before, which is why I always
> look for it now.
the page says "Usually it's not, but if these were passwords instead
of cryptographic values, it would be better to hash them with PBKDF2
<http://en.wikipedia.org/wiki/PBKDF2> or bcrypt
<http://www.mindrot.org/projects/py-bcrypt/> instead of working with
them directly."
if you are indeed comparing passwords thru their
hashed/bcrypt'ed/pbkdf2'ed representations; you would now leak info
about whether or not those representations mach. You have essentially
shifted the problem to their hashes. I don't believe this is enough.

if users have simple password, this theoretically allows someone to
brute force password offline once attackers know the
hashed/bcrypt'ed/pbkdf2'ed representation (leaked thru the side
channel mentioned above; e.g. timing). Yes it is better than plain
text password but not bullet proof. Let H be the representation of the
password using an (iterative) hash; then wouldn't it be better to
compare H(N,The_pwd) and H(N,attempt_pwd), where N is picked randomly
each time the comparison is performed?
This way, every time you compare pwds; the H representation changes,
and you cannot do offline brute force search.


BTW, scrypt is also better than bcrypt/pbkdf2 against pwd cracking.

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5



More information about the liberationtech mailing list