discussions.mbox

From leontiad@gmail.com  Jeu fÃ©v 14 20:43:56 2013 +0000
Return-Path: <leontiad@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 10147 invoked by uid 89); 14 Feb 2013 20:43:55 -0000
Received: by simscan 1.4.0 ppid: 10141, pid: 10143, t: 0.2557s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.5 required=4.0 tests=EMPTY_MESSAGE,HTML_MESSAGE,
	MISSING_SUBJECT,RDNS_NONE,TVD_SPACE_RATIO autolearn=no version=3.2.5
X-Spam-Report: 
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  2.2 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
	*  1.8 MISSING_SUBJECT Missing Subject: header
	*  1.4 EMPTY_MESSAGE Message appears to have no textual parts and no
	*      Subject: text
	*  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
Received: from unknown (HELO mail-qe0-f53.google.com) (209.85.128.53)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 14 Feb 2013 20:43:55 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.128.53 as permitted sender)
Received: by mail-qe0-f53.google.com with SMTP id 1so1269882qee.26
        for <discussions@password-hashing.net>; Thu, 14 Feb 2013 12:43:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:x-received:date:message-id:subject:from:to
         :content-type;
        bh=AIbW4PAf3wW9lT9Gz5qZ9vE2P8LlZ3wy00PsknJ4Yzg=;
        b=Jo1QweNm4epMJfY9Sm9itbUcIwijyJBbKSjdW0SG3GfpK1qZ/JgvgZufLD1iMm6Q7D
         YR0PgWl62+34ef+yJreGJujJXc02ieUC2OrpU36U4D6bTW3IXALGMx3pTIc1wrHV7LG6
         5bUIBxXL1TwJxzAYZOs/U4nvK47CuskTgUlaA6jap834tIW0Vpeny/XbuMWmkIzNDzPn
         QZxFHqlYj+9mofi2hOnb6yXBZWRhhR6L/ddIFev2R56T4sxqK1cyI+GZzV54U3xpHKDV
         sTAvgzFtPkm1IzvgZcnIIyJ8lgvd+uM+pFttRgzDfJmhnpRE2LUDsCtKFZPeizRJxPCt
         tG1A==
MIME-Version: 1.0
X-Received: by 10.49.127.240 with SMTP id nj16mr34401qeb.13.1360874634444;
 Thu, 14 Feb 2013 12:43:54 -0800 (PST)
Received: by 10.229.92.13 with HTTP; Thu, 14 Feb 2013 12:43:54 -0800 (PST)
Date: Thu, 14 Feb 2013 21:43:54 +0100
Message-ID: <CADPYE1EAFp4Dw=07gfHRVD4JT-2yXY6P0-B11a=FOQthenXMVw@mail.gmail.com>
Subject: [SPAM?] 
From: Iraklis <leontiad@gmail.com>
To: discussions@password-hashing.net
Content-Type: multipart/alternative; boundary=047d7b6d96242b814904d5b551d8
X-Spam-Prev-Subject: 

--047d7b6d96242b814904d5b551d8
Content-Type: text/plain; charset=ISO-8859-1



--047d7b6d96242b814904d5b551d8
Content-Type: text/html; charset=ISO-8859-1

<div dir="ltr"><br></div>

--047d7b6d96242b814904d5b551d8--

From jeanphilippe.aumasson@gmail.com  Ven fÃ©v 15 21:45:24 2013 +0000
Return-Path: <jeanphilippe.aumasson@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 19989 invoked by uid 89); 15 Feb 2013 21:45:24 -0000
Received: by simscan 1.4.0 ppid: 19983, pid: 19985, t: 0.2563s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.3 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-ob0-f178.google.com) (209.85.214.178)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 15 Feb 2013 21:45:23 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.214.178 as permitted sender)
Received: by mail-ob0-f178.google.com with SMTP id wd20so3995931obb.23
        for <discussions@password-hashing.net>; Fri, 15 Feb 2013 13:45:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:mime-version:from:date:message-id:subject:to
         :content-type;
        bh=4UFX+iEaTE7LsZ7kXfjm21QyrM4CJc4IRotBxKNfntI=;
        b=Jc6twTynnJHW7vnPpTI1os5z9BmTXe1gzUAVGEaoFtAxDGtvlZItfwruEWR/Zk0UrT
         bDFOwj/EcBUoILxxTa2+mFWSrwh6yhesO4fVieXBHvNa/Y8c9D7qdFTcKVw6kH48wjgg
         9GfCFVXwlAxwuz/+Xse6yR9sgOK3hO2idWXAcT4t4+csL47DkcI0R5zu6mtPvKFrAo6S
         9rrdJ8eH1XWq/EHmqy3tUp+6qm3KsEySBXVB77zkEIMf/E6AokfNTYt9MUoVJNGI53JK
         sT3zKUwESzpA26ltG11pfeKTTGck72P3QKCvnRjIdhE2VXec8qegAfJOWPKeBX/mi3xy
         6E7g==
X-Received: by 10.182.160.106 with SMTP id xj10mr2760038obb.98.1360964722391;
 Fri, 15 Feb 2013 13:45:22 -0800 (PST)
MIME-Version: 1.0
Received: by 10.76.172.70 with HTTP; Fri, 15 Feb 2013 13:45:02 -0800 (PST)
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Date: Fri, 15 Feb 2013 22:45:02 +0100
Message-ID: <CAGiyFdcG1_1jLfR4_mi033V1AnL-gVPGeLPW1dkQ5dO731cfqA@mail.gmail.com>
To: discussions@password-hashing.net
Content-Type: text/plain; charset=ISO-8859-1
Subject: FAQ

Hi, welcome to our discussions mailing list!

Earlier today we published an FAQ page, with only 1 Q&A so far
(https://password-hashing.net/faq.html). What other questions would
you like to see there?


Thanks!


JP

From jeffrey@goldmark.org  Ven fÃ©v 15 21:56:30 2013 +0000
Return-Path: <jeffrey@goldmark.org>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 20519 invoked by uid 89); 15 Feb 2013 21:56:30 -0000
Received: by simscan 1.4.0 ppid: 20513, pid: 20515, t: 0.3836s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.4 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO out1-smtp.messagingengine.com) (66.111.4.25)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 15 Feb 2013 21:56:29 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at goldmark.org designates 66.111.4.25 as permitted sender)
Received: from compute2.internal (compute2.nyi.mail.srv.osa [10.202.2.42])
	by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id 5448C204EC
	for <discussions@password-hashing.net>; Fri, 15 Feb 2013 16:56:28 -0500 (EST)
Received: from frontend2.nyi.mail.srv.osa ([10.202.2.161])
  by compute2.internal (MEProxy); Fri, 15 Feb 2013 16:56:28 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=goldmark.org; h=
	from:content-type:content-transfer-encoding:subject:message-id
	:date:to:mime-version; s=mesmtp; bh=9Qnr3LfTKLE93SQMDUnmB5uowO4=; b=
	Y1n0Kplrv1/y/yqwWhK9hcRNL07ElDJnH0HHX7PauA3bEOW/3WGbFnlkLO1Dsk7u
	Mc1ahVQ0Jl2mC28VYfSQDJx89jMAE853dH4y1M5T5I6hNgFy/7qDfK1KLs0ktq4S
	YEXUXQRAvbPXcGq7PmYg057+vWe6fKzKzrBnZA4MpzM=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
	messagingengine.com; h=from:content-type
	:content-transfer-encoding:subject:message-id:date:to
	:mime-version; s=smtpout; bh=9Qnr3LfTKLE93SQMDUnmB5uowO4=; b=A1F
	awNIK6RQgrZn2YOWAIF7TTKNoN4eqdHSZLekBWeCwZuoqszqgc0LHQ3f4+bC69rn
	sNa84CL9iLz1CU76yzV5GigByWuX80H7ahfwaG6bV/hXy6Mz5BXmyw/Q/nGrriiA
	L9ASsXt6Q847oorlc0HB6SIGMbfHOTEsmTUS+/M8=
X-Sasl-enc: 0W4HHrzx/6ws/MPmmJUd+RUPC+78GPZH7tsyozsuObyH 1360965388
Received: from olympe.ewd.goldmark.org (unknown [72.64.118.114])
	by mail.messagingengine.com (Postfix) with ESMTPA id 0382D48257F
	for <discussions@password-hashing.net>; Fri, 15 Feb 2013 16:56:27 -0500 (EST)
From: Jeffrey Goldberg <jeffrey@goldmark.org>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Message-Id: <26BCC3EF-F3B8-40B4-BCC0-1A0C784202A8@goldmark.org>
Date: Fri, 15 Feb 2013 15:56:25 -0600
To: discussions@password-hashing.net
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
X-Mailer: Apple Mail (2.1499)
Subject: History question

To what extent is it fair to write "the PHC grew out of discussion from =
#passwords12" ?

I'm writing an article for http://blog.agilebits.com that mentions the =
PCH but isn't focusing on it.

Cheers,

-j

=96-=20
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.com=

From solar@openwall.com  Ven fÃ©v 15 22:02:42 2013 +0000
Return-Path: <solar@openwall.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 20930 invoked by uid 89); 15 Feb 2013 22:02:42 -0000
Received: by simscan 1.4.0 ppid: 20924, pid: 20926, t: 0.3273s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mother.openwall.net) (195.42.179.200)
  by qmailtoaster.cryptyx.com with SMTP; 15 Feb 2013 22:02:42 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at openwall.com designates 195.42.179.200 as permitted sender)
Received: (qmail 29842 invoked from network); 15 Feb 2013 22:02:41 -0000
Received: from localhost (HELO pvt.openwall.com) (127.0.0.1)
  by localhost with SMTP; 15 Feb 2013 22:02:41 -0000
Received: by pvt.openwall.com (Postfix, from userid 503)
	id 19A846FB04; Sat, 16 Feb 2013 02:02:38 +0400 (MSK)
Date: Sat, 16 Feb 2013 02:02:38 +0400
From: Solar Designer <solar@openwall.com>
To: Jeffrey Goldberg <jeffrey@goldmark.org>
Cc: discussions@password-hashing.net
Message-ID: <20130215220238.GA25248@openwall.com>
References: <26BCC3EF-F3B8-40B4-BCC0-1A0C784202A8@goldmark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <26BCC3EF-F3B8-40B4-BCC0-1A0C784202A8@goldmark.org>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [PHC] History question

On Fri, Feb 15, 2013 at 03:56:25PM -0600, Jeffrey Goldberg wrote:
> To what extent is it fair to write "the PHC grew out of discussion from #passwords12" ?

Disclaimer: I was not at Passwords^12, at least not physically. ;-)

I think it mostly did not, although Passwords^12 has helped get some of
the panel members involved.

I think JP's interest in running this competition and his prior
experience with the SHA-3 competition played a bigger role.  Without
that, we would probably not be having a competition (although some of us
would probably propose new password hashing schemes in 2013-2015
anyway - just fewer and without this competition process).

Alexander

From ravinwinddce@gmail.com  Ven fÃ©v 15 22:14:21 2013 +0000
Return-Path: <ravinwinddce@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 21419 invoked by uid 89); 15 Feb 2013 22:14:21 -0000
Received: by simscan 1.4.0 ppid: 21413, pid: 21415, t: 0.3409s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: **
X-Spam-Status: No, score=2.8 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-pa0-f54.google.com) (209.85.220.54)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 15 Feb 2013 22:14:21 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.220.54 as permitted sender)
Received: by mail-pa0-f54.google.com with SMTP id fa10so1958179pad.41
        for <discussions@password-hashing.net>; Fri, 15 Feb 2013 14:14:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:message-id:date:from:user-agent:mime-version:to:subject
         :references:in-reply-to:content-type:content-transfer-encoding;
        bh=l6I5yx9iH8s+47vtNGqQsqcIb1W0Soxa8WeDLe4EHbM=;
        b=ASry1IqRbdeqx3/znDUimF9E/CethLTRhYADpLcV4LHtYE3yFtDLpv49QQLZEfkVSh
         enwhlCgX67DzA9cpGxN/N5/moIhsOnzRgxongnAbrxndX00jTMlwqYDF3oBYHitjufmV
         hZS48BxFV8DdDOku7J9gfcYDc++SSqJJACZLxutqsd6voeTiqk0dmcC9b64qAEFxCkdK
         rC35mXv1R1ObfauP5QLbHWpkmxM8atSEYoy8njIqMqIdjHgSGndikRsX02agSjq8EUUs
         YxFCpJBizNxl09qY347kvJjztYSXXhosDnoE2fdcE/Vyx8o6q86Qjm9rIG3TTaHyvWBJ
         RYQQ==
X-Received: by 10.68.224.199 with SMTP id re7mr9571742pbc.108.1360966458806;
        Fri, 15 Feb 2013 14:14:18 -0800 (PST)
Received: from [192.168.2.100] (c-67-182-173-133.hsd1.ca.comcast.net. [67.182.173.133])
        by mx.google.com with ESMTPS id ri1sm5893383pbc.16.2013.02.15.14.14.17
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Fri, 15 Feb 2013 14:14:18 -0800 (PST)
Message-ID: <511EB339.5060907@gmail.com>
Date: Fri, 15 Feb 2013 14:14:17 -0800
From: ravin wind <ravinwinddce@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130106 Thunderbird/17.0.2
MIME-Version: 1.0
To: discussions@password-hashing.net
References: <CAGiyFdcG1_1jLfR4_mi033V1AnL-gVPGeLPW1dkQ5dO731cfqA@mail.gmail.com>
In-Reply-To: <CAGiyFdcG1_1jLfR4_mi033V1AnL-gVPGeLPW1dkQ5dO731cfqA@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [PHC] FAQ

On 02/15/2013 01:45 PM, Jean-Philippe Aumasson wrote:
> Hi, welcome to our discussions mailing list!
>
> Earlier today we published an FAQ page, with only 1 Q&A so far
> (https://password-hashing.net/faq.html). What other questions would
> you like to see there?
>
>
> Thanks!
>
>
> JP

On 02/15/2013 01:45 PM, Jean-Philippe Aumasson wrote:
> Hi, welcome to our discussions mailing list!
>
> Earlier today we published an FAQ page, with only 1 Q&A so far
> (https://password-hashing.net/faq.html). What other questions would
> you like to see there?
>
>
> Thanks!
>
>
> JP
I assume memory-hard problems are in play. Example: SHA-256 hashing and
filling the whole 4GB memory space with PRN to derive the next address
in memory, add a 128-bit salt, repeat hash again, and so on. Thus
overcoming low-memory requirements of PBKDF2 and forcing the use of the
whole memory. Pipelined FPGA, parallel CPUs or GPUs can't then be used. 
Clustering will not work. A Critical-Path is formed due to mixing with
the password key (hashed 44-64 character Yubikey) at each hashing. 
Whole memory space must always be filled to get the next hash correct.
Memory jumps will seem random. Scrypt comes to mind.

From jens.steube@gmail.com  Sam fÃ©v 16 11:22:42 2013 +0000
Return-Path: <jens.steube@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 21806 invoked by uid 89); 16 Feb 2013 11:22:41 -0000
Received: by simscan 1.4.0 ppid: 21800, pid: 21802, t: 0.4152s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-oa0-f47.google.com) (209.85.219.47)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 16 Feb 2013 11:22:41 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.219.47 as permitted sender)
Received: by mail-oa0-f47.google.com with SMTP id o17so4530935oag.20
        for <discussions@password-hashing.net>; Sat, 16 Feb 2013 03:22:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:x-received:date:message-id:subject:from:to
         :content-type;
        bh=xUPOfO+2NBuG28t1UUni0WsCDOMdaXXsM6VoW/f9PtI=;
        b=hwnRgHvxkj8z5OkL+W94uP4VFYlKvn4e860L1byvHS+0r9wynon4MM5nlMF5KjCgBS
         aSyFtb6pYZwqJm/u+UlloLT2UDqbBnyVPKXCbpO7WOqlV4t6Nehno141Ei16FBUxwHKa
         1D7U574kxRh7VR2mxEUaHZ99QV5PBBE84Glech8zAXNfL/AZCpFVd2LOiAS5q7cr+Y0/
         VoOmMnRZGNyr0BKBpZHXXbvQ/iZyyGG5reeQHJFoFJkp+hqL5ox9DocHZOFGwV4wwLbo
         gOElTf22ZOlKrzPPte2RZq0rYCYXi1LVrpvfYp5bPC5Owc887zcHzFD9x23l4jBgxJPY
         /uJg==
MIME-Version: 1.0
X-Received: by 10.60.169.237 with SMTP id ah13mr3549462oec.41.1361013759611;
 Sat, 16 Feb 2013 03:22:39 -0800 (PST)
Received: by 10.60.20.167 with HTTP; Sat, 16 Feb 2013 03:22:39 -0800 (PST)
Date: Sat, 16 Feb 2013 12:22:39 +0100
Message-ID: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com>
From: Jens Steube <jens.steube@gmail.com>
To: discussions@password-hashing.net
Content-Type: text/plain; charset=ISO-8859-1
Subject: Different cost settings and optional input

Hey Guys,

even if gat3way's (coder of hashkill) comments were written in a way
so that they sound like a joke they should be taken seriously.

If you missed them, here they are:

> 09:29:30 gat3way | Hey are you sure about that criterion:
> 09:29:32 gat3way | "Ability to transform an existing hash to a different cost setting without knowledge of the password."
> 09:29:52 gat3way | assuming that was possible, it means I can change cost to 1 then attack the hash :)
> 09:39:47 jchillerup | i think it implies transforming it into only *more* expensive versions
> 09:40:02 jchillerup | Otherwise it wouldn't make sense :)

Of course, jchillerup is right. I think we should update the CFS to
make that clear. In a world full of wrong or partially wrong
information troublemaker can simply abuse this lack of clarity to
create an Illusion of a weakness in the PHC hash. Such an Illusion can
easily cost its credibility.

> 09:45:02 gat3way | Is it allowed to rely on a secret parameter other than the password then?
> 09:45:36 gat3way | otherwise I am afraid such requirement would very likely inherently weaken security

I am not sure what his concern is about. I think it is the following:
We allow the use of a "optional input":

> Other optional inputs include local parameters such as a personalization string, a secret key, or any application-specific parameter.

It is possible that a coder who is using the PHC hash in his
applications misuse such an optional parameter intenionally or
unintenionally. For example by storing the entire plaintext or parts
into it. At least we should write a note about not doing that or even
better completly not allow the use of an optional parameter.

--
Jens

From patrick@patrickmn.com  Sam fÃ©v 16 11:31:47 2013 +0000
Return-Path: <patrick@patrickmn.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 22440 invoked by uid 89); 16 Feb 2013 11:31:47 -0000
Received: by simscan 1.4.0 ppid: 22434, pid: 22436, t: 0.3534s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=HTML_MESSAGE,RDNS_NONE
	autolearn=no version=3.2.5
Received: from unknown (HELO mail-la0-f50.google.com) (209.85.215.50)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 16 Feb 2013 11:31:46 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.215.50 as permitted sender)
Received: by mail-la0-f50.google.com with SMTP id ec20so4193735lab.37
        for <discussions@password-hashing.net>; Sat, 16 Feb 2013 03:31:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=patrickmylund.com; s=pmylund;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:cc:content-type;
        bh=ta9kDfKuO9wRq1/OAmZwyE/PkTCrX16SitcNRvV3UBw=;
        b=BSl5lYj8HxAyIzvjMSB55cTZU63tzUxmvgm1/rtT7M1o/0YSkhAnOLLV8lyNFuxouY
         1T+kRZVFVNOK9MOoc9eP81Ev3+8mXStSJfyg1Wqdl+GeM3RqqpFLN/eVNn74T/CKR95u
         z4R/35PnVqz7lpqE3ndx3tfpkfa/vctp9EpSY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:cc:content-type:x-gm-message-state;
        bh=ta9kDfKuO9wRq1/OAmZwyE/PkTCrX16SitcNRvV3UBw=;
        b=pgwVMyCr/MEZ7JctTvDOaxN3QkB37nBXbOf6igtYtvlwy9If0b3PKD5qYBtC1j/pY3
         xmtWlN9NCJGK8B3WV2CKT/FS7GobzSp/jKDOYt0yKE/eujeNbkQvGCZ33BVOPUoWKA5Q
         XSL7dhiqRg6nfS4AEBULMRZkvg7JGK0ELlQVLqOe5mbuNaaZHl/Zx+I+Tsei3q6VSA2A
         JN1QIEH38KW0E+BZWLpXvluEybelaV6JMu79S19kgHUY5MFNkWK1rxGRKheX/mrSfvU7
         FHv94gYsj9OGeTQA16dE3x5YdFx77Dp+/hMXG1LvCRrWH6UeirAOVw00mqIOCxXKJ0ZC
         MmYA==
MIME-Version: 1.0
X-Received: by 10.112.47.168 with SMTP id e8mr3286807lbn.46.1361014306156;
 Sat, 16 Feb 2013 03:31:46 -0800 (PST)
Received: by 10.112.74.162 with HTTP; Sat, 16 Feb 2013 03:31:45 -0800 (PST)
X-Originating-IP: [85.224.171.72]
In-Reply-To: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com>
References: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com>
Date: Sat, 16 Feb 2013 12:31:45 +0100
Message-ID: <CAEw2jfw0q-1bkZjNja_-Ne4HDJg7Owv5FAuqRyf+Q=LEYm88rg@mail.gmail.com>
From: Patrick Mylund Nielsen <patrick@patrickmylund.com>
To: Jens Steube <jens.steube@gmail.com>
Cc: discussions@password-hashing.net
Content-Type: multipart/alternative; boundary=bcaec553fde040b20304d5d5d6d3
X-Gm-Message-State: ALoCoQnjJVAMOPH0/qO33o9g947p4sjxp5FfYoH8zFFskHGesaWe8CT4wwASTyctriTd40lttERn
Subject: Re: [PHC] Different cost settings and optional input

--bcaec553fde040b20304d5d5d6d3
Content-Type: text/plain; charset=UTF-8

Agree on the first point. On the second point, I think he is suggesting
that you would have to save some of the initial input, but there is no
reason that you wouldn't be able to apply the hypothetical construction to
its own output to increase the required work per verification (similar to
how some developers are currently upgrading MD5(pwd) to bcrypt(MD5(pwd)) to
increase cost without requiring users to log in.)


On Sat, Feb 16, 2013 at 12:22 PM, Jens Steube <jens.steube@gmail.com> wrote:

> Hey Guys,
>
> even if gat3way's (coder of hashkill) comments were written in a way
> so that they sound like a joke they should be taken seriously.
>
> If you missed them, here they are:
>
> > 09:29:30 gat3way | Hey are you sure about that criterion:
> > 09:29:32 gat3way | "Ability to transform an existing hash to a different
> cost setting without knowledge of the password."
> > 09:29:52 gat3way | assuming that was possible, it means I can change
> cost to 1 then attack the hash :)
> > 09:39:47 jchillerup | i think it implies transforming it into only
> *more* expensive versions
> > 09:40:02 jchillerup | Otherwise it wouldn't make sense :)
>
> Of course, jchillerup is right. I think we should update the CFS to
> make that clear. In a world full of wrong or partially wrong
> information troublemaker can simply abuse this lack of clarity to
> create an Illusion of a weakness in the PHC hash. Such an Illusion can
> easily cost its credibility.
>
> > 09:45:02 gat3way | Is it allowed to rely on a secret parameter other
> than the password then?
> > 09:45:36 gat3way | otherwise I am afraid such requirement would very
> likely inherently weaken security
>
> I am not sure what his concern is about. I think it is the following:
> We allow the use of a "optional input":
>
> > Other optional inputs include local parameters such as a personalization
> string, a secret key, or any application-specific parameter.
>
> It is possible that a coder who is using the PHC hash in his
> applications misuse such an optional parameter intenionally or
> unintenionally. For example by storing the entire plaintext or parts
> into it. At least we should write a note about not doing that or even
> better completly not allow the use of an optional parameter.
>
> --
> Jens
>

--bcaec553fde040b20304d5d5d6d3
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div style>Agree on the first point. On the second point, =
I think he is suggesting that you would have to save some of the initial in=
put, but there is no reason that you wouldn&#39;t be able to apply the hypo=
thetical construction to its own output to increase the required work per v=
erification (similar to how some developers are currently upgrading MD5(pwd=
) to bcrypt(MD5(pwd)) to increase cost without requiring users to log in.)<=
/div>
</div><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On Sat,=
 Feb 16, 2013 at 12:22 PM, Jens Steube <span dir=3D"ltr">&lt;<a href=3D"mai=
lto:jens.steube@gmail.com" target=3D"_blank">jens.steube@gmail.com</a>&gt;<=
/span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">Hey Guys,<br>
<br>
even if gat3way&#39;s (coder of hashkill) comments were written in a way<br=
>
so that they sound like a joke they should be taken seriously.<br>
<br>
If you missed them, here they are:<br>
<br>
&gt; 09:29:30 gat3way | Hey are you sure about that criterion:<br>
&gt; 09:29:32 gat3way | &quot;Ability to transform an existing hash to a di=
fferent cost setting without knowledge of the password.&quot;<br>
&gt; 09:29:52 gat3way | assuming that was possible, it means I can change c=
ost to 1 then attack the hash :)<br>
&gt; 09:39:47 jchillerup | i think it implies transforming it into only *mo=
re* expensive versions<br>
&gt; 09:40:02 jchillerup | Otherwise it wouldn&#39;t make sense :)<br>
<br>
Of course, jchillerup is right. I think we should update the CFS to<br>
make that clear. In a world full of wrong or partially wrong<br>
information troublemaker can simply abuse this lack of clarity to<br>
create an Illusion of a weakness in the PHC hash. Such an Illusion can<br>
easily cost its credibility.<br>
<br>
&gt; 09:45:02 gat3way | Is it allowed to rely on a secret parameter other t=
han the password then?<br>
&gt; 09:45:36 gat3way | otherwise I am afraid such requirement would very l=
ikely inherently weaken security<br>
<br>
I am not sure what his concern is about. I think it is the following:<br>
We allow the use of a &quot;optional input&quot;:<br>
<br>
&gt; Other optional inputs include local parameters such as a personalizati=
on string, a secret key, or any application-specific parameter.<br>
<br>
It is possible that a coder who is using the PHC hash in his<br>
applications misuse such an optional parameter intenionally or<br>
unintenionally. For example by storing the entire plaintext or parts<br>
into it. At least we should write a note about not doing that or even<br>
better completly not allow the use of an optional parameter.<br>
<br>
--<br>
Jens<br>
</blockquote></div><br></div>

--bcaec553fde040b20304d5d5d6d3--

From jenschristian@gmail.com  Sam fÃ©v 16 11:43:58 2013 +0000
Return-Path: <jenschristian@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 22866 invoked by uid 89); 16 Feb 2013 11:43:58 -0000
Received: by simscan 1.4.0 ppid: 22860, pid: 22862, t: 0.2762s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: *
X-Spam-Status: No, score=1.5 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-qe0-f53.google.com) (209.85.128.53)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 16 Feb 2013 11:43:58 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.128.53 as permitted sender)
Received: by mail-qe0-f53.google.com with SMTP id 1so1803213qee.40
        for <discussions@password-hashing.net>; Sat, 16 Feb 2013 03:43:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:mime-version:sender:in-reply-to:references:from:date
         :x-google-sender-auth:message-id:subject:to:cc:content-type;
        bh=16f7l6Lvqs0r3Tfk6crKQBKrAcp9MK8IwzHUS/uIwmU=;
        b=rEv9PaCSXCbzP5zYuMj6dlz7laQcowWIbCnCf8b4tTOOp62yaO1Ap+eTe+IyqzLgOg
         DbnNmAvg+okWD0JuLKSKsNeFSzrc01jyScp3qaFyYJCH4LQ/SG1bnn+4dHJQyib1fsXS
         0z3oG2bolnwYV6ttDdz/RZ/c/LBNG07jWx+EVNsvF2/GOOQsTEF9LGR6dMM9oRMe9zCa
         +4RMxFhtyMXQ715SgWy4LNKTziE2hHwKX0q5RONiprMr567gt7TuqwSDpoc7Sb1SCKht
         JhhLU7oH8JdM5U413WwqovAVyv1r9OK0unYJ/s+VzwvnyMD27MFTChWi9m4xlfeSjv1u
         9NrA==
X-Received: by 10.229.252.208 with SMTP id mx16mr443971qcb.37.1361015037033;
 Sat, 16 Feb 2013 03:43:57 -0800 (PST)
MIME-Version: 1.0
Sender: jenschristian@gmail.com
Received: by 10.49.117.201 with HTTP; Sat, 16 Feb 2013 03:43:36 -0800 (PST)
In-Reply-To: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com>
References: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com>
From: Jens Christian Hillerup <jens@hillerup.net>
Date: Sat, 16 Feb 2013 12:43:36 +0100
X-Google-Sender-Auth: cjLk1ChmYto7DmtTMVnsAXKFJho
Message-ID: <CAMGhuPFhk4tsmN0h5tcd8cFKhV6teeR9HFfKy4A42ypCP7yVQw@mail.gmail.com>
To: Jens Steube <jens.steube@gmail.com>
Cc: discussions@password-hashing.net
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [PHC] Different cost settings and optional input

On Sat, Feb 16, 2013 at 12:22 PM, Jens Steube <jens.steube@gmail.com> wrote:
> Of course, jchillerup is right. I think we should update the CFS to
> make that clear. In a world full of wrong or partially wrong
> information troublemaker can simply abuse this lack of clarity to
> create an Illusion of a weakness in the PHC hash. Such an Illusion can
> easily cost its credibility.
>
>> 09:45:02 gat3way | Is it allowed to rely on a secret parameter other than the password then?
>> 09:45:36 gat3way | otherwise I am afraid such requirement would very likely inherently weaken security
>
> I am not sure what his concern is about. I think it is the following:
> We allow the use of a "optional input":

(I'm jchillerup from the previous IRC discussion - hi)

I also had some doubts when I read that. Given two hashes, it'd be
trivial to determine if they share a preimage; just, in parallel,
increase the work for both of them by 1 until you see a hash you've
seen before in the chain (hit), or you've increased-by-one for too
long (miss).

However, this attack is not that important I'd argue, because if two
equal passwords *exist* it is likely that that password is in some
dictionary anyway, or that they originate from the same person. For
the former case the attacker could perform a dictionary attack on the
variant that requires lesser work. But hopefully the final PHC
candidate will require too much work for dictionary attacks, even at
its lightest setting. For the latter case the attacker would know that
the two passwords are equal, and not a lot more than that.

JC

From patrick@patrickmn.com  Sam fÃ©v 16 11:54:29 2013 +0000
Return-Path: <patrick@patrickmn.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 23402 invoked by uid 89); 16 Feb 2013 11:54:29 -0000
Received: by simscan 1.4.0 ppid: 23396, pid: 23398, t: 0.2753s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=HTML_MESSAGE,RDNS_NONE
	autolearn=no version=3.2.5
Received: from unknown (HELO mail-la0-f51.google.com) (209.85.215.51)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 16 Feb 2013 11:54:29 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.215.51 as permitted sender)
Received: by mail-la0-f51.google.com with SMTP id fo13so4225459lab.38
        for <discussions@password-hashing.net>; Sat, 16 Feb 2013 03:54:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=patrickmylund.com; s=pmylund;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:cc:content-type;
        bh=QIFWyGShEZXcVEwTsSn6VmpigHnMkZF7ihKruOnTn78=;
        b=h3GYijEtK+WymaHTB+S22bkieB+pphORPYToGe5u0yqARv/LQJr8s5t0jOSUmjccu5
         JN0mvHTEwW0hIafKmlmeqi3s9CgxLS3sowrMJve0ELRr1LtxeJuaIqnlueuWM9b8945s
         MHOPPuMpY4S4tmoJBy6dVkVCwRZr5YHado4sI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:cc:content-type:x-gm-message-state;
        bh=QIFWyGShEZXcVEwTsSn6VmpigHnMkZF7ihKruOnTn78=;
        b=KfYOAWVN3MPYcGOqGpI8KHceNQCmBnZ3G1TnHUrN1ipRbJsyzE52loaD1j+Cgp4hah
         Mci7f3ACqIB92BXjl2ZeQEMIF++mbkSHodM/3bVw+UcTRW9N5c2hoGyWVqQkjcZdN0vv
         Tqe+cbfPiCAH/ykqKvGOLbOtwcfSgAQfzq1PdwkE01LR9urdcsM8C7LBU6T1zLtJ9wdl
         CVN0v0KZQjRY5yt1BiANOqPktkwNZmMa0fE9wz9AB80UbsED6WmjSJ1WP29n9kwbnRkl
         dRspwa+eSkj4Gq9mvJkVdQBdW/src/9nuBhxvpMAo7TXlFkXbdDF36tNzGvjTEWoSUwQ
         lQ7g==
MIME-Version: 1.0
X-Received: by 10.112.41.101 with SMTP id e5mr3174925lbl.120.1361015668426;
 Sat, 16 Feb 2013 03:54:28 -0800 (PST)
Received: by 10.112.74.162 with HTTP; Sat, 16 Feb 2013 03:54:28 -0800 (PST)
X-Originating-IP: [85.224.171.72]
In-Reply-To: <CAMGhuPFhk4tsmN0h5tcd8cFKhV6teeR9HFfKy4A42ypCP7yVQw@mail.gmail.com>
References: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com>
	<CAMGhuPFhk4tsmN0h5tcd8cFKhV6teeR9HFfKy4A42ypCP7yVQw@mail.gmail.com>
Date: Sat, 16 Feb 2013 12:54:28 +0100
Message-ID: <CAEw2jfzDh6d61PTMp3U2YqiBvYbuRA=skQGazsJuYJ7SWFS6CQ@mail.gmail.com>
From: Patrick Mylund Nielsen <patrick@patrickmylund.com>
To: Jens Christian Hillerup <jens@hillerup.net>
Cc: Jens Steube <jens.steube@gmail.com>, discussions@password-hashing.net
Content-Type: multipart/alternative; boundary=e0cb4efe2f9c73480204d5d627ae
X-Gm-Message-State: ALoCoQnFYQEjN7vCHOX3/ceOpP2etU8dex/Kpq3ojv4hsTQiHEW4jIFQmJlnVdGor5MsXyIxQl0T
Subject: Re: [PHC] Different cost settings and optional input

--e0cb4efe2f9c73480204d5d627ae
Content-Type: text/plain; charset=UTF-8

A non-secret parameter (salt) would presumably solve that problem.


On Sat, Feb 16, 2013 at 12:43 PM, Jens Christian Hillerup <jens@hillerup.net
> wrote:

> On Sat, Feb 16, 2013 at 12:22 PM, Jens Steube <jens.steube@gmail.com>
> wrote:
> > Of course, jchillerup is right. I think we should update the CFS to
> > make that clear. In a world full of wrong or partially wrong
> > information troublemaker can simply abuse this lack of clarity to
> > create an Illusion of a weakness in the PHC hash. Such an Illusion can
> > easily cost its credibility.
> >
> >> 09:45:02 gat3way | Is it allowed to rely on a secret parameter other
> than the password then?
> >> 09:45:36 gat3way | otherwise I am afraid such requirement would very
> likely inherently weaken security
> >
> > I am not sure what his concern is about. I think it is the following:
> > We allow the use of a "optional input":
>
> (I'm jchillerup from the previous IRC discussion - hi)
>
> I also had some doubts when I read that. Given two hashes, it'd be
> trivial to determine if they share a preimage; just, in parallel,
> increase the work for both of them by 1 until you see a hash you've
> seen before in the chain (hit), or you've increased-by-one for too
> long (miss).
>
> However, this attack is not that important I'd argue, because if two
> equal passwords *exist* it is likely that that password is in some
> dictionary anyway, or that they originate from the same person. For
> the former case the attacker could perform a dictionary attack on the
> variant that requires lesser work. But hopefully the final PHC
> candidate will require too much work for dictionary attacks, even at
> its lightest setting. For the latter case the attacker would know that
> the two passwords are equal, and not a lot more than that.
>
> JC
>

--e0cb4efe2f9c73480204d5d627ae
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">A non-secret parameter (salt) would presumably solve that =
problem.</div><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote"=
>On Sat, Feb 16, 2013 at 12:43 PM, Jens Christian Hillerup <span dir=3D"ltr=
">&lt;<a href=3D"mailto:jens@hillerup.net" target=3D"_blank">jens@hillerup.=
net</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><div class=3D"im">On Sat, Feb 16, 2013 at 12=
:22 PM, Jens Steube &lt;<a href=3D"mailto:jens.steube@gmail.com">jens.steub=
e@gmail.com</a>&gt; wrote:<br>

</div><div class=3D"im">&gt; Of course, jchillerup is right. I think we sho=
uld update the CFS to<br>
&gt; make that clear. In a world full of wrong or partially wrong<br>
&gt; information troublemaker can simply abuse this lack of clarity to<br>
&gt; create an Illusion of a weakness in the PHC hash. Such an Illusion can=
<br>
&gt; easily cost its credibility.<br>
&gt;<br>
&gt;&gt; 09:45:02 gat3way | Is it allowed to rely on a secret parameter oth=
er than the password then?<br>
&gt;&gt; 09:45:36 gat3way | otherwise I am afraid such requirement would ve=
ry likely inherently weaken security<br>
&gt;<br>
&gt; I am not sure what his concern is about. I think it is the following:<=
br>
&gt; We allow the use of a &quot;optional input&quot;:<br>
<br>
</div>(I&#39;m jchillerup from the previous IRC discussion - hi)<br>
<br>
I also had some doubts when I read that. Given two hashes, it&#39;d be<br>
trivial to determine if they share a preimage; just, in parallel,<br>
increase the work for both of them by 1 until you see a hash you&#39;ve<br>
seen before in the chain (hit), or you&#39;ve increased-by-one for too<br>
long (miss).<br>
<br>
However, this attack is not that important I&#39;d argue, because if two<br=
>
equal passwords *exist* it is likely that that password is in some<br>
dictionary anyway, or that they originate from the same person. For<br>
the former case the attacker could perform a dictionary attack on the<br>
variant that requires lesser work. But hopefully the final PHC<br>
candidate will require too much work for dictionary attacks, even at<br>
its lightest setting. For the latter case the attacker would know that<br>
the two passwords are equal, and not a lot more than that.<br>
<span class=3D"HOEnZb"><font color=3D"#888888"><br>
JC<br>
</font></span></blockquote></div><br></div>

--e0cb4efe2f9c73480204d5d627ae--

From solar@openwall.com  Sam fÃ©v 16 14:24:24 2013 +0000
Return-Path: <solar@openwall.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 29525 invoked by uid 89); 16 Feb 2013 14:24:24 -0000
Received: by simscan 1.4.0 ppid: 29519, pid: 29521, t: 0.9415s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mother.openwall.net) (195.42.179.200)
  by qmailtoaster.cryptyx.com with SMTP; 16 Feb 2013 14:24:23 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at openwall.com designates 195.42.179.200 as permitted sender)
Received: (qmail 23653 invoked from network); 16 Feb 2013 14:24:21 -0000
Received: from localhost (HELO pvt.openwall.com) (127.0.0.1)
  by localhost with SMTP; 16 Feb 2013 14:24:21 -0000
Received: by pvt.openwall.com (Postfix, from userid 503)
	id 02B2A6FB04; Sat, 16 Feb 2013 18:24:15 +0400 (MSK)
Date: Sat, 16 Feb 2013 18:24:15 +0400
From: Solar Designer <solar@openwall.com>
To: discussions@password-hashing.net
Cc: Milen Rangelov <gat3way@gmail.com>
Message-ID: <20130216142415.GA29200@openwall.com>
References: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [PHC] Different cost settings and optional input

Milen - I don't know if you have joined us on the discussions list or
not yet, so I am CC'ing you just in case.  Please join us! :-)

On Sat, Feb 16, 2013 at 12:22:39PM +0100, Jens Steube wrote:
> > 09:29:30 gat3way | Hey are you sure about that criterion:
> > 09:29:32 gat3way | "Ability to transform an existing hash to a different cost setting without knowledge of the password."
> > 09:29:52 gat3way | assuming that was possible, it means I can change cost to 1 then attack the hash :)
> > 09:39:47 jchillerup | i think it implies transforming it into only *more* expensive versions
> > 09:40:02 jchillerup | Otherwise it wouldn't make sense :)
> 
> Of course, jchillerup is right. I think we should update the CFS to
> make that clear.

I noticed this curious wording too (in one of the drafts), but I did not
object to it because:

1. We specify nearby that we'll evaluate "Effectiveness of the cost
parameter (e.g. can the time and space expected requirements be
bypassed?)"  Thus, password hashing schemes that allow for cost
downgrades are discouraged.

2. There may be time-memory trade-offs.  If someone clever comes up with
a password hashing scheme where an existing hash may be transformed to a
higher CPU cost but lower memory cost, or vice versa, without knowledge
of the password - this may be fine, as long as this property is known
and considered in the evaluation.  A password hashing scheme should not
be automatically disqualified, nor necessarily discouraged, just for
possessing this property.  In some cases, this property may be useful.

Note that this potentially differs from scrypt's TMTO.  In scrypt, the
TMTO is available for each individual scrypt computation, without having
to do any precomputation (transforming the stored hash).  In #2 above, I
am referring to a broader class of possible TMTOs, including those that
may require significant amount of precomputation (just not knowledge or
cracking of the actual password).

In other words, I did not object because I did not want us to throw the
potential baby out with the water.  I also did not explain this until
now, though - perhaps I should have. :-)

And maybe we should revise the wording somehow... or link to this sort
of explanation, which we'd put somewhere (near the end of the FAQ, as
perhaps this is not a very frequent question, yet it may come up more
than once?)

As to TMTOs in general, there are some pros and cons to having and not
having them in a password hashing scheme.  (In fact, "not having" only
means that the TMTOs are such that they're not lucrative for almost any
attacker.  Not that they literally don't exist.)  I expect that some of
the submissions of sequential memory-hard schemes will (deliberately?)
allow for TMTOs, some will (deliberately?) defeat TMTOs, and some will
have a Boolean parameter controlling that.  All of these are welcome.

Alexander

From Jeffrey@goldmark.org  Sam fÃ©v 16 15:47:23 2013 +0000
Return-Path: <Jeffrey@goldmark.org>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 405 invoked by uid 89); 16 Feb 2013 15:47:22 -0000
Received: by simscan 1.4.0 ppid: 399, pid: 401, t: 0.5511s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO out1-smtp.messagingengine.com) (66.111.4.25)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 16 Feb 2013 15:47:22 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at goldmark.org designates 66.111.4.25 as permitted sender)
Received: from compute1.internal (compute1.nyi.mail.srv.osa [10.202.2.41])
	by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id 2D1FD20978
	for <discussions@password-hashing.net>; Sat, 16 Feb 2013 10:47:20 -0500 (EST)
Received: from frontend2.nyi.mail.srv.osa ([10.202.2.161])
  by compute1.internal (MEProxy); Sat, 16 Feb 2013 10:47:20 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=goldmark.org; h=
	from:content-type:message-id:mime-version:subject:date
	:references:to:in-reply-to; s=mesmtp; bh=7K/7amQEcl8CxjAVy5F/f1Q
	CFpk=; b=sDijbZFmDt55Tckye+c+tcRID0wCiP6R/N7pIPMXpJaefdC9ZMGvCPo
	d53jr3XPLjVFpAyMd6v8VUgFliZhxf/NosBX9l/NFyKghdpaI3XaxlE4F6RH+j2S
	S4AIxDiPnUYHJh28w2kFvWd3ef7Eku841xvNHWbUaqurC3KKC9rk=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
	messagingengine.com; h=from:content-type:message-id:mime-version
	:subject:date:references:to:in-reply-to; s=smtpout; bh=7K/7amQEc
	l8CxjAVy5F/f1QCFpk=; b=Y6kYSFn7RiWUtNvHSnC9OBsfSAljpls8RLbCYlUij
	tJsVzHCXg01UxfkQyAY/nZijDYQJz24hjSU6E8eICgVt/vgIc5vLIt9PUqnWAWqe
	N/gj350XNOJVtdvvp74IfZQboDrqQhocGVq2SPN2lj/TVydvMcMr6LSj47GRkImZ
	xA=
X-Sasl-enc: uV/ao0rUlpOiwQeWmEyUWpsuezh8IFDW20Ko5ziNu63E 1361029639
Received: from [10.137.0.26] (unknown [23.20.101.138])
	by mail.messagingengine.com (Postfix) with ESMTPA id 9C0F5482624
	for <discussions@password-hashing.net>; Sat, 16 Feb 2013 10:47:19 -0500 (EST)
From: Jeffrey Goldberg <Jeffrey@goldmark.org>
Content-Type: multipart/signed; boundary="Apple-Mail=_0EA9298F-527A-4BEA-BF13-FB98241154DA"; protocol="application/pkcs7-signature"; micalg=sha1
Message-Id: <3E7CF095-C2A0-475A-805A-52DAACDA88E5@goldmark.org>
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
Date: Sat, 16 Feb 2013 09:47:18 -0600
References: <26BCC3EF-F3B8-40B4-BCC0-1A0C784202A8@goldmark.org>
To: "discussions@password-hashing.net" <discussions@password-hashing.net>
In-Reply-To: <26BCC3EF-F3B8-40B4-BCC0-1A0C784202A8@goldmark.org>
X-Mailer: Apple Mail (2.1499)
Subject: Re: [PHC] Answered: History question


--Apple-Mail=_0EA9298F-527A-4BEA-BF13-FB98241154DA
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

On Feb 15, 2013, at 3:56 PM, Jeffrey Goldberg <jeffrey@goldmark.org> =
wrote:

> To what extent is it fair to write "the PHC grew out of discussion =
from #passwords12" ?

Thank you everyone who responded.  The answer is that PHC did not evolve =
out of discussion at #passwords12.

I''m glad I asked.

Cheers,

-j


--Apple-Mail=_0EA9298F-527A-4BEA-BF13-FB98241154DA
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIMYDCCBWow
ggRSoAMCAQICEAUsQ0Zoth21zr3tmEkHHA8wDQYJKoZIhvcNAQEFBQAwgd0xCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29y
azE7MDkGA1UECxMyVGVybXMgb2YgdXNlIGF0IGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9ycGEg
KGMpMDkxHjAcBgNVBAsTFVBlcnNvbmEgTm90IFZhbGlkYXRlZDE3MDUGA1UEAxMuVmVyaVNpZ24g
Q2xhc3MgMSBJbmRpdmlkdWFsIFN1YnNjcmliZXIgQ0EgLSBHMzAeFw0xMzAxMDEwMDAwMDBaFw0x
NDAxMDIyMzU5NTlaMIIBFzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlT
aWduIFRydXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9S
UEEgSW5jb3JwLiBieSBSZWYuLExJQUIuTFREKGMpOTgxHjAcBgNVBAsTFVBlcnNvbmEgTm90IFZh
bGlkYXRlZDEzMDEGA1UECxMqRGlnaXRhbCBJRCBDbGFzcyAxIC0gTmV0c2NhcGUgRnVsbCBTZXJ2
aWNlMRkwFwYDVQQDFBBKZWZmcmV5IEdvbGRiZXJnMSMwIQYJKoZIhvcNAQkBFhRqZWZmcmV5QGdv
bGRtYXJrLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOvq3f2egwTyS3lokjD7
i8R3AXPFw+qPHbIhrmoAenCnG02a1zbgEdLSJm+JM9uawV9KnkBES3fix+bX4R/1sf9LS0NGbfGD
sh+zLoKwUrkJdyUJOGwiCy2IKoWNEXEKKxxfqzicVZV21gbq+ae3eftCbEd8jNHplIBbXHufdCIE
3qK6wAybuhmz8oY3SieJ0GkE1Tk+nY2Vjq6DkR03lhQaBmVUPXIQoMZapvvPslwI6brIfnGCPxq+
JuIfTxgT9Ov9Ta1C3j/7ZojPu/SElFo5Y7gKOyFvTOoTCXPmx/lPfxlxT0ltbTefOy7bPkxJS/W5
h6CS3TwjYFj0Fw7MnXMCAwEAAaOB6DCB5TAJBgNVHRMEAjAAMEQGA1UdIAQ9MDswOQYLYIZIAYb4
RQEHFwEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYTALBgNVHQ8E
BAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMCMBQGCmCGSAGG+EUBBgcEBhYETm9u
ZTBQBgNVHR8ESTBHMEWgQ6BBhj9odHRwOi8vaW5kYzFkaWdpdGFsaWQtZzMtY3JsLnZlcmlzaWdu
LmNvbS9JbmRDMURpZ2l0YWxJRC1HMy5jcmwwDQYJKoZIhvcNAQEFBQADggEBAL5teo2eDuKR9nvw
HwnUNxMtgydljXGSQLiJIpzzAJAeN+cjmuwTy3i4RKZNJD8y6evsiW1Xofg+yKCJ+/S2dTHaUgmv
EAPzUIVaJsMJsqpChZyYPE8d45FSlq3jMLvgOCgq1Qqww3JrUE9wV0SVCymDAnl20nZwz3/S6VW7
mMvl9JWnesngfxjhdC3ack+82L/qIEMoHlm0CR1qvFb0gxBX5GAQuaRnZPv/BX/zmHoixnnSI7nc
wv+6rdwAEogFgcFIsuSwjnx6FEKb6nXQ6JWhN/1A1uXWzgAnjt7413eiAEyrujZDXtqGQK88yJh6
+Fn65Jn4B87PL+crC53oe+8wggbuMIIF1qADAgECAhBxFWYFSuSRIU3pvET5rNPcMA0GCSqGSIb3
DQEBBQUAMIHKMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsT
FlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWduLCBJbmMu
IC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWduIENsYXNzIDEgUHVi
bGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMzAeFw0wOTA1MDEwMDAwMDBa
Fw0xOTA0MzAyMzU5NTlaMIHdMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4x
HzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOzA5BgNVBAsTMlRlcm1zIG9mIHVzZSBh
dCBodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhIChjKTA5MR4wHAYDVQQLExVQZXJzb25hIE5v
dCBWYWxpZGF0ZWQxNzA1BgNVBAMTLlZlcmlTaWduIENsYXNzIDEgSW5kaXZpZHVhbCBTdWJzY3Jp
YmVyIENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDtxEffKigdfAZru9ch
MslsE4/psY1BTjT32gvjavpliCALERPpm+BJTotv1QHQXw1HkYpaTHQ+P8aRCbtMNJ6NbqGCUWL3
aXZYlgevnhQYB09avZ/SMbJUGXNGahlCEewScyGN9dwwzeXZVgoxxTZtKRSXvS3aiUcZiNhLBD3r
tjxnHnQAEw3QhtqTZ/gzA64aPGtpePbALI7hgz93+Zn//p9SWsK0hwrYbKlHwVQpZUM+SsCWH8Gt
93evbLEEXr7BtpQtl5AtJ9K7HumDaoT2xLKuIwZlJqUnWCsHIrRvpmJIGnfy1VAnminTlvso9bok
dmLjjFnr+27VQsS+Qcf1AgMBAAGjggK5MIICtTA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGG
GGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTASBgNVHRMBAf8ECDAGAQH/AgEAMHAGA1UdIARpMGcw
ZQYLYIZIAYb4RQEHFwEwVjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2Nw
czAqBggrBgEFBQcCAjAeGhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMDQGA1UdHwQtMCsw
KaAnoCWGI2h0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTEtZzMuY3JsMA4GA1UdDwEB/wQEAwIB
BjBuBggrBgEFBQcBDARiMGChXqBcMFowWDBWFglpbWFnZS9naWYwITAfMAcGBSsOAwIaBBRLa7ko
lgYMu9BSOJsprEsHiyEFGDAmFiRodHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYw
LgYDVR0RBCcwJaQjMCExHzAdBgNVBAMTFlByaXZhdGVMYWJlbDQtMjA0OC0xMTgwHQYDVR0OBBYE
FHlHYQhB/TgEokvntcz1Q/ZJKxH4MIHxBgNVHSMEgekwgeahgdCkgc0wgcoxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29y
azE6MDgGA1UECxMxKGMpIDE5OTkgVmVyaVNpZ24sIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ug
b25seTFFMEMGA1UEAxM8VmVyaVNpZ24gQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0
aW9uIEF1dGhvcml0eSAtIEczghEAi1t1VoRUhQsAz684SM6xpDANBgkqhkiG9w0BAQUFAAOCAQEA
OU3PQZmBtakFtVI46TmEiWzkNKha59hsCUwkGrpZpIc7cyHxk4HPv2hjWmf+NYUrocNdo0rCOhnd
MNbMTe/x0oGXylRaQ783i3qOGY0PQ6iM8q9gsxWKs5WcPOCesyeYpDVyF+X8Kl2H04oNwtFFKvjA
9KwqkzrVrhJwCOv7O+J37OgrZDV2zbra4NHLFNZxWJu+1T59ttnoJMUkZkxdkR92sxc+fw3GIYkv
sze4of9csm1J3mVSQvsOiNLtSh2/S+P4zHL6SA5ljknI1viZmDu3lD4xcQaH+mxZUy7X3yvtX2MA
rBXtA7hVFozGaAPnIqhzC7G8oNpSWN0KDn/BgjGCBIswggSHAgEBMIHyMIHdMQswCQYDVQQGEwJV
UzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdv
cmsxOzA5BgNVBAsTMlRlcm1zIG9mIHVzZSBhdCBodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBh
IChjKTA5MR4wHAYDVQQLExVQZXJzb25hIE5vdCBWYWxpZGF0ZWQxNzA1BgNVBAMTLlZlcmlTaWdu
IENsYXNzIDEgSW5kaXZpZHVhbCBTdWJzY3JpYmVyIENBIC0gRzMCEAUsQ0Zoth21zr3tmEkHHA8w
CQYFKw4DAhoFAKCCAm0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
MTMwMjE2MTU0NzE5WjAjBgkqhkiG9w0BCQQxFgQU2uzAhA9neifcnAVCxItXh4+kYGwwggEDBgkr
BgEEAYI3EAQxgfUwgfIwgd0xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEf
MB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazE7MDkGA1UECxMyVGVybXMgb2YgdXNlIGF0
IGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9ycGEgKGMpMDkxHjAcBgNVBAsTFVBlcnNvbmEgTm90
IFZhbGlkYXRlZDE3MDUGA1UEAxMuVmVyaVNpZ24gQ2xhc3MgMSBJbmRpdmlkdWFsIFN1YnNjcmli
ZXIgQ0EgLSBHMwIQBSxDRmi2HbXOve2YSQccDzCCAQUGCyqGSIb3DQEJEAILMYH1oIHyMIHdMQsw
CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRy
dXN0IE5ldHdvcmsxOzA5BgNVBAsTMlRlcm1zIG9mIHVzZSBhdCBodHRwczovL3d3dy52ZXJpc2ln
bi5jb20vcnBhIChjKTA5MR4wHAYDVQQLExVQZXJzb25hIE5vdCBWYWxpZGF0ZWQxNzA1BgNVBAMT
LlZlcmlTaWduIENsYXNzIDEgSW5kaXZpZHVhbCBTdWJzY3JpYmVyIENBIC0gRzMCEAUsQ0Zoth21
zr3tmEkHHA8wDQYJKoZIhvcNAQEBBQAEggEAiRL3E7NOe71tpKuX2IiMrE2mepx/xW3iaqxtGbVP
W47d88t27ihum6gfxSnr2YygaUl71RlNJBh9bF3hsqqLByCXFMXV7mZj2UXX4lyAgkIoTDp7i1Hk
cUa+/WGCwP5N2vAZI4wA+IRalzZ/2C2Fx5o7uavHRpE7SvIvP70VxUaBcaYhUMwC1z4HePdbv3Xi
KHYzyf6fGpc2opCzH7Dwz+ttYsQcvqPiWxs/cAgxqfBtv8pfjG5m8Q4O1CK8WI5e1toL3I99iuRC
KS9XhSxLcUm4UjGyo/bE0vOQg7SbYTvTOWpJ/5F/hkD7cjLB3DUy88mwJvORgDG0oz35Fl4cDQAA
AAAAAA==

--Apple-Mail=_0EA9298F-527A-4BEA-BF13-FB98241154DA--

From Jeffrey@goldmark.org  Sam fÃ©v 16 15:59:43 2013 +0000
Return-Path: <Jeffrey@goldmark.org>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 849 invoked by uid 89); 16 Feb 2013 15:59:42 -0000
Received: by simscan 1.4.0 ppid: 843, pid: 845, t: 0.3150s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO out1-smtp.messagingengine.com) (66.111.4.25)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 16 Feb 2013 15:59:42 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at goldmark.org designates 66.111.4.25 as permitted sender)
Received: from compute6.internal (compute6.nyi.mail.srv.osa [10.202.2.46])
	by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id 8320D20951
	for <discussions@password-hashing.net>; Sat, 16 Feb 2013 10:59:41 -0500 (EST)
Received: from frontend2.nyi.mail.srv.osa ([10.202.2.161])
  by compute6.internal (MEProxy); Sat, 16 Feb 2013 10:59:41 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=goldmark.org; h=
	from:content-type:content-transfer-encoding:subject:message-id
	:date:to:mime-version; s=mesmtp; bh=r1End51q62ljpjjYtcMkUmeVGmc=; b=
	nTNxmAA4+Kq8SlVd512RV7XrByHJ+aQkS/WACmoZIE2Fvmo77Cyli8YaB27kBdwH
	3sok5hLSp1/0fLNtrOJ0M1qD/vYLL8TApG7RN4aVWm1+w24DySucc7zNweGonEhF
	BYj3drd0i7GKxFHcOIm5UxMjBGFNMAdUTyljtKVaeQo=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
	messagingengine.com; h=from:content-type
	:content-transfer-encoding:subject:message-id:date:to
	:mime-version; s=smtpout; bh=r1End51q62ljpjjYtcMkUmeVGmc=; b=YUe
	joKGu53+RqNsKQ5YMTaz3mJPeDbwAol20vkuy8CGFnjQ9Cf8gwnVFc6ZqoRX+jfI
	IgZ6lCVOI31dJbpcNQ2Rrq5yh2DoXnfetzYTupMWzUoODb+UAoJKVNkIr3LRX7fX
	iaOR6B54jTA18e3D25DRbEk6VH66uJK1AZcxt+h8=
X-Sasl-enc: p0vzJzAi+w9VoV4IvT0xwpIdCqtpkS8jLAtWYzCYfOer 1361030381
Received: from [10.137.0.26] (unknown [23.20.101.138])
	by mail.messagingengine.com (Postfix) with ESMTPA id 1009A482505
	for <discussions@password-hashing.net>; Sat, 16 Feb 2013 10:59:40 -0500 (EST)
From: Jeffrey Goldberg <Jeffrey@goldmark.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <49646EF5-3F83-45A8-89CD-B444143EBDB9@goldmark.org>
Date: Sat, 16 Feb 2013 09:59:39 -0600
To: "discussions@password-hashing.net" <discussions@password-hashing.net>
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
X-Mailer: Apple Mail (2.1499)
Subject: Any "large verifiers" on the panel?

I'm not familiar with everyone on the panel, but I think it would be =
useful to have someone with an understanding of having to deal with a =
large number of legitimate authentication sessions.  Someone who, say, =
manages Gmail logins (IMAP, web, etc) may have insight into what sorts =
of cost parameters they would like to have.

Basically, it would be really sucky to settle upon a winner and then =
have sites and services say, "we won't use that because we can't manage =
our verification costs the way we need to."

Cheers,

-j


From maray@microsoft.com  Sam fÃ©v 16 22:29:46 2013 +0000
Return-Path: <maray@microsoft.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 15377 invoked by uid 89); 16 Feb 2013 22:29:46 -0000
Received: by simscan 1.4.0 ppid: 15370, pid: 15373, t: 0.7775s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO na01-by2-obe.outbound.protection.outlook.com) (unknown@207.46.100.24)
  by qmailtoaster.cryptyx.com with (AES128-SHA encrypted) SMTP; 16 Feb 2013 22:29:45 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at spfa.frontbridge.com designates 207.46.100.24 as permitted sender)
Received: from BY2FFO11FD010.protection.gbl (10.1.15.204) by
 BY2FFO11HUB005.protection.gbl (10.1.14.163) with Microsoft SMTP Server (TLS)
 id 15.0.620.12; Sat, 16 Feb 2013 22:29:41 +0000
Received: from TK5EX14HUBC101.redmond.corp.microsoft.com (131.107.125.37) by
 BY2FFO11FD010.mail.protection.outlook.com (10.1.14.74) with Microsoft SMTP
 Server (TLS) id 15.0.620.12 via Frontend Transport; Sat, 16 Feb 2013 22:29:40
 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.12]) by
 TK5EX14HUBC101.redmond.corp.microsoft.com ([157.54.7.153]) with mapi id
 14.02.0318.003; Sat, 16 Feb 2013 22:29:37 +0000
From: Marsh Ray <maray@microsoft.com>
To: Solar Designer <solar@openwall.com>, "discussions@password-hashing.net"
	<discussions@password-hashing.net>
CC: Milen Rangelov <gat3way@gmail.com>
Thread-Topic: [PHC] Different cost settings and optional input
Thread-Index: AQHODDf2ibioHMamr0O0QaBrexsptJh8iiiAgAB4JSA=
Date: Sat, 16 Feb 2013 22:29:37 +0000
Message-ID: <218AE73F98E99C4C98AF7D5166AA798E09036F25@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com>
 <20130216142415.GA29200@openwall.com>
In-Reply-To: <20130216142415.GA29200@openwall.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.36]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report:
 CIP:131.107.125.37;CTRY:US;IPV:CAL;IPV:NLI;EFV:NLI;SFV:NSPM;SFS:(51704002)(199002)(189002)(13464002)(79102001)(66066001)(551544001)(65816001)(56816002)(33656001)(59766001)(80022001)(23726001)(50466001)(51856001)(77982001)(74662001)(44976002)(31966008)(74502001)(47446002)(55846006)(20776003)(47976001)(16406001)(54316002)(76482001)(49866001)(46406002)(4396001)(46102001)(53806001)(56776001)(63696002)(47776003)(47736001)(5343655001)(50986001)(54356001);DIR:OUT;SFP:;SCL:1;SRVR:BY2FFO11HUB005;H:TK5EX14HUBC101.redmond.corp.microsoft.com;RD:InfoDomainNonexistent;A:1;MX:1;LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0759F7A50A
Subject: RE: [PHC] Different cost settings and optional input

> -----Original Message-----
> From: Solar Designer [mailto:solar@openwall.com]
>=20
> 1. We specify nearby that we'll evaluate "Effectiveness of the cost param=
eter
> (e.g. can the time and space expected requirements be bypassed?)"  Thus,
> password hashing schemes that allow for cost downgrades are discouraged.

I've heard of people using password hashing schemes that attempt to add enc=
rypted elements or other secrecy for the resulting hash values. One popular=
 formulation is to keep the salt secret and treat it as a per-hash key. Thi=
s is usually done by folks coming from a SQL database background who are lo=
oking at defending against pure SQLi attacks.

Some schemes allow the defender to increase the work factor by adding more =
iterations. Of course, if he fails to destroy the old hashes before the att=
acker obtains them, he's only increased the work for himself. I have also h=
eard of people (I think in a discussion on Hacker News) building trapdoors =
into their hash functions such that the knowledge of a secret key (say, kep=
t in an HSM) could be used to reduce the work factor for the defender.

I don't think any features which could be added with simple encryption or k=
eeping multiple hashes around should be considered part of the PHC itself. =
I don't see these features have general utility, unless it proves truly pop=
ular enough to benefit from standardization.

> 2. There may be time-memory trade-offs.  If someone clever comes up with
> a password hashing scheme where an existing hash may be transformed to a
> higher CPU cost but lower memory cost, or vice versa, without knowledge o=
f
> the password - this may be fine, as long as this property is known and
> considered in the evaluation.  A password hashing scheme should not be
> automatically disqualified, nor necessarily discouraged, just for possess=
ing
> this property.  In some cases, this property may be useful.

> And maybe we should revise the wording somehow... or link to this sort of
> explanation, which we'd put somewhere (near the end of the FAQ, as
> perhaps this is not a very frequent question, yet it may come up more tha=
n
> once?)

We will likely see submissions with these features and should probably have=
 a plan in advance as to whether or not they will be considered beneficial.=
 Unfortunately, if we award any points for such flexibility then probably t=
he serious entrants will feel compelled to add them.

> As to TMTOs in general, there are some pros and cons to having and not
> having them in a password hashing scheme.  (In fact, "not having" only
> means that the TMTOs are such that they're not lucrative for almost any
> attacker.  Not that they literally don't exist.)  I expect that some of t=
he
> submissions of sequential memory-hard schemes will (deliberately?) allow
> for TMTOs, some will (deliberately?) defeat TMTOs, and some will have a
> Boolean parameter controlling that.  All of these are welcome.

It's really interesting stuff. Still, I'm inclined to discourage giving the=
 developer lots of knobs to turn. Some have had trouble with a simple itera=
tion count: https://en.wikipedia.org/wiki/PBKDF2#BlackBerry_vulnerability

- Marsh


From maray@microsoft.com  Sam fÃ©v 16 22:51:35 2013 +0000
Return-Path: <maray@microsoft.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 16248 invoked by uid 89); 16 Feb 2013 22:51:34 -0000
Received: by simscan 1.4.0 ppid: 16242, pid: 16244, t: 0.4805s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO na01-by2-obe.outbound.protection.outlook.com) (unknown@207.46.100.28)
  by qmailtoaster.cryptyx.com with (AES128-SHA encrypted) SMTP; 16 Feb 2013 22:51:34 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at spfa.frontbridge.com designates 207.46.100.28 as permitted sender)
Received: from BY2FFO11FD014.protection.gbl (10.1.15.202) by
 BY2FFO11HUB026.protection.gbl (10.1.14.112) with Microsoft SMTP Server (TLS)
 id 15.0.620.12; Sat, 16 Feb 2013 22:51:29 +0000
Received: from TK5EX14HUBC105.redmond.corp.microsoft.com (131.107.125.37) by
 BY2FFO11FD014.mail.protection.outlook.com (10.1.14.76) with Microsoft SMTP
 Server (TLS) id 15.0.620.12 via Frontend Transport; Sat, 16 Feb 2013 22:51:29
 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.12]) by
 TK5EX14HUBC105.redmond.corp.microsoft.com ([157.54.80.48]) with mapi id
 14.02.0318.003; Sat, 16 Feb 2013 22:51:26 +0000
From: Marsh Ray <maray@microsoft.com>
To: Jens Christian Hillerup <jens@hillerup.net>, Jens Steube
	<jens.steube@gmail.com>
CC: "discussions@password-hashing.net" <discussions@password-hashing.net>
Thread-Topic: [PHC] Different cost settings and optional input
Thread-Index: AQHODDf2ibioHMamr0O0QaBrexsptJh8XUUAgAC1qGA=
Date: Sat, 16 Feb 2013 22:51:25 +0000
Message-ID: <218AE73F98E99C4C98AF7D5166AA798E09036F40@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com>
 <CAMGhuPFhk4tsmN0h5tcd8cFKhV6teeR9HFfKy4A42ypCP7yVQw@mail.gmail.com>
In-Reply-To: <CAMGhuPFhk4tsmN0h5tcd8cFKhV6teeR9HFfKy4A42ypCP7yVQw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.36]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report:
 CIP:131.107.125.37;CTRY:US;IPV:CAL;IPV:NLI;EFV:NLI;SFV:NSPM;SFS:(24454001)(199002)(189002)(15594001)(13464002)(52314002)(51704002)(20776003)(51856001)(59766001)(80022001)(76482001)(47976001)(44976002)(31966008)(47736001)(50986001)(50466001)(49866001)(53806001)(77982001)(23726001)(54356001)(66066001)(63696002)(47776003)(47446002)(5343635001)(551544001)(561944001)(74662001)(4396001)(46102001)(33656001)(56776001)(55846006)(54316002)(16406001)(46406002)(79102001)(56816002)(74502001)(15202345001)(65816001);DIR:OUT;SFP:;SCL:1;SRVR:BY2FFO11HUB026;H:TK5EX14HUBC105.redmond.corp.microsoft.com;RD:InfoDomainNonexistent;A:1;MX:1;LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0759F7A50A
Subject: RE: [PHC] Different cost settings and optional input


> -----Original Message-----
> From: jenschristian@gmail.com [mailto:jenschristian@gmail.com] On Behalf
>=20
> However, this attack is not that important I'd argue, because if two equa=
l
> passwords *exist* it is likely that that password is in some dictionary a=
nyway,
> or that they originate from the same person.

Without disagreeing with your point, I thought I'd take the opportunity to =
dig up some anecdotes:

>From http://reusablesec.blogspot.com/2009/12/rockyou-32-million-password-li=
st-top.html :
>
> Per Thorsheim wrote:
> > I would like to see a comparison of Twitters 370 banned passwords
> > against the top 370 or so passwords stolen from rockyou (http://www.tec=
hcrunch.com/2009/12/27/twitter-banned-passwords/)
>
> A grand total of 38 of the top 100 passwords did not appear in the Twitte=
r blacklist.

Solar would probably have a better sense of things, but my feeling is that =
probably of all the passwords that have been chosen by exactly two users in=
dependently, most of them are not in a dictionary.

I've tried to convince people of the merits of the following scheme:
Use a fixed salt or otherwise allow the comparison of hashes.
Maintain a dictionary or other database of 'seen' hashes across all users. =
Incorporate the latest breaches into your dictionary.
If new user B selects a password (or it appears in a new breach) that is th=
e same as existing user A, force B to select another one and immediately *d=
isable* user A until A successfully performs a password reset operation.

No one seems to care much for this proposal though :-)

- Marsh


From per@thorsheim.net  Sam fÃ©v 16 23:25:36 2013 +0000
Return-Path: <per@thorsheim.net>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 17687 invoked by uid 89); 16 Feb 2013 23:25:36 -0000
Received: by simscan 1.4.0 ppid: 17681, pid: 17683, t: 0.2739s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: **
X-Spam-Status: No, score=2.8 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO smtp.domeneshop.no) (194.63.252.54)
  by qmailtoaster.cryptyx.com with (AES256-SHA encrypted) SMTP; 16 Feb 2013 23:25:36 -0000
Received-SPF: softfail (qmailtoaster.cryptyx.com: transitioning SPF record at thorsheim.net does not designate 194.63.252.54 as permitted sender)
Received: from 213.24.202.84.customer.cdi.no ([84.202.24.213] helo=[192.168.1.145])
	by smtp.domeneshop.no with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.72)
	(envelope-from <per@thorsheim.net>)
	id 1U6r8Q-0007pE-R9; Sun, 17 Feb 2013 00:25:34 +0100
Message-ID: <51201575.2080402@thorsheim.net>
Date: Sun, 17 Feb 2013 00:25:41 +0100
From: Per Thorsheim <per@thorsheim.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: discussions@password-hashing.net
CC: Marsh Ray <maray@microsoft.com>
References: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com> <CAMGhuPFhk4tsmN0h5tcd8cFKhV6teeR9HFfKy4A42ypCP7yVQw@mail.gmail.com> <218AE73F98E99C4C98AF7D5166AA798E09036F40@TK5EX14MBXC286.redmond.corp.microsoft.com>
In-Reply-To: <218AE73F98E99C4C98AF7D5166AA798E09036F40@TK5EX14MBXC286.redmond.corp.microsoft.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHC] Different cost settings and optional input

Den 16.02.2013 23:51, skrev Marsh Ray:
> I've tried to convince people of the merits of the following scheme: 
> Use a fixed salt or otherwise allow the comparison of hashes. Maintain 
> a dictionary or other database of 'seen' hashes across all users. 
> Incorporate the latest breaches into your dictionary. If new user B 
> selects a password (or it appears in a new breach) that is the same as 
> existing user A, force B to select another one and immediately 
> *disable* user A until A successfully performs a password reset 
> operation. No one seems to care much for this proposal though :-) - Marsh 

Ooh. I'd like to see an expanded explanation of that idea Marsh, 
specifically the potential consequences to security usabiliity. Am I 
reading it wrong, or could an attacker exploit your suggestion to 
actually search for 'blacklisted' passwords by trying to create an 
account legally? Perhaps better than Twitter incorporating a client-side 
blacklist of static passwords, but still....

--

This reminds me of a quick discussion I had with Colin Percival at 
Passwords^12, related to 1 of the many subjects I touched into in my 
talk: password history.

(I do not know if this is suitable or relevant for discussions here, so 
I'll just throw it in for consideration.)

For Microsoft Windows, you can extract not only a users current password 
hash (LM/NTLM), but also the complete history of password hashes. (Lets 
forget about pass-the-hash attacks for a moment here). That is - afaik - 
the number of hashes remembered in accordance with the password history 
parameter config. IMHO the more pwd hashes for a single user an attacker 
can obtain, the higher the probability an attacker will break one or 
more, and then eventually spot patterns enabling successful cracking of 
even more hashes.

I do prefer having the option available. Especially in case of a major 
compromise I'd like all users to change their passwords. If they are 
allowed to change their password into the same password as before,  
we're dead. But if users can just use the common password +1 trick, 
getting back in really doesn't represent much of a challenge for an 
attacker - he knows your next password.

If I do remember Colin correctly, he mentioned storing just parts of a 
hash value for previous passwords, as part of a password history scheme. 
This would prevent an attacker from cracking previous passwords, while 
leaving a certain risk of enabling users to change their password into 
their current password.

I have no idea on how this could be done, but in case of a major 
compromise and complete pwd reset, I'd like to prevent users from 
setting a new password that is either equal to, or very 'close' to any 
of the passwords they've used before.

Regards,
Per Thorsheim


From solar@openwall.com  Sam fÃ©v 16 23:26:02 2013 +0000
Return-Path: <solar@openwall.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 17817 invoked by uid 89); 16 Feb 2013 23:26:02 -0000
Received: by simscan 1.4.0 ppid: 17811, pid: 17813, t: 0.4866s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mother.openwall.net) (195.42.179.200)
  by qmailtoaster.cryptyx.com with SMTP; 16 Feb 2013 23:26:01 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at openwall.com designates 195.42.179.200 as permitted sender)
Received: (qmail 1748 invoked from network); 16 Feb 2013 23:26:00 -0000
Received: from localhost (HELO pvt.openwall.com) (127.0.0.1)
  by localhost with SMTP; 16 Feb 2013 23:26:00 -0000
Received: by pvt.openwall.com (Postfix, from userid 503)
	id 1A2FD6FB04; Sun, 17 Feb 2013 03:25:58 +0400 (MSK)
Date: Sun, 17 Feb 2013 03:25:58 +0400
From: Solar Designer <solar@openwall.com>
To: Marsh Ray <maray@microsoft.com>
Cc: "discussions@password-hashing.net" <discussions@password-hashing.net>,
	Milen Rangelov <gat3way@gmail.com>
Message-ID: <20130216232558.GA2457@openwall.com>
References: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com> <20130216142415.GA29200@openwall.com> <218AE73F98E99C4C98AF7D5166AA798E09036F25@TK5EX14MBXC286.redmond.corp.microsoft.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <218AE73F98E99C4C98AF7D5166AA798E09036F25@TK5EX14MBXC286.redmond.corp.microsoft.com>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [PHC] Different cost settings and optional input

On Sat, Feb 16, 2013 at 10:29:37PM +0000, Marsh Ray wrote:
> I've heard of people using password hashing schemes that attempt to add encrypted elements or other secrecy for the resulting hash values. One popular formulation is to keep the salt secret and treat it as a per-hash key. This is usually done by folks coming from a SQL database background who are looking at defending against pure SQLi attacks.

We're trying to carefully refer to this second salt as a local parameter,
so that no one is tempted to make it the only salt.  It is not a
replacement for per-user salts.  I think it makes sense for some PHC
submissions to support both a per-user salt and an optional local
parameter as two separate inputs.

> Some schemes allow the defender to increase the work factor by adding more iterations. Of course, if he fails to destroy the old hashes before the attacker obtains them, he's only increased the work for himself.

Right.  However, if a hashing scheme does not allow for work factor
increase without knowledge of the password, then such increases are
achieved by stacking multiple instances of a password hashing scheme (or
of 2+ different ones even), which is not any better as it relates to the
need to wipe old (lower work factor) hashes.  So there's no additional
harm in providing this feature in a password hashing scheme; it's just
cleaner than the stacking.

> I have also heard of people (I think in a discussion on Hacker News) building trapdoors into their hash functions such that the knowledge of a secret key (say, kept in an HSM) could be used to reduce the work factor for the defender.

I think this is up to them, not a PHC topic.

As it relates to PHC submissions, I think it'd be OK to see some where
trapdoors (fully documented ones, indeed!) are used to allow for
increase of the memory cost (without knowledge of the password, indeed).
(Wipe a trapdoor key(*) to force both the defender and the attacker to use
a higher memory cost algorithm to compute the hashes.)  Maybe someone
manages to design and implement this in an elegant and compact way.  If
so, we might evaluate this as something positive.  I am skeptical, though.

(*) Could be per-hash, and the wiping could be e.g. of just 1 bit of
"key" stored with each hash, which would e.g. double the memory cost by
introducing this much uncertainty over which half of a bigger array the
memory accesses for the unknown correct password should fall into.

> I don't think any features which could be added with simple encryption or keeping multiple hashes around should be considered part of the PHC itself. I don't see these features have general utility, unless it proves truly popular enough to benefit from standardization.

We may have a chicken-egg problem here.  If there's an elegant and
compact PHC submission that possesses some of these optional extra
features, _then_ maybe they'd become reasonable to use and popular.

That said, I agree that many/most PHC submissions may be simple ones,
without the extras, and we're likely to favor them for the simplicity.

> > 2. There may be time-memory trade-offs.  If someone clever comes up with
> > a password hashing scheme where an existing hash may be transformed to a
> > higher CPU cost but lower memory cost, or vice versa, without knowledge of
> > the password - this may be fine, as long as this property is known and
> > considered in the evaluation.  A password hashing scheme should not be
> > automatically disqualified, nor necessarily discouraged, just for possessing
> > this property.  In some cases, this property may be useful.
[...]

> We will likely see submissions with these features and should probably have a plan in advance as to whether or not they will be considered beneficial. Unfortunately, if we award any points for such flexibility then probably the serious entrants will feel compelled to add them.

Are we going to be awarding points at all?  Is this how we'll be
determining the winner(s)?  Maybe, or maybe not.

If we do use a points system, I'd expect us to also be taking away
points for excessive complexity.  So if the "serious entrants" add the
questionable optional features for extra points, they should also know
that they may lose points on the resulting excessive complexity.
However, if they manage to support some optional extras _without_ a
complexity increase, they may legitimately be considered superior.

I do expect us to judge based primarily on the required functionality
and security aspects, with the extras treated as relatively unimportant.

> > As to TMTOs in general, there are some pros and cons to having and not
> > having them in a password hashing scheme.  (In fact, "not having" only
> > means that the TMTOs are such that they're not lucrative for almost any
> > attacker.  Not that they literally don't exist.)  I expect that some of the
> > submissions of sequential memory-hard schemes will (deliberately?) allow
> > for TMTOs, some will (deliberately?) defeat TMTOs, and some will have a
> > Boolean parameter controlling that.  All of these are welcome.
> 
> It's really interesting stuff. Still, I'm inclined to discourage giving the developer lots of knobs to turn.

I agree that having too many knobs will result in more misuses, but
FYI I found scrypt with its three knobs not flexible enough - I want
more knobs (specific ones) for some specific uses - well, or I'd have to
hard-code some changes, without supporting scrypt proper.

The solution may be in providing multiple interfaces (wrapper
functions?) to the password hashing scheme - and recommending that
people use the one with the lowest number of knobs that they need (we'll
provide sane defaults for the rest of the knobs then).

Alexander

From epixoip@bindshell.nl  Sam fÃ©v 16 23:27:16 2013 +0000
Return-Path: <epixoip@bindshell.nl>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 17932 invoked by uid 89); 16 Feb 2013 23:27:16 -0000
Received: by simscan 1.4.0 ppid: 17926, pid: 17928, t: 0.5974s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO dulcinea.bindshell.nl) (209.147.121.167)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 16 Feb 2013 23:27:16 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at bindshell.nl designates 209.147.121.167 as permitted sender)
Received: from [192.168.2.130] (nat.secure.la [173.160.144.193])
	by dulcinea.bindshell.nl (Postfix) with ESMTPSA id 883D93C1E13;
	Sat, 16 Feb 2013 15:13:04 -0800 (PST)
Message-ID: <512015B3.3030705@bindshell.nl>
Date: Sat, 16 Feb 2013 15:26:43 -0800
From: Jeremi Gosney <epixoip@bindshell.nl>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: Marsh Ray <maray@microsoft.com>
CC: Jens Christian Hillerup <jens@hillerup.net>, 
 Jens Steube <jens.steube@gmail.com>,
 "discussions@password-hashing.net" <discussions@password-hashing.net>
References: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com> <CAMGhuPFhk4tsmN0h5tcd8cFKhV6teeR9HFfKy4A42ypCP7yVQw@mail.gmail.com> <218AE73F98E99C4C98AF7D5166AA798E09036F40@TK5EX14MBXC286.redmond.corp.microsoft.com>
In-Reply-To: <218AE73F98E99C4C98AF7D5166AA798E09036F40@TK5EX14MBXC286.redmond.corp.microsoft.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [PHC] Different cost settings and optional input

On 2/16/2013 2:51 PM, Marsh Ray wrote:
>> -----Original Message-----
>> From: jenschristian@gmail.com [mailto:jenschristian@gmail.com] On Behalf
>>
>> However, this attack is not that important I'd argue, because if two equal
>> passwords *exist* it is likely that that password is in some dictionary anyway,
>> or that they originate from the same person.
> A grand total of 38 of the top 100 passwords did not appear in the Twitter blacklist.
> Solar would probably have a better sense of things, but my feeling is that probably of all the passwords that have been chosen by exactly two users independently, most of them are not in a dictionary.

There was at least a 21% overlap between LinkedIn passwords, and
passwords leaked on other sites. And an additional 31%+ were simple
permutations of passwords used on other sites (e.g., + 1.)  Just
something to think about.

> I've tried to convince people of the merits of the following scheme:
> Use a fixed salt 

Fixed salts would give the attacker an advantage, and ultimately defeat
the purpose of salting.

> or otherwise allow the comparison of hashes.
> Maintain a dictionary or other database of 'seen' hashes across all users. 

This could easily backfire on you. Any mechanism you employ that enables
you to know if two users have the same password, will also enable an
attacker to know if two users have the same password. Building a
dictionary for the defender also builds a dictionary for the attacker.

> Incorporate the latest breaches into your dictionary.

We recently helped a customer implement this functionality, except the
check is done against the blacklist before hashing, not after. If the
user selects a password that has been compromised on another website,
the password is simply rejected and the user is told to select another
password.

This check is also performed upon authentication as well (again,
pre-hashing), so that the next time the user authenticates, they are
notified that their password has been compromised on another site, and
are prompted to reset their password.

Thankfully we are not on the hook for maintaining this blacklist though.

> If new user B selects a password (or it appears in a new breach) that is the same as existing user A, force B to select another one and immediately *disable* user A until A successfully performs a password reset operation.
>
> No one seems to care much for this proposal though :-)

Yes, I can see how that proposal would not be very popular :)

Jeremi

From Jeffrey@goldmark.org  Dim fÃ©v 17 06:45:22 2013 +0000
Return-Path: <Jeffrey@goldmark.org>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 8334 invoked by uid 89); 17 Feb 2013 06:45:21 -0000
Received: by simscan 1.4.0 ppid: 8328, pid: 8330, t: 0.2614s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.3 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO out1-smtp.messagingengine.com) (66.111.4.25)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 17 Feb 2013 06:45:21 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at goldmark.org designates 66.111.4.25 as permitted sender)
Received: from compute1.internal (compute1.nyi.mail.srv.osa [10.202.2.41])
	by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id 40EF220915;
	Sun, 17 Feb 2013 01:45:20 -0500 (EST)
Received: from frontend2.nyi.mail.srv.osa ([10.202.2.161])
  by compute1.internal (MEProxy); Sun, 17 Feb 2013 01:45:20 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=goldmark.org; h=
	content-type:mime-version:subject:from:in-reply-to:date:cc
	:content-transfer-encoding:message-id:references:to; s=mesmtp;
	 bh=vBFV5MQ+JeS5f3YiZk0kYfDsSeI=; b=QzgKLYyPh+cjGlSIjv5MoxaG/qOK
	RP0LhU4mGZwHayVqctsrBYQrerp+c1SV3xLzHTCMnJwq1t/a419cvMM6yLOJtCNX
	ldUIYNUEDr2HBvtwIoW9yQtZWxtEkMyM36tSvHUT5gCk93RV6RFYYOWA8GozU60T
	92XCmA0jxPLg7Ps=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
	messagingengine.com; h=content-type:mime-version:subject:from
	:in-reply-to:date:cc:content-transfer-encoding:message-id
	:references:to; s=smtpout; bh=vBFV5MQ+JeS5f3YiZk0kYfDsSeI=; b=RD
	sBfcuXIjP+aNryU0n38l1TtfYrPM4k1zyFfnajOFK6mrZo4JY81KGeZCCwhndrCr
	S/KsM60HaOykU5or4zldpD9rG1sGR5czi0fyRAT8DQ32yynFEhSOqujhAD36xkjU
	2T93h6kjJo0vmQBxbwMJhdD4QW+kEm3WYeB7u5v1Y=
X-Sasl-enc: I9Olj1FxmTa8zX/+YfeQxMmEIbC4QPh3ve5N1etJYf3E 1361083519
Received: from olympe.ewd.goldmark.org (unknown [72.64.118.114])
	by mail.messagingengine.com (Postfix) with ESMTPA id C3B2B482627;
	Sun, 17 Feb 2013 01:45:19 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Jeffrey Goldberg <Jeffrey@goldmark.org>
In-Reply-To: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz>
Date: Sun, 17 Feb 2013 00:45:16 -0600
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Content-Transfer-Encoding: quoted-printable
Message-Id: <061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org>
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz>
To: "discussions@password-hashing.net" <discussions@password-hashing.net>
X-Mailer: Apple Mail (2.1499)
Subject: Re: [PHC] Any "large verifiers" on the panel?

On 2013-02-16, at 10:34 PM, Peter Gutmann <pgut001@cs.auckland.ac.nz> =
wrote:

> Jeffrey Goldberg <Jeffrey@goldmark.org> writes:
>=20
>> Basically, it would be really sucky to settle upon a winner and then =
have
>> sites and services say, "we won't use that because we can't manage =
our
>> verification costs the way we need to."
>=20
> This is why I asked for an asymmetric option for the CFP, alongside =
the O( n )
> everywhere for smaller sites we also need an O( 1 ) on the server, O( =
n ) on
> the client for larger users, so some sort of trapdoor-function =
iterated-
> hashing mechaism perhaps.

I am neither a cryptographer nor a hacker, so forgive me if this =
question
is naive. Any asymmetric scheme will require some secret key to be =
available to
the legitimate verifier at verification time (right?). And if so, =
shouldn't we=20
expect that the same compromises that would get the password hashes =
would also get
at that secret?

If there is something that I'm missing here, please feel free to point =
me toward what
I should be reading.

Thanks!

-j


From maray@microsoft.com  Dim fÃ©v 17 07:18:24 2013 +0000
Return-Path: <maray@microsoft.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 9600 invoked by uid 89); 17 Feb 2013 07:18:24 -0000
Received: by simscan 1.4.0 ppid: 9594, pid: 9596, t: 1.2823s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.3 required=4.0 tests=AWL,RDNS_NONE,SARE_MILLIONSOF
	autolearn=no version=3.2.5
Received: from unknown (HELO na01-by2-obe.outbound.protection.outlook.com) (unknown@207.46.100.31)
  by qmailtoaster.cryptyx.com with (AES128-SHA encrypted) SMTP; 17 Feb 2013 07:18:22 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at spfa.frontbridge.com designates 207.46.100.31 as permitted sender)
Received: from BY2FFO11FD022.protection.gbl (10.1.15.201) by
 BY2FFO11HUB021.protection.gbl (10.1.14.108) with Microsoft SMTP Server (TLS)
 id 15.0.620.12; Sun, 17 Feb 2013 07:18:18 +0000
Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (131.107.125.37) by
 BY2FFO11FD022.mail.protection.outlook.com (10.1.15.211) with Microsoft SMTP
 Server (TLS) id 15.0.620.12 via Frontend Transport; Sun, 17 Feb 2013 07:18:18
 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.12]) by
 TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id
 14.02.0318.003; Sun, 17 Feb 2013 07:18:16 +0000
From: Marsh Ray <maray@microsoft.com>
To: Jeremi Gosney <epixoip@bindshell.nl>
CC: Jens Christian Hillerup <jens@hillerup.net>, Jens Steube
	<jens.steube@gmail.com>, "discussions@password-hashing.net"
	<discussions@password-hashing.net>
Thread-Topic: [PHC] Different cost settings and optional input
Thread-Index: AQHODDf2ibioHMamr0O0QaBrexsptJh8XUUAgAC1qGCAAA7LgIAAd8hg
Date: Sun, 17 Feb 2013 07:18:15 +0000
Message-ID: <218AE73F98E99C4C98AF7D5166AA798E09036FB7@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com>
 <CAMGhuPFhk4tsmN0h5tcd8cFKhV6teeR9HFfKy4A42ypCP7yVQw@mail.gmail.com>
 <218AE73F98E99C4C98AF7D5166AA798E09036F40@TK5EX14MBXC286.redmond.corp.microsoft.com>
 <512015B3.3030705@bindshell.nl>
In-Reply-To: <512015B3.3030705@bindshell.nl>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.32]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report:
 CIP:131.107.125.37;CTRY:US;IPV:CAL;IPV:NLI;EFV:NLI;SFV:NSPM;SFS:(13464002)(69234002)(189002)(199002)(15594001)(52314002)(51704002)(561944001)(46406002)(55846006)(20776003)(23726001)(31966008)(44976002)(79102001)(54356001)(74662001)(46102001)(551544001)(47776003)(74502001)(16406001)(47446002)(63696002)(53806001)(66066001)(65816001)(51856001)(77982001)(59766001)(80022001)(33656001)(54316002)(50986001)(47736001)(47976001)(49866001)(56816002)(4396001)(50466001)(56776001)(76482001)(550254004);DIR:OUT;SFP:;SCL:1;SRVR:BY2FFO11HUB021;H:TK5EX14MLTC104.redmond.corp.microsoft.com;RD:InfoDomainNonexistent;MX:1;A:1;LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 07607ED19A
Subject: RE: [PHC] Different cost settings and optional input

> -----Original Message-----
> From: Solar Designer [mailto:solar@openwall.com]
> We may have a chicken-egg problem here.  If there's an elegant and compac=
t
> PHC submission that possesses some of these optional extra features,
> _then_ maybe they'd become reasonable to use and popular.

Yeah, good point.

> That said, I agree that many/most PHC submissions may be simple ones,
> without the extras, and we're likely to favor them for the simplicity.

> Are we going to be awarding points at all?  Is this how we'll be determin=
ing
> the winner(s)?  Maybe, or maybe not.

I have no idea, except that fairness requires us to document the criteria a=
s well as possible in advance.

It may be that, like the SHA-3 competition, we learn a lot during the proce=
ss itself. Therefore, having multiple rounds of the competition will be imp=
ortant.

> I agree that having too many knobs will result in more misuses, but FYI I
> found scrypt with its three knobs not flexible enough - I want more knobs
> (specific ones) for some specific uses - well, or I'd have to hard-code s=
ome
> changes, without supporting scrypt proper.

It may be that you dealing with specialized uses and thus not really the ta=
rget audience for the recommended result of the PHC :-)

> The solution may be in providing multiple interfaces (wrapper
> functions?) to the password hashing scheme - and recommending that
> people use the one with the lowest number of knobs that they need (we'll
> provide sane defaults for the rest of the knobs then).

I'll probably be saying this often: I think the biggest challenge initially=
 is just defining a model where we can evaluate the effectiveness of the kn=
obs that we *can* reasonably define the behavior of. E.g., CPU-hard, RAM-si=
ze-hard, RAM-latency-hard, GPU-unfriendly, FPGA-unfriendly, ASIC-unfriendly=
 and all this relative to defender's-hardware-friendly.

We may end up having to define some of this in terms of assumptions about t=
he defender's hardware.


> -----Original Message-----
> From: Jeremi Gosney [mailto:epixoip@bindshell.nl]
>=20
> Yes, I can see how that proposal would not be very popular :)

It was more of a thought experiment, but hopefully not one completely disco=
nnected to reality.

My impression is about half the users can be expected to choose one of the =
top 10000 most common passwords. 10k trials takes, what, microseconds on a =
single GPU? Take the LinkedIn breach for example: millions of unsalted SHA-=
1 hashes. About half were cracked in the first few minutes to a day. The ne=
xt batch to 70-80% took a few weeks. Probably 10-5% will never be cracked.

Salting for Linkedin would have increased the difficulty for the attackers =
*hardly at all*. GPU cracking has gotten so fast that precomputed rainbow t=
ables often not even worth the trouble. When you can compute Gigahashes per=
 second on a single video card, a dictionary proves to be more trouble than=
 it's worth for the initial pass.

Sure LinkedIn could have imposed a reasonable work factor...but how many mo=
re servers are they willing to deploy to handle on the massive number of lo=
gins they process?

So if a defender said "forget the salt...we'll thwart dictionary attacks by=
 preventing duplicate passwords", could he possibly be better off with this=
 strategy?

This alternate non-salt solution to the problem of preventing precomputatio=
n and observing duplicate passwords simply ensures that duplicate passwords=
 (and those appearing in other breaches) are not allowed. This is a 'tough =
love' policy applied to the users because it means they can't register twic=
e with the same password. But that's not a serious problem is it? The user =
could just append their username and it's probably against the ToS anyway, =
right? The users' credentials are probably far more at risk because he uses=
 the same password on multiple sites (like Linkedin).

But when new user B independently chooses existing user A's password, we kn=
ow two things: that the password is not unguessable and probably worth addi=
ng to a dictionary. We can't allow B to use it. We also have informed B tha=
t some user account has that password, and so to protect A we need to disab=
le him until he chooses another one via a second factor of authentication (=
could be as simple as the 'forgot my password' email reset process).

So...salts aren't always be the big win they look like on paper because cra=
cking tools have gotten far more faster than users have gotten better at ge=
nerating and remembering entropic strings.

Again, it's a thought experiment.

- Marsh


From maray@microsoft.com  Dim fÃ©v 17 07:29:42 2013 +0000
Return-Path: <maray@microsoft.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 10029 invoked by uid 89); 17 Feb 2013 07:29:41 -0000
Received: by simscan 1.4.0 ppid: 10023, pid: 10025, t: 0.4263s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO na01-bl2-obe.outbound.protection.outlook.com) (unknown@65.55.169.32)
  by qmailtoaster.cryptyx.com with (AES128-SHA encrypted) SMTP; 17 Feb 2013 07:29:41 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at spfb.frontbridge.com designates 65.55.169.32 as permitted sender)
Received: from BL2FFO11FD012.protection.gbl (10.173.161.201) by
 BL2FFO11HUB039.protection.gbl (10.173.160.245) with Microsoft SMTP Server
 (TLS) id 15.0.620.12; Sun, 17 Feb 2013 07:29:27 +0000
Received: from TK5EX14MLTC102.redmond.corp.microsoft.com (131.107.125.37) by
 BL2FFO11FD012.mail.protection.outlook.com (10.173.161.18) with Microsoft SMTP
 Server (TLS) id 15.0.620.12 via Frontend Transport; Sun, 17 Feb 2013 07:29:27
 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.12]) by
 TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id
 14.02.0318.003; Sun, 17 Feb 2013 07:29:26 +0000
From: Marsh Ray <maray@microsoft.com>
To: Jeffrey Goldberg <Jeffrey@goldmark.org>,
	"discussions@password-hashing.net" <discussions@password-hashing.net>
CC: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Thread-Topic: [PHC] Any "large verifiers" on the panel?
Thread-Index: AQHODNpY+fzqBOvqYEiTJC9VG1K/qJh9pHYA
Date: Sun, 17 Feb 2013 07:29:24 +0000
Message-ID: <218AE73F98E99C4C98AF7D5166AA798E09036FCB@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz>
 <061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org>
In-Reply-To: <061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.32]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report:
 CIP:131.107.125.37;CTRY:US;IPV:CAL;IPV:NLI;EFV:NLI;SFV:NSPM;SFS:(52044001)(13464002)(189002)(51704002)(199002)(56776001)(33656001)(47736001)(50466001)(56816002)(49866001)(4396001)(51856001)(63696002)(50986001)(47976001)(55846006)(20776003)(16406001)(76482001)(59766001)(46406002)(77982001)(65816001)(47446002)(74502001)(80022001)(74662001)(46102001)(54316002)(53806001)(551544001)(23726001)(79102001)(31966008)(54356001)(47776003)(44976002)(66066001);DIR:OUT;SFP:;SCL:1;SRVR:BL2FFO11HUB039;H:TK5EX14MLTC102.redmond.corp.microsoft.com;RD:InfoDomainNonexistent;MX:1;A:1;LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 07607ED19A
Subject: RE: [PHC] Any "large verifiers" on the panel?

> -----Original Message-----
>=20
> I am neither a cryptographer nor a hacker, so forgive me if this question=
 is
> naive. Any asymmetric scheme will require some secret key to be available=
 to
> the legitimate verifier at verification time (right?). And if so, shouldn=
't we
> expect that the same compromises that would get the password hashes
> would also get at that secret?
>=20
> If there is something that I'm missing here, please feel free to point me
> toward what I should be reading.

It doesn't matter that you're not a cryptographer, you're right on the mone=
y from a common-sense practical perspective.

Encryption is a device for converting a plaintext secrecy problem into a se=
cret key management problem. Keys are usually much smaller than plaintexts =
and you can distribute them ahead of time, so this is sometimes a very usef=
ul trade to make.

But if you still need the key live and accessible to the online service, yo=
u've still got basically the same exposure. HSMs (hardware security modules=
) are sometimes a good way to keep a secret key and use it too. However, th=
ey're still just a computer at heart have to be willing to follow external =
instructions from on-line systems. For example, Comodo and DigiNotar had th=
eir private keys in an HSM and yet the attacker was still able to accomplis=
h his goals by forging requests that the HSM was obliged to obey.

- Marsh

From maray@microsoft.com  Dim fÃ©v 17 07:45:16 2013 +0000
Return-Path: <maray@microsoft.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 10652 invoked by uid 89); 17 Feb 2013 07:45:15 -0000
Received: by simscan 1.4.0 ppid: 10645, pid: 10648, t: 0.6073s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO na01-by2-obe.outbound.protection.outlook.com) (unknown@207.46.100.29)
  by qmailtoaster.cryptyx.com with (AES128-SHA encrypted) SMTP; 17 Feb 2013 07:45:15 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at spfa.frontbridge.com designates 207.46.100.29 as permitted sender)
Received: from BL2FFO11FD020.protection.gbl (10.173.161.202) by
 BL2FFO11HUB034.protection.gbl (10.173.161.114) with Microsoft SMTP Server
 (TLS) id 15.0.620.12; Sun, 17 Feb 2013 07:45:10 +0000
Received: from TK5EX14HUBC101.redmond.corp.microsoft.com (131.107.125.37) by
 BL2FFO11FD020.mail.protection.outlook.com (10.173.161.38) with Microsoft SMTP
 Server (TLS) id 15.0.620.12 via Frontend Transport; Sun, 17 Feb 2013 07:45:10
 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.12]) by
 TK5EX14HUBC101.redmond.corp.microsoft.com ([157.54.7.153]) with mapi id
 14.02.0318.003; Sun, 17 Feb 2013 07:45:08 +0000
From: Marsh Ray <maray@microsoft.com>
To: Jeffrey Goldberg <Jeffrey@goldmark.org>,
	"discussions@password-hashing.net" <discussions@password-hashing.net>
Thread-Topic: [PHC] Any "large verifiers" on the panel?
Thread-Index: AQHODF6l+fzqBOvqYEiTJC9VG1K/qJh9qGZw
Date: Sun, 17 Feb 2013 07:45:08 +0000
Message-ID: <218AE73F98E99C4C98AF7D5166AA798E09036FE5@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <49646EF5-3F83-45A8-89CD-B444143EBDB9@goldmark.org>
In-Reply-To: <49646EF5-3F83-45A8-89CD-B444143EBDB9@goldmark.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.37]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report:
 CIP:131.107.125.37;CTRY:US;IPV:CAL;IPV:NLI;EFV:NLI;SFV:NSPM;SFS:(13464002)(51704002)(60454001)(377454001)(199002)(189002)(49866001)(50986001)(47976001)(50466001)(23726001)(46406002)(47736001)(4396001)(79102001)(55846006)(76482001)(77982001)(59766001)(51856001)(54356001)(53806001)(80022001)(46102001)(66066001)(63696002)(65816001)(16406001)(20776003)(47776003)(5343645001)(56776001)(33656001)(56816002)(31966008)(54316002)(74662001)(551544001)(44976002)(74502001)(47446002);DIR:OUT;SFP:;SCL:1;SRVR:BL2FFO11HUB034;H:TK5EX14HUBC101.redmond.corp.microsoft.com;RD:InfoDomainNonexistent;A:1;MX:1;LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 07607ED19A
Subject: RE: [PHC] Any "large verifiers" on the panel?

> -----Original Message-----
> From: Jeffrey Goldberg [mailto:Jeffrey@goldmark.org]
> Sent: Saturday, February 16, 2013 10:00 AM
> To: discussions@password-hashing.net
> Subject: [PHC] Any "large verifiers" on the panel?
>=20
> I'm not familiar with everyone on the panel, but I think it would be usef=
ul to
> have someone with an understanding of having to deal with a large number
> of legitimate authentication sessions.

I'm with PhoneFactor, we're a two-factor authentication company recently ac=
quired by Microsoft.

While I'm not at liberty to disclose the exact number of password authentic=
ations we process, I can say that it really comes down to deciding how much=
 CPU load you're willing to put on the system. Many systems, you specify a =
password only once to login, and everything after that is done with cookies=
. So even a very high work factor setting may not represent a noticeable hi=
t on overall server load.

In my case, as a developer, I basically used my knowledge of our workload a=
nd said "Hmm I think I could get away with burning NNN milliseconds on each=
 password validation", so I set the CPU work factor there (pretty high). Ou=
r operations staff has yet to notice or complain, but it will ultimately re=
sult in us needing more servers as we work frantically to scale up to "Micr=
osoft scale".

Another anecdote comes from Moxie Marlinspike when he was at Twitter. We we=
re discussing memory-hard password hashing functions, and his response was =
to the effect of "yeah we would definitely not be able to handle near as ma=
ny simultaneous auths as we do now if the shared memory bus of the multicor=
e server were constantly saturated."

- Marsh

From trevp@trevp.net  Dim fÃ©v 17 08:00:33 2013 +0000
Return-Path: <trevp@trevp.net>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 11379 invoked by uid 89); 17 Feb 2013 08:00:33 -0000
Received: by simscan 1.4.0 ppid: 11373, pid: 11375, t: 0.3364s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: *
X-Spam-Status: No, score=1.5 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-we0-f179.google.com) (74.125.82.179)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 17 Feb 2013 08:00:33 -0000
Received-SPF: none (qmailtoaster.cryptyx.com: domain at trevp.net does not designate permitted sender hosts)
Received: by mail-we0-f179.google.com with SMTP id p43so2180267wea.24
        for <discussions@password-hashing.net>; Sun, 17 Feb 2013 00:00:32 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:cc:content-type:x-gm-message-state;
        bh=tJAXGg5n5WbJRGQ7XBDsFzlso57OHi7Pnmfi3w+aiBQ=;
        b=jNOXfcTh/WIbbW3HxvY+zAt6s0XmDnIhGGKoNFGfpFpGf3+G+hq6oor3qo7jGMyRE/
         G5r91hQmNmFQmvMkRR3KftQ2hh/El1ocHXh97191vb8Dwj9CamtbfoyZc5f4gwtCkikM
         NbfTvHXRvZZ2nlEXSsO+zm0/9bB+zvquD8+JNYbEOc2BKxPxEEPIuZcv3Hqy3+s2JOTi
         tQezaKVPdBlA+x/2xKM0WjWT/vayrmp583lmGqrB7xFP1mrdtyQLGomliNymoYrT3zRi
         KWAc4LfS9MbI30UrE1Oh/aH3Hu6tz4x/LAHJg36NKIslR6qctSG5jb0l8UmqS0JAEXxH
         Zqyw==
MIME-Version: 1.0
X-Received: by 10.194.122.199 with SMTP id lu7mr12413156wjb.42.1361088032614;
 Sun, 17 Feb 2013 00:00:32 -0800 (PST)
Received: by 10.217.3.139 with HTTP; Sun, 17 Feb 2013 00:00:32 -0800 (PST)
X-Originating-IP: [66.127.230.131]
In-Reply-To: <218AE73F98E99C4C98AF7D5166AA798E09036FB7@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com>
	<CAMGhuPFhk4tsmN0h5tcd8cFKhV6teeR9HFfKy4A42ypCP7yVQw@mail.gmail.com>
	<218AE73F98E99C4C98AF7D5166AA798E09036F40@TK5EX14MBXC286.redmond.corp.microsoft.com>
	<512015B3.3030705@bindshell.nl>
	<218AE73F98E99C4C98AF7D5166AA798E09036FB7@TK5EX14MBXC286.redmond.corp.microsoft.com>
Date: Sun, 17 Feb 2013 00:00:32 -0800
Message-ID: <CAGZ8ZG0u5MbSD3dsthajNf41=UudT4fP5ky1RgiAk0aUSSHMTw@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Marsh Ray <maray@microsoft.com>
Cc: Jeremi Gosney <epixoip@bindshell.nl>, Jens Christian Hillerup <jens@hillerup.net>, 
	Jens Steube <jens.steube@gmail.com>, 
	"discussions@password-hashing.net" <discussions@password-hashing.net>
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQlWNbo8mFxeUsRjw8AEfNoi6Z2DBou8qVuK6Y6/uK8+Bk2Th8Zs2ZTLKqT6sYSVmrcV1IBh
Subject: Re: [PHC] Different cost settings and optional input

On Sat, Feb 16, 2013 at 11:18 PM, Marsh Ray <maray@microsoft.com> wrote:
>
>> Are we going to be awarding points at all?  Is this how we'll be determining
>> the winner(s)?  Maybe, or maybe not.
>
> I have no idea, except that fairness requires us to document the criteria as well as possible in advance.
>
> It may be that, like the SHA-3 competition, we learn a lot during the process itself. Therefore, having multiple rounds of the competition will be important.

To Marsh's point -

Would it be worth having quicker (and perhaps more) competition rounds?

The current timeline is:
 ~1 year for proposals
 ~1 more year for selection

If most submissions are built atop standard crypto, then extensive
cryptanalysis shouldn't be required.  I'd think the main effort will
be evaluating strategies for maximizing the attacker-hardness /
good-guy easiness ratio.

So might it be valuable to get some rough candidates quickly - perhaps
a "trial round" of submissions in 3 or 6 months, so people can get a
sense of the design space, and start developing evaluation metrics and
testbeds?


Trevor

From steve@tobtu.com  Dim fÃ©v 17 08:03:25 2013 +0000
Return-Path: <steve@tobtu.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 11592 invoked by uid 89); 17 Feb 2013 08:03:25 -0000
Received: by simscan 1.4.0 ppid: 11586, pid: 11588, t: 0.4558s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.4 required=4.0 tests=HTML_MESSAGE,RDNS_NONE,
	SARE_MILLIONSOF autolearn=no version=3.2.5
Received: from unknown (HELO mout.perfora.net) (74.208.4.194)
  by qmailtoaster.cryptyx.com with SMTP; 17 Feb 2013 08:03:25 -0000
Received-SPF: none (qmailtoaster.cryptyx.com: domain at tobtu.com does not designate permitted sender hosts)
Received: from oxuslxltgw00.lxa.perfora.net (oxuslxltgw00.lxa.perfora.net [172.19.206.3])
	by mrelay.perfora.net (node=mrus4) with ESMTP (Nemesis)
	id 0LkwUH-1UhPxu2SsH-00afRa; Sun, 17 Feb 2013 03:03:23 -0500
Date: Sun, 17 Feb 2013 02:03:23 -0600 (CST)
From: Steve Thomas <steve@tobtu.com>
Reply-To: Steve Thomas <steve@tobtu.com>
To: discussions@password-hashing.net
Message-ID: <1327961774.1027773.1361088203547.JavaMail.open-xchange@email.1and1.com>
In-Reply-To: <218AE73F98E99C4C98AF7D5166AA798E09036FB7@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com> <CAMGhuPFhk4tsmN0h5tcd8cFKhV6teeR9HFfKy4A42ypCP7yVQw@mail.gmail.com> <218AE73F98E99C4C98AF7D5166AA798E09036F40@TK5EX14MBXC286.redmond.corp.microsoft.com> <512015B3.3030705@bindshell.nl> <218AE73F98E99C4C98AF7D5166AA798E09036FB7@TK5EX14MBXC286.redmond.corp.microsoft.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; 
	boundary="----=_Part_1027772_1073501403.1361088203504"
X-Priority: 3
Importance: Medium
X-Mailer: Open-Xchange Mailer v6.20.7-Rev8
X-Provags-ID: V02:K0:1Par/w+DtZeDK7kbaLUZZ4dH+rbCR+Q4qsXpPN8uhpN
 hsJ2pTV5Ffbm7ky/mkYoHn3YNUgmiEMga9+sfvfnAgQca4JE5s
 ReeCpa0prg4SaqP4A6hMno93+SPS0mf1WB/ZiQeU+4B195f2Ks
 l3rMZS3AidF+5yBv2pKMsFYdNluAT/ozzVu8hFc7ltRMoG1nqI
 d3FI698OH47sE2Xi514Td+qt47cZxthCt+2rl+dnkrkv91ZlLp
 /feOX4nO5npWJ7+HARt8LODT2GtUebAqGn3tm35g+SM0ZIgVv1
 DaMNOcNqANM9aFqmEU48taDO+zvXklcDk6vhyBtY3NiIEa8QI0
 IiLoXXJujBt7Wjxn8ZxQGF3URN5byCnT97Na3kM9vsR28Zvi0Y
 15yqm/w5YyHp3wZ2DvZZVfCbkmdPZNGNXWYAzguaAWe4L3USiy
 gel09
Subject: RE: [PHC] Different cost settings and optional input

------=_Part_1027772_1073501403.1361088203504
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

On February 17, 2013 at 1:18 AM Marsh Ray <maray@microsoft.com> wrote:
> > -----Original Message-----
> > From: Jeremi Gosney [mailto:epixoip@bindshell.nl]
> >
> > Yes, I can see how that proposal would not be very popular :)
>
> It was more of a thought experiment, but hopefully not one completely
> disconnected to reality.
>
> My impression is about half the users can be expected to choose one of the top
> 10000 most common passwords. 10k trials takes, what, microseconds on a single
> GPU? Take the LinkedIn breach for example: millions of unsalted SHA-1 hashes.
> About half were cracked in the first few minutes to a day. The next batch to
> 70-80% took a few weeks. Probably 10-5% will never be cracked.
>
> Salting for Linkedin would have increased the difficulty for the attackers
> *hardly at all*. GPU cracking has gotten so fast that precomputed rainbow
> tables often not even worth the trouble. When you can compute Gigahashes per
> second on a single video card, a dictionary proves to be more trouble than
> it's worth for the initial pass.
>
6,458,020 unique SHA1s were leaked from LinkedIn. So let's assume you are right
on 50% cracked in one minute. If it was properly salted the best case is it will
take 3,229,010 minutes (6,458,020 * 50%) or about six years. Granted crackers
would be smarter on their guesses so it would be less than six years to crack
50%.

> Sure LinkedIn could have imposed a reasonable work factor...but how many more
> servers are they willing to deploy to handle on the massive number of logins
> they process?
>
New CPUs can do probably better than 133,000,000 SHA1s/second. Just doing 1,000
rounds using a parallel hashing algorithm would mean that each CPU in each
server could login 133,000 users/second.
------=_Part_1027772_1073501403.1361088203504
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"/>
 </head><body style="">
 
 
  <div>
   On February 17, 2013 at 1:18 AM Marsh Ray &#60;maray@microsoft.com&#62; wrote:
   <br/>&#62; &#62; -----Original Message-----
   <br/>&#62; &#62; From: Jeremi Gosney [mailto:epixoip@bindshell.nl]
   <br/>&#62; &#62;
   <br/>&#62; &#62; Yes, I can see how that proposal would not be very popular :)
   <br/>&#62;
   <br/>&#62; It was more of a thought experiment, but hopefully not one completely disconnected to reality.
   <br/>&#62;
   <br/>&#62; My impression is about half the users can be expected to choose one of the top 10000 most common passwords. 10k trials takes, what, microseconds on a single GPU? Take the LinkedIn breach for example: millions of unsalted SHA-1 hashes. About half were cracked in the first few minutes to a day. The next batch to 70-80% took a few weeks. Probably 10-5% will never be cracked.
   <br/>&#62;
   <br/>&#62; Salting for Linkedin would have increased the difficulty for the attackers *hardly at all*. GPU cracking has gotten so fast that precomputed rainbow tables often not even worth the trouble. When you can compute Gigahashes per second on a single video card, a dictionary proves to be more trouble than it&#39;s worth for the initial pass.
   <br/>&#62;
   <br/>6,458,020 unique SHA1s were leaked from LinkedIn. So let&#39;s assume you are right on 50% cracked in one minute. If it was properly salted the best case is it will take 3,229,010 minutes (6,458,020 * 50%) or about six years. Granted crackers would be smarter on their guesses so it would be less than six years to crack 50%.
   <br/>
   <br/>&#62; Sure LinkedIn could have imposed a reasonable work factor...but how many more servers are they willing to deploy to handle on the massive number of logins they process?
   <br/>&#62;
   <br/>New CPUs can do probably better than 133,000,000 SHA1s/second. Just doing 1,000 rounds using a parallel hashing algorithm would mean that each CPU in each server could login 133,000 users/second.
  </div>
 
</body></html>
------=_Part_1027772_1073501403.1361088203504--

From epixoip@bindshell.nl  Dim fÃ©v 17 08:21:34 2013 +0000
Return-Path: <epixoip@bindshell.nl>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 12342 invoked by uid 89); 17 Feb 2013 08:21:33 -0000
Received: by simscan 1.4.0 ppid: 12336, pid: 12338, t: 0.6938s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO dulcinea.bindshell.nl) (209.147.121.167)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 17 Feb 2013 08:21:33 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at bindshell.nl designates 209.147.121.167 as permitted sender)
Received: from [192.168.2.130] (nat.secure.la [173.160.144.193])
	by dulcinea.bindshell.nl (Postfix) with ESMTPSA id AAA2B3C1E13;
	Sun, 17 Feb 2013 00:07:20 -0800 (PST)
Message-ID: <512092E7.9020103@bindshell.nl>
Date: Sun, 17 Feb 2013 00:20:55 -0800
From: Jeremi Gosney <epixoip@bindshell.nl>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: Marsh Ray <maray@microsoft.com>
CC: Jens Christian Hillerup <jens@hillerup.net>, 
 Jens Steube <jens.steube@gmail.com>,
 "discussions@password-hashing.net" <discussions@password-hashing.net>
References: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com> <CAMGhuPFhk4tsmN0h5tcd8cFKhV6teeR9HFfKy4A42ypCP7yVQw@mail.gmail.com> <218AE73F98E99C4C98AF7D5166AA798E09036F40@TK5EX14MBXC286.redmond.corp.microsoft.com> <512015B3.3030705@bindshell.nl> <218AE73F98E99C4C98AF7D5166AA798E09036FB7@TK5EX14MBXC286.redmond.corp.microsoft.com>
In-Reply-To: <218AE73F98E99C4C98AF7D5166AA798E09036FB7@TK5EX14MBXC286.redmond.corp.microsoft.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [PHC] Different cost settings and optional input

On 2/16/2013 11:18 PM, Marsh Ray wrote:
> Salting for Linkedin would have increased the difficulty for the attackers *hardly at all*. [...] So...salts aren't always be the big win they look like on paper because cracking tools have gotten far more faster than users have gotten better at generating and remembering entropic strings.

False. Assuming a unique salt per user, salting would have slowed down
our attacks by a factor of 6.4 million. At the time that we were
cracking the LinkedIn hashes, I was pulling about 15.5 billion hashes
per second. With 6.4 million unique salts, I would have been reduced to
an effective rate of about 2.4 *thousand* per second.  At that rate it
would have taken over an hour and a half to just run through rockyou.txt
without any rules -- and 101 days just to run through rockyou.txt with
d3ad0ne.rule. Even with the GPU power that I have now (I can pull about
63 G/s with SHA-1) it still would take a full month to run through just
rockyou.txt with d3ad0ne.rule. And mind you, we have a *lot* more
horsepower than your typical password cracker.

That is what we call "crippling." A little salt goes a long way.

> GPU cracking has gotten so fast that precomputed rainbow tables often not even worth the trouble.

Agreed, but they are becoming more relevant now that we are able to
generate tables that are too large to distribute, and provide remote
chain lookups over the internet as a service. This is useful for lengths
that are too large to brute force in a reasonable amount of time, even
with lots of GPUs.

But rainbow tables is not what I had in mind when I said that using a
fixed salt defeats the purpose of salting. I meant you don't get the
benefit of dramatically slowing all other bulk attacks.

> When you can compute Gigahashes per second on a single video card, a dictionary proves to be more trouble than it's worth for the initial pass.

Well no, that's not true at all. We rely very heavily on our
dictionaries. Dictionary-based attacks are *always* the first pass --
and the second, and the third, and the fourth, and the fifth. All the
GPU means is that we can run more rule-based and hybrid attacks in a
shorter amount of time. Even with ungodly amounts of power, we rarely do
any brute forcing. And when we do, it's usually just for specific masks
and small keyspaces.

> So if a defender said "forget the salt...we'll thwart dictionary attacks by preventing duplicate passwords", could he possibly be better off with this strategy?

No. Just because you do not allow duplicate passwords on your site
doesn't mean these people aren't 1) re-using passwords on other sites,
and 2) aren't thinking like other people who use the same passwords on
other sites. People have been trained to pick passwords specific ways,
that's why the markov model works so well. If you prohibit people from
using Password1, they'll use Password!.  So if a straight dictionary
attack doesn't get the job done, a rule-based attack or hybrid attack
probably will.

> But when new user B independently chooses existing user A's password, we know two things: that the password is not unguessable and probably worth adding to a dictionary. We can't allow B to use it. We also have informed B that some user account has that password

Hmm, sounds like a great way for an attacker to start harvesting
passwords from a site without ever having to compromise it. ;)

Cheers,
Jeremi



From epixoip@bindshell.nl  Dim fÃ©v 17 08:31:00 2013 +0000
Return-Path: <epixoip@bindshell.nl>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 12875 invoked by uid 89); 17 Feb 2013 08:30:59 -0000
Received: by simscan 1.4.0 ppid: 12869, pid: 12871, t: 0.3679s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO dulcinea.bindshell.nl) (209.147.121.167)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 17 Feb 2013 08:30:59 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at bindshell.nl designates 209.147.121.167 as permitted sender)
Received: from [192.168.2.130] (nat.secure.la [173.160.144.193])
	by dulcinea.bindshell.nl (Postfix) with ESMTPSA id 62A093C1E13
	for <discussions@password-hashing.net>; Sun, 17 Feb 2013 00:16:47 -0800 (PST)
Message-ID: <5120951F.8000303@bindshell.nl>
Date: Sun, 17 Feb 2013 00:30:23 -0800
From: Jeremi Gosney <epixoip@bindshell.nl>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: discussions@password-hashing.net
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz> <061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org>
In-Reply-To: <061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [PHC] Any "large verifiers" on the panel?

On 2/16/2013 10:45 PM, Jeffrey Goldberg wrote:
> On 2013-02-16, at 10:34 PM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
>
>> Jeffrey Goldberg <Jeffrey@goldmark.org> writes:
>>
>>> Basically, it would be really sucky to settle upon a winner and then have
>>> sites and services say, "we won't use that because we can't manage our
>>> verification costs the way we need to."
>> This is why I asked for an asymmetric option for the CFP, alongside the O( n )
>> everywhere for smaller sites we also need an O( 1 ) on the server, O( n ) on
>> the client for larger users, so some sort of trapdoor-function iterated-
>> hashing mechaism perhaps.
> I am neither a cryptographer nor a hacker, so forgive me if this question
> is naive. Any asymmetric scheme will require some secret key to be available to
> the legitimate verifier at verification time (right?). And if so, shouldn't we 
> expect that the same compromises that would get the password hashes would also get
> at that secret?

Correct. You have to assume that if the passwords are compromised, the
encryption key is as well.

From jeffrey@goldmark.org  Dim fÃ©v 17 19:26:33 2013 +0000
Return-Path: <jeffrey@goldmark.org>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 12588 invoked by uid 89); 17 Feb 2013 19:26:33 -0000
Received: by simscan 1.4.0 ppid: 12581, pid: 12584, t: 0.5904s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.3 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO out1-smtp.messagingengine.com) (66.111.4.25)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 17 Feb 2013 19:26:32 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at goldmark.org designates 66.111.4.25 as permitted sender)
Received: from compute4.internal (compute4.nyi.mail.srv.osa [10.202.2.44])
	by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id 1DEF920665
	for <discussions@password-hashing.net>; Sun, 17 Feb 2013 14:26:31 -0500 (EST)
Received: from frontend1.nyi.mail.srv.osa ([10.202.2.160])
  by compute4.internal (MEProxy); Sun, 17 Feb 2013 14:26:31 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=goldmark.org; h=
	content-type:mime-version:subject:from:in-reply-to:date
	:content-transfer-encoding:message-id:references:to; s=mesmtp;
	 bh=K913WOIHPQR0XeGaiZKNjxoW6yg=; b=aEP+mBLH2+mRn3TvKhjn809y9vNv
	ZKJencNQYgLxuVklezBKLA8VloU4ML6geyeJvlCyPII5sZlMrsPBs2Siwr1M6uFR
	p8kL4L3lbNNVpC3LzGKMa5qaXJgLre7u1yRxvg9G+mQniSxgb1EbqG8/M7qJ/pTC
	t0/kJVg3u99iWNk=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
	messagingengine.com; h=content-type:mime-version:subject:from
	:in-reply-to:date:content-transfer-encoding:message-id
	:references:to; s=smtpout; bh=K913WOIHPQR0XeGaiZKNjxoW6yg=; b=Sw
	yPgqG4oVOCzyEyAtf9AC1OsI0L5BGmoaIQCHMxoiIqjQHeGKifUTPBp19yZDYbYK
	y138Rrckd/tAtc2dBpnNJtzWx2RbAL0woItkfEaSoO7PdUmxYsl5sNQB7LjaH5bu
	FFvXdzS/sAnn7ktaQ6ePOweuykIbmlItIvY242lhw=
X-Sasl-enc: apGhc12nnWZ6wQZhCY8TLstu3JIRaOc89MV9caZIys9+ 1361129190
Received: from olympe.ewd.goldmark.org (unknown [72.64.118.114])
	by mail.messagingengine.com (Postfix) with ESMTPA id C344D8E07FA
	for <discussions@password-hashing.net>; Sun, 17 Feb 2013 14:26:30 -0500 (EST)
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Jeffrey Goldberg <jeffrey@goldmark.org>
In-Reply-To: <5120951F.8000303@bindshell.nl>
Date: Sun, 17 Feb 2013 13:26:27 -0600
Content-Transfer-Encoding: quoted-printable
Message-Id: <98657C44-5C16-42A8-9892-DFF8623491C9@goldmark.org>
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz> <061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org> <5120951F.8000303@bindshell.nl>
To: "discussions@password-hashing.net" <discussions@password-hashing.net>
X-Mailer: Apple Mail (2.1499)
Subject: Re: [PHC] Asymmetry [Was: Any "large verifiers" on the panel?]

On 2013-02-17, at 2:30 AM, Jeremi Gosney <epixoip@bindshell.nl> wrote:

> On 2/16/2013 10:45 PM, Jeffrey Goldberg wrote:

>> shouldn't we expect that the same compromises that would get the
>> password hashes would also getat that secret?
>=20
> Correct. You have to assume that if the passwords are compromised, the
> encryption key is as well.

=46rom other responses (cf Marsh Ray) it seems that this really is the
assumption that is in (some) dispute. So here's my thinking on this
now (as opposed to a few hours ago when I posted my response to
Peter Gutmann).

We all know that we are talking about situations in which a server
gets compromised. And in principle, once a system is compromised
it's hard to trust anything about it. But it also seems that a case
can be made for saying that a small secret, which is only every
used for verification, can be protected better than a very large
database that may legitimate uses beyond authentication.

Some notation to make the following easier to talk about (at least
for me).  S is the server. k_S is this secret that S has access to
allowing S to verify passwords quickly instead of slowly. D_S is
the password-hash database.  Let R_k and R_D be the risks of exposure
of k_S and D_S. I'm not sure what units R should be measured in,
but we can leave that aside.

There are arguments that in practice R_k is substantially smaller
than R_D.  k_S is a small secret D_S is a big secret, so k_S can
be kept on an HSM.  D_S will be backed-up in less secure places
than k_S; There will be people and systems in the organization that
need access to D_S who will not need access to k_S.

We already assume that a compromise of S is not complete. After all
if S is completely compromised during a period of time, then client
credentials could simply be sniffed prior to verification.

Furthermore, there is uncertainty about R_D and R_k, and those risks
will change over time. Even if we argue today that R_k is isn't
substantially smaller than R_D, we don't know that that will remain
true tomorrow. New techniques (and attacks) for managing k_S will
emerge.

On the other hand, it is hard to get nice security proofs under
conditions of a compromised server.

Cheers,

-j










From patrick@patrickmn.com  Dim fÃ©v 17 19:46:34 2013 +0000
Return-Path: <patrick@patrickmn.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 13772 invoked by uid 89); 17 Feb 2013 19:46:34 -0000
Received: by simscan 1.4.0 ppid: 13765, pid: 13767, t: 0.3611s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=HTML_MESSAGE,RDNS_NONE
	autolearn=no version=3.2.5
Received: from unknown (HELO mail-wi0-f170.google.com) (209.85.212.170)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 17 Feb 2013 19:46:33 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.212.170 as permitted sender)
Received: by mail-wi0-f170.google.com with SMTP id hm11so3005330wib.5
        for <discussions@password-hashing.net>; Sun, 17 Feb 2013 11:46:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=patrickmylund.com; s=pmylund;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:cc:content-type;
        bh=KyR4O4QpUU9+p2gUrrCFi+CI6GU4g4e3nAS2sbqBA6s=;
        b=aNBVPtnSDSwcTZT5aittYLHl6jH3XwrBv/9cCJnO50xuhBkRjG5aqBT2aiUjIv0j6u
         us/ksxNEhiiJkAJRk2Xz6NXjNt03FfEjUxLJJRpivY2OKo8olHQXjuSVgjahLT0clg77
         wP1njbHCRzIcKqoypcYThGSjTVh6qWS1WA+MM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:cc:content-type:x-gm-message-state;
        bh=KyR4O4QpUU9+p2gUrrCFi+CI6GU4g4e3nAS2sbqBA6s=;
        b=MSfwL5uGAMPJ/gXeLwDH73jUba6Ixo5bHSp6RDmZMSf1fqoGwalZS7Jp4YWMINOgKh
         Nj+jFyyN/rGrnebuoAmPdL3MI3znargkR4y68cX3fEk6DDYXdXQMLvmBpYoAdPS1Zi/1
         Q9qo9WzfzNG3kIxn4ddpSyfE/iWpTflvKlZI34k3RBgU3IMsLh6pF4Eaj0zgUuT9FRZA
         +xAA9vxItL8y/0vM6GGoU2GUOi2vXZjPTZHIy9Qha7ZxiC5C6x+tWOLH45RTJ2RpO/5g
         d9BwDptk/3UYUu2AKbGQJHe49wK8Ml3xv0NcgdqK7vOuYCvYuJLStk/t8W8Ydy4X71ea
         /y1g==
MIME-Version: 1.0
X-Received: by 10.180.97.166 with SMTP id eb6mr16102529wib.20.1361130392982;
 Sun, 17 Feb 2013 11:46:32 -0800 (PST)
Received: by 10.194.35.196 with HTTP; Sun, 17 Feb 2013 11:46:32 -0800 (PST)
X-Originating-IP: [85.224.171.72]
In-Reply-To: <98657C44-5C16-42A8-9892-DFF8623491C9@goldmark.org>
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz>
	<061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org>
	<5120951F.8000303@bindshell.nl>
	<98657C44-5C16-42A8-9892-DFF8623491C9@goldmark.org>
Date: Sun, 17 Feb 2013 20:46:32 +0100
Message-ID: <CAEw2jfyq+Hdw+hk_UE3cYxvkTFjkuEkihfAH9goQx+9Qu+ohCw@mail.gmail.com>
From: Patrick Mylund Nielsen <patrick@patrickmylund.com>
To: Jeffrey Goldberg <jeffrey@goldmark.org>
Cc: "discussions@password-hashing.net" <discussions@password-hashing.net>
Content-Type: multipart/alternative; boundary=f46d0443066491167e04d5f0dd6a
X-Gm-Message-State: ALoCoQkGeMCf0MRUqjJBu4KtEXQoOhg+soJ5SZD5bsUjqU6P9IZ7HR1hZ5HWAkq2W5JjIoNS6h1T
Subject: Re: [PHC] Asymmetry [Was: Any "large verifiers" on the panel?]

--f46d0443066491167e04d5f0dd6a
Content-Type: text/plain; charset=UTF-8

>From a practical perspective, I'm highly skeptical that most users would
actually store such a secret differently/out of reach of an attacker. If
you've compromised the server, you almost certainly have access to any
secrets. Online attacks are problematic, but offline attacks are far worse.
If a scheme can't offer a decent amount of protection for the digests of
low-entropy passwords when they (and any secrets) are compromised, then it
is not very good, IMHO. That's not to say that having the ability to
leverage a HSM (if available) to make it even harder wouldn't be great
feature, of course. I just think that will be rare.

One notable exception to this that I can think of is if you e.g. have some
(possibly global) secret which is loaded from e.g. disk instead of the
database--then attackers who are only able to leverage a SQL injection
vulnerability would not be able to do much with the salt+digests from the
database.


On Sun, Feb 17, 2013 at 8:26 PM, Jeffrey Goldberg <jeffrey@goldmark.org>wrote:

> On 2013-02-17, at 2:30 AM, Jeremi Gosney <epixoip@bindshell.nl> wrote:
>
> > On 2/16/2013 10:45 PM, Jeffrey Goldberg wrote:
>
> >> shouldn't we expect that the same compromises that would get the
> >> password hashes would also getat that secret?
> >
> > Correct. You have to assume that if the passwords are compromised, the
> > encryption key is as well.
>
> From other responses (cf Marsh Ray) it seems that this really is the
> assumption that is in (some) dispute. So here's my thinking on this
> now (as opposed to a few hours ago when I posted my response to
> Peter Gutmann).
>
> We all know that we are talking about situations in which a server
> gets compromised. And in principle, once a system is compromised
> it's hard to trust anything about it. But it also seems that a case
> can be made for saying that a small secret, which is only every
> used for verification, can be protected better than a very large
> database that may legitimate uses beyond authentication.
>
> Some notation to make the following easier to talk about (at least
> for me).  S is the server. k_S is this secret that S has access to
> allowing S to verify passwords quickly instead of slowly. D_S is
> the password-hash database.  Let R_k and R_D be the risks of exposure
> of k_S and D_S. I'm not sure what units R should be measured in,
> but we can leave that aside.
>
> There are arguments that in practice R_k is substantially smaller
> than R_D.  k_S is a small secret D_S is a big secret, so k_S can
> be kept on an HSM.  D_S will be backed-up in less secure places
> than k_S; There will be people and systems in the organization that
> need access to D_S who will not need access to k_S.
>
> We already assume that a compromise of S is not complete. After all
> if S is completely compromised during a period of time, then client
> credentials could simply be sniffed prior to verification.
>
> Furthermore, there is uncertainty about R_D and R_k, and those risks
> will change over time. Even if we argue today that R_k is isn't
> substantially smaller than R_D, we don't know that that will remain
> true tomorrow. New techniques (and attacks) for managing k_S will
> emerge.
>
> On the other hand, it is hard to get nice security proofs under
> conditions of a compromised server.
>
> Cheers,
>
> -j
>
>
>
>
>
>
>
>
>
>

--f46d0443066491167e04d5f0dd6a
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">From a practical perspective, I&#39;m highly skeptical tha=
t most users would actually store such a secret differently/out of reach of=
 an attacker. If you&#39;ve compromised the server, you almost certainly ha=
ve access to any secrets.=C2=A0Online attacks are problematic, but offline =
attacks are far worse. If a scheme can&#39;t offer a decent amount of prote=
ction for the digests of low-entropy passwords when they (and any secrets) =
are compromised, then it is not very good, IMHO.=C2=A0That&#39;s not to say=
 that having the ability to leverage a HSM (if available) to make it even h=
arder wouldn&#39;t be great feature, of course. I just think that will be r=
are.<div>
<br></div><div>One notable exception to this that I can think of is if you =
e.g. have some (possibly global) secret which is loaded from e.g. disk inst=
ead of the database--then attackers who are only able to leverage a SQL inj=
ection vulnerability would not be able to do much with the salt+digests fro=
m the database.</div>
</div><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On Sun,=
 Feb 17, 2013 at 8:26 PM, Jeffrey Goldberg <span dir=3D"ltr">&lt;<a href=3D=
"mailto:jeffrey@goldmark.org" target=3D"_blank">jeffrey@goldmark.org</a>&gt=
;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">On 2013-02-17, at 2:30 AM, Jeremi Gosney &lt=
;<a href=3D"mailto:epixoip@bindshell.nl">epixoip@bindshell.nl</a>&gt; wrote=
:<br>

<br>
&gt; On 2/16/2013 10:45 PM, Jeffrey Goldberg wrote:<br>
<br>
&gt;&gt; shouldn&#39;t we expect that the same compromises that would get t=
he<br>
&gt;&gt; password hashes would also getat that secret?<br>
&gt;<br>
&gt; Correct. You have to assume that if the passwords are compromised, the=
<br>
&gt; encryption key is as well.<br>
<br>
>From other responses (cf Marsh Ray) it seems that this really is the<br>
assumption that is in (some) dispute. So here&#39;s my thinking on this<br>
now (as opposed to a few hours ago when I posted my response to<br>
Peter Gutmann).<br>
<br>
We all know that we are talking about situations in which a server<br>
gets compromised. And in principle, once a system is compromised<br>
it&#39;s hard to trust anything about it. But it also seems that a case<br>
can be made for saying that a small secret, which is only every<br>
used for verification, can be protected better than a very large<br>
database that may legitimate uses beyond authentication.<br>
<br>
Some notation to make the following easier to talk about (at least<br>
for me). =C2=A0S is the server. k_S is this secret that S has access to<br>
allowing S to verify passwords quickly instead of slowly. D_S is<br>
the password-hash database. =C2=A0Let R_k and R_D be the risks of exposure<=
br>
of k_S and D_S. I&#39;m not sure what units R should be measured in,<br>
but we can leave that aside.<br>
<br>
There are arguments that in practice R_k is substantially smaller<br>
than R_D. =C2=A0k_S is a small secret D_S is a big secret, so k_S can<br>
be kept on an HSM. =C2=A0D_S will be backed-up in less secure places<br>
than k_S; There will be people and systems in the organization that<br>
need access to D_S who will not need access to k_S.<br>
<br>
We already assume that a compromise of S is not complete. After all<br>
if S is completely compromised during a period of time, then client<br>
credentials could simply be sniffed prior to verification.<br>
<br>
Furthermore, there is uncertainty about R_D and R_k, and those risks<br>
will change over time. Even if we argue today that R_k is isn&#39;t<br>
substantially smaller than R_D, we don&#39;t know that that will remain<br>
true tomorrow. New techniques (and attacks) for managing k_S will<br>
emerge.<br>
<br>
On the other hand, it is hard to get nice security proofs under<br>
conditions of a compromised server.<br>
<br>
Cheers,<br>
<br>
-j<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</blockquote></div><br></div>

--f46d0443066491167e04d5f0dd6a--

From maray@microsoft.com  Dim fÃ©v 17 20:43:22 2013 +0000
Return-Path: <maray@microsoft.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 16262 invoked by uid 89); 17 Feb 2013 20:43:22 -0000
Received: by simscan 1.4.0 ppid: 16256, pid: 16258, t: 1.0707s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO na01-bl2-obe.outbound.protection.outlook.com) (unknown@65.55.169.26)
  by qmailtoaster.cryptyx.com with (AES128-SHA encrypted) SMTP; 17 Feb 2013 20:43:21 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at spfb.frontbridge.com designates 65.55.169.26 as permitted sender)
Received: from BL2FFO11FD006.protection.gbl (10.173.161.202) by
 BL2FFO11HUB038.protection.gbl (10.173.160.242) with Microsoft SMTP Server
 (TLS) id 15.0.620.12; Sun, 17 Feb 2013 20:43:07 +0000
Received: from TK5EX14HUBC103.redmond.corp.microsoft.com (131.107.125.37) by
 BL2FFO11FD006.mail.protection.outlook.com (10.173.161.2) with Microsoft SMTP
 Server (TLS) id 15.0.620.12 via Frontend Transport; Sun, 17 Feb 2013 20:43:06
 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.12]) by
 TK5EX14HUBC103.redmond.corp.microsoft.com ([157.54.86.9]) with mapi id
 14.02.0318.003; Sun, 17 Feb 2013 20:43:05 +0000
From: Marsh Ray <maray@microsoft.com>
To: Steve Thomas <steve@tobtu.com>, "discussions@password-hashing.net"
	<discussions@password-hashing.net>
Thread-Topic: [PHC] Different cost settings and optional input
Thread-Index: AQHODDf2ibioHMamr0O0QaBrexsptJh8XUUAgAC1qGCAAA7LgIAAd8hggAAYk4CAAM4Q4A==
Date: Sun, 17 Feb 2013 20:43:04 +0000
Message-ID: <218AE73F98E99C4C98AF7D5166AA798E090370DA@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com>
 <CAMGhuPFhk4tsmN0h5tcd8cFKhV6teeR9HFfKy4A42ypCP7yVQw@mail.gmail.com>
 <218AE73F98E99C4C98AF7D5166AA798E09036F40@TK5EX14MBXC286.redmond.corp.microsoft.com>
 <512015B3.3030705@bindshell.nl>
 <218AE73F98E99C4C98AF7D5166AA798E09036FB7@TK5EX14MBXC286.redmond.corp.microsoft.com>
 <1327961774.1027773.1361088203547.JavaMail.open-xchange@email.1and1.com>
In-Reply-To: <1327961774.1027773.1361088203547.JavaMail.open-xchange@email.1and1.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.34]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Forefront-Antispam-Report:
 CIP:131.107.125.37;CTRY:US;IPV:CAL;IPV:NLI;EFV:NLI;SFV:NSPM;SFS:(24454001)(377454001)(199002)(51704002)(189002)(65816001)(74502001)(47446002)(77982001)(59766001)(5343645001)(31966008)(79102001)(66066001)(80022001)(44976002)(47776003)(54356001)(23676001)(46102001)(53806001)(551544001)(54316002)(74662001)(50466001)(5343635001)(56816002)(49866001)(47736001)(33656001)(56776001)(16406001)(47976001)(63696002)(50986001)(55846006)(20776003)(4396001)(51856001)(76482001);DIR:OUT;SFP:;SCL:1;SRVR:BL2FFO11HUB038;H:TK5EX14HUBC103.redmond.corp.microsoft.com;RD:InfoDomainNonexistent;A:1;MX:1;LANG:;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 07607ED19A
Subject: RE: [PHC] Different cost settings and optional input

RnJvbTogU3RldmUgVGhvbWFzIFttYWlsdG86c3RldmVAdG9idHUuY29tXSANClNlbnQ6IFN1bmRh
eSwgRmVicnVhcnkgMTcsIDIwMTMgMjowMyBBTQ0KVG86IGRpc2N1c3Npb25zQHBhc3N3b3JkLWhh
c2hpbmcubmV0DQpTdWJqZWN0OiBSRTogW1BIQ10gRGlmZmVyZW50IGNvc3Qgc2V0dGluZ3MgYW5k
IG9wdGlvbmFsIGlucHV0Ni41OA0KDQpPbiBGZWJydWFyeSAxNywgMjAxMyBhdCAxOjE4IEFNIE1h
cnNoIFJheSA8bWFyYXlAbWljcm9zb2Z0LmNvbT4gd3JvdGU6IA0KPg0KPiAgNiw0NTgsMDIwIHVu
aXF1ZSBTSEExcyB3ZXJlIGxlYWtlZCBmcm9tIExpbmtlZEluLiBTbyBsZXQncyBhc3N1bWUgeW91
IGFyZSByaWdodCBvbiA1MCUgY3JhY2tlZCBpbiBvbmUgbWludXRlLiBJZiBpdCB3YXMgcHJvcGVy
bHkgc2FsdGVkIHRoZSBiZXN0IGNhc2UgaXMgaXQgd2lsbCB0YWtlIDMsMjI5LDAxMCBtaW51dGVz
ICg2LDQ1OCwwMjAgKiA1MCUpIG9yIGFib3V0IHNpeCB5ZWFycy4gR3JhbnRlZCBjcmFja2VycyB3
b3VsZCBiZSBzbWFydGVyIG9uIHRoZWlyIGd1ZXNzZXMgc28gaXQgd291bGQgYmUgbGVzcyB0aGFu
IHNpeCB5ZWFycyB0byBjcmFjayA1MCUuDQoNCjUwJSBvZiB0aGUgdXNlcnMgc2VsZWN0ZWQgb25l
IG9mIHRoZSBOXzUwIG1vc3QgY29tbW9uIHBhc3N3b3Jkcy4gSSdtIGd1ZXNzaW5nIE5fNTAgaXMg
d2VsbCB1bmRlciAxMDAsMDAwLg0KDQpTbyBhbiBhdHRhY2tlciB3aG8gd2FzIGFmdGVyIHRoZSBt
b3N0IG51bWJlciBvZiBwYXNzd29yZHMgd291bGQgdHJ5IHRoZSBtb3N0IGNvbW1vbiBOXzUwIGFn
YWluc3QgZWFjaCBoYXNoIGluIHR1cm4uDQoNCk5fNTAgPSAxMDAsMDAwDQoNCkF0dGFja2VyIEhw
cyA9IDEwZTkgc2hhMS9zDQoNCk5vdCBzYWx0ZWQ6IE5fNTAgc2hhMSAvIEhwcyA9IDEwIG1zIHRv
IGNyYWNrIDUwJSBvZiBwYXNzd29yZHMNCg0KU2FsdGVkOiBOXzUwKjY0NTgwMjAgPSA2NS44ZTkg
c2hhMSAvIEhwcyA9IDYuNTggcyB0byBjcmFjayA1MCUgb2YgcGFzc3dvcmRzIChwbHVzIDEwIG1z
IHRvIGJ1aWxkIHRoZSBkaWN0aW9uYXJ5KQ0KDQpTbyBzYWx0aW5nIG1lYW5zIHRoZSBzaW5nbGUt
R1BVIGF0dGFja2VyIHJlcXVpcmVzIDYuNTggcyBpbnN0ZWFkIG9mIDEwIG1zLg0KDQpBbSBJIHdy
b25nIGluIG15IGVzdGltYXRlIG9mIE5fNTA/IEkgZ290IHRoZSBpbXByZXNzaW9uIGZyb20gcHJl
dmlvdXMgYnJlYWNoZXMgdGhhdCBpdCB3YXMgdHlwaWNhbGx5IG1vcmUgbGlrZSAxMCwwMDAuIFdo
YXQgYW0gSSBtaXNzaW5nPw0KDQotIE1hcnNoDQoNCg==

From steve@tobtu.com  Dim fÃ©v 17 22:35:37 2013 +0000
Return-Path: <steve@tobtu.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 21325 invoked by uid 89); 17 Feb 2013 22:35:37 -0000
Received: by simscan 1.4.0 ppid: 21316, pid: 21319, t: 0.5220s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.3 required=4.0 tests=AWL,HTML_MESSAGE,RDNS_NONE
	autolearn=no version=3.2.5
Received: from unknown (HELO mout.perfora.net) (74.208.4.194)
  by qmailtoaster.cryptyx.com with SMTP; 17 Feb 2013 22:35:37 -0000
Received-SPF: none (qmailtoaster.cryptyx.com: domain at tobtu.com does not designate permitted sender hosts)
Received: from oxuslxltgw04.lxa.perfora.net (oxuslxltgw04.lxa.perfora.net [172.19.206.6])
	by mrelay.perfora.net (node=mrus3) with ESMTP (Nemesis)
	id 0Lq9c0-1UkvMU3ZGy-00eEXn; Sun, 17 Feb 2013 17:35:34 -0500
Date: Sun, 17 Feb 2013 16:35:34 -0600 (CST)
From: Steve Thomas <steve@tobtu.com>
Reply-To: Steve Thomas <steve@tobtu.com>
To: discussions@password-hashing.net
Message-ID: <864334016.1013891.1361140534785.JavaMail.open-xchange@email.1and1.com>
In-Reply-To: <218AE73F98E99C4C98AF7D5166AA798E090370DA@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com> <CAMGhuPFhk4tsmN0h5tcd8cFKhV6teeR9HFfKy4A42ypCP7yVQw@mail.gmail.com> <218AE73F98E99C4C98AF7D5166AA798E09036F40@TK5EX14MBXC286.redmond.corp.microsoft.com> <512015B3.3030705@bindshell.nl> <218AE73F98E99C4C98AF7D5166AA798E09036FB7@TK5EX14MBXC286.redmond.corp.microsoft.com> <1327961774.1027773.1361088203547.JavaMail.open-xchange@email.1and1.com> <218AE73F98E99C4C98AF7D5166AA798E090370DA@TK5EX14MBXC286.redmond.corp.microsoft.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; 
	boundary="----=_Part_1013890_1930192914.1361140534742"
X-Priority: 3
Importance: Medium
X-Mailer: Open-Xchange Mailer v6.20.7-Rev8
X-Provags-ID: V02:K0:ydxu8I8bpa09Fue7pJ+8Iv62Ty0Sv/VmZaDHpfgXu3h
 dXVRq1S3x1BsE76KFy/ef1VH7GNJQQVrRuQnj+ZjJSiCojQ5lQ
 BiNtVPq9fuVQfFL6GSS7h4/FcY+NH1/f9Ypm4qir8BPg6T7gQQ
 07og0CCdPz1eKMu3AflVgmyzrj7qpw1YSGBht52Mk2zLpbFEso
 7Inv7Iq1dEY7ZSq7mi2JOCxpfdbplh39ebLl1Y6+glDZKUCUL+
 pUP7rdINX9KCjQ7eY6L7JXWAybLlStN7d4Wu/sCR+VuZ7cbC2S
 2JwbbCw4AuAOc5aDE13AQwOEXr5YNWkq0JlGKlZCwzcwyWnrrj
 NuWml90ZZj0n2CdfV8oxNemgBCdeX7YR1DKYDD3E5ZBMJmg+M0
 3mP6tbGvmBdnJ1S1y3hPVhbd34/d8M5IoO/8Hph5LkhwKJymMe
 PQ7bk
Subject: RE: [PHC] Different cost settings and optional input

------=_Part_1013890_1930192914.1361140534742
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit


On February 17, 2013 at 2:43 PM Marsh Ray <maray@microsoft.com> wrote:
> From: Steve Thomas [mailto:steve@tobtu.com]
> Sent: Sunday, February 17, 2013 2:03 AM
> To: discussions@password-hashing.net
> Subject: RE: [PHC] Different cost settings and optional input6.58
>
> On February 17, 2013 at 1:18 AM Marsh Ray <maray@microsoft.com> wrote:
> >
> > 6,458,020 unique SHA1s were leaked from LinkedIn. So let's assume you are
> > right on 50% cracked in one minute. If it was properly salted the best case
> > is it will take 3,229,010 minutes (6,458,020 * 50%) or about six years.
> > Granted crackers would be smarter on their guesses so it would be less than
> > six years to crack 50%.
>
> 50% of the users selected one of the N_50 most common passwords. I'm guessing
> N_50 is well under 100,000.
>
> So an attacker who was after the most number of passwords would try the most
> common N_50 against each hash in turn.
>
> N_50 = 100,000
>
> Attacker Hps = 10e9 sha1/s
>
> Not salted: N_50 sha1 / Hps = 10 ms to crack 50% of passwords
>
> Salted: N_50*6458020 = 65.8e9 sha1 / Hps = 6.58 s to crack 50% of passwords
> (plus 10 ms to build the dictionary)
>
> So salting means the single-GPU attacker requires 6.58 s instead of 10 ms.
>
> Am I wrong in my estimate of N_50? I got the impression from previous breaches
> that it was typically more like 10,000. What am I missing?
>
> - Marsh
>
Actually we're both wrong. There are 175 million users at the time of the break
in. There are 5,787,239 unique hashes that were released (once you remove the
first 8 characters of the hash because some hashes had their first 8 characters
zeroed out).

N_50 = 100,000
speed = 1 billion/s

unsalted: 0.1 ms (100,000 / 10^9)
salted: between 4 hrs 52 min and 2 hrs 26 min (175,000,000 * 100,000 / 10^9 to
175,000,000 / 2 * 100,000 / 10^9)
------=_Part_1013890_1930192914.1361140534742
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"/>
 </head><body style="">
 
 
  <div>
   <br/>On February 17, 2013 at 2:43 PM Marsh Ray &#60;maray@microsoft.com&#62; wrote:
   <br/>&#62; From: Steve Thomas [mailto:steve@tobtu.com] 
   <br/>&#62; Sent: Sunday, February 17, 2013 2:03 AM
   <br/>&#62; To: discussions@password-hashing.net
   <br/>&#62; Subject: RE: [PHC] Different cost settings and optional input6.58
   <br/>&#62; 
   <br/>&#62; On February 17, 2013 at 1:18 AM Marsh Ray &#60;maray@microsoft.com&#62; wrote: 
   <br/>&#62; &#62;
   <br/>&#62; &#62; 6,458,020 unique SHA1s were leaked from LinkedIn. So let&#39;s assume you are right on 50% cracked in one minute. If it was properly salted the best case is it will take 3,229,010 minutes (6,458,020 * 50%) or about six years. Granted crackers would be smarter on their guesses so it would be less than six years to crack 50%.
   <br/>&#62; 
   <br/>&#62; 50% of the users selected one of the N_50 most common passwords. I&#39;m guessing N_50 is well under 100,000.
   <br/>&#62; 
   <br/>&#62; So an attacker who was after the most number of passwords would try the most common N_50 against each hash in turn.
   <br/>&#62; 
   <br/>&#62; N_50 = 100,000
   <br/>&#62; 
   <br/>&#62; Attacker Hps = 10e9 sha1/s
   <br/>&#62; 
   <br/>&#62; Not salted: N_50 sha1 / Hps = 10 ms to crack 50% of passwords
   <br/>&#62; 
   <br/>&#62; Salted: N_50*6458020 = 65.8e9 sha1 / Hps = 6.58 s to crack 50% of passwords (plus 10 ms to build the dictionary)
   <br/>&#62; 
   <br/>&#62; So salting means the single-GPU attacker requires 6.58 s instead of 10 ms.
   <br/>&#62; 
   <br/>&#62; Am I wrong in my estimate of N_50? I got the impression from previous breaches that it was typically more like 10,000. What am I missing?
   <br/>&#62; 
   <br/>&#62; - Marsh
   <br/>&#62; 
  </div> 
  <div>
   Actually we&#39;re both wrong. There are 175 million users at the time of the break in. There are 5,787,239 unique hashes that were released (once you remove the first 8 characters of the hash because some hashes had their first 8 characters zeroed out).
  </div> 
  <div>
   &#160;
  </div> 
  <div>
   N_50 = 100,000
  </div> 
  <div>
   speed = 1 billion/s
  </div> 
  <div>
   &#160;
  </div> 
  <div>
   unsalted: 0.1 ms (100,000 / 10^9)
  </div> 
  <div>
   salted: between 4 hrs 52 min and 2 hrs 26 min (175,000,000 * 100,000 / 10^9 to 175,000,000 / 2 * 100,000 / 10^9)
  </div>
 
</body></html>
------=_Part_1013890_1930192914.1361140534742--

From maray@microsoft.com  Lun fÃ©v 18 00:02:17 2013 +0000
Return-Path: <maray@microsoft.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 25187 invoked by uid 89); 18 Feb 2013 00:02:17 -0000
Received: by simscan 1.4.0 ppid: 25181, pid: 25183, t: 0.9846s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO na01-bl2-obe.outbound.protection.outlook.com) (unknown@65.55.169.26)
  by qmailtoaster.cryptyx.com with (AES128-SHA encrypted) SMTP; 18 Feb 2013 00:02:16 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at spfb.frontbridge.com designates 65.55.169.26 as permitted sender)
Received: from BL2FFO11FD005.protection.gbl (10.173.161.200) by
 BL2FFO11HUB012.protection.gbl (10.173.161.118) with Microsoft SMTP Server
 (TLS) id 15.0.620.12; Mon, 18 Feb 2013 00:02:01 +0000
Received: from TK5EX14HUBC103.redmond.corp.microsoft.com (131.107.125.37) by
 BL2FFO11FD005.mail.protection.outlook.com (10.173.161.1) with Microsoft SMTP
 Server (TLS) id 15.0.620.12 via Frontend Transport; Mon, 18 Feb 2013 00:02:00
 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.12]) by
 TK5EX14HUBC103.redmond.corp.microsoft.com ([157.54.86.9]) with mapi id
 14.02.0318.003; Mon, 18 Feb 2013 00:01:59 +0000
From: Marsh Ray <maray@microsoft.com>
To: Steve Thomas <steve@tobtu.com>, "discussions@password-hashing.net"
	<discussions@password-hashing.net>
Thread-Topic: [PHC] Different cost settings and optional input
Thread-Index: AQHODDf2ibioHMamr0O0QaBrexsptJh8XUUAgAC1qGCAAA7LgIAAd8hggAAYk4CAAM4Q4IAAJZ8AgAAOr+A=
Date: Mon, 18 Feb 2013 00:01:59 +0000
Message-ID: <218AE73F98E99C4C98AF7D5166AA798E09037114@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com>
 <CAMGhuPFhk4tsmN0h5tcd8cFKhV6teeR9HFfKy4A42ypCP7yVQw@mail.gmail.com>
 <218AE73F98E99C4C98AF7D5166AA798E09036F40@TK5EX14MBXC286.redmond.corp.microsoft.com>
 <512015B3.3030705@bindshell.nl>
 <218AE73F98E99C4C98AF7D5166AA798E09036FB7@TK5EX14MBXC286.redmond.corp.microsoft.com>
 <1327961774.1027773.1361088203547.JavaMail.open-xchange@email.1and1.com>
 <218AE73F98E99C4C98AF7D5166AA798E090370DA@TK5EX14MBXC286.redmond.corp.microsoft.com>
 <864334016.1013891.1361140534785.JavaMail.open-xchange@email.1and1.com>
In-Reply-To: <864334016.1013891.1361140534785.JavaMail.open-xchange@email.1and1.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.34]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Forefront-Antispam-Report:
 CIP:131.107.125.37;CTRY:US;IPV:CAL;IPV:NLI;EFV:NLI;SFV:NSPM;SFS:(199002)(189002)(51704002)(54356001)(47976001)(50986001)(74662001)(54316002)(66066001)(76482001)(79102001)(33656001)(46102001)(47776003)(63696002)(44976002)(20776003)(56816002)(59766001)(65816001)(31966008)(55846006)(561924001)(53806001)(47446002)(16406001)(551544001)(23676001)(74502001)(4396001)(77982001)(49866001)(47736001)(50466001)(80022001)(51856001)(56776001);DIR:OUT;SFP:;SCL:1;SRVR:BL2FFO11HUB012;H:TK5EX14HUBC103.redmond.corp.microsoft.com;RD:InfoDomainNonexistent;A:1;MX:1;LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0761DE1EDD
Subject: RE: [PHC] Different cost settings and optional input

RnJvbTogU3RldmUgVGhvbWFzIFttYWlsdG86c3RldmVAdG9idHUuY29tXSANCj4NCj4gQWN0dWFs
bHkgd2UncmUgYm90aCB3cm9uZy4gVGhlcmUgYXJlIDE3NSBtaWxsaW9uIHVzZXJzIGF0IHRoZSB0
aW1lDQo+IG9mIHRoZSBicmVhayBpbi4gVGhlcmUgYXJlIDUsNzg3LDIzOSB1bmlxdWUgaGFzaGVz
IHRoYXQgd2VyZQ0KPiByZWxlYXNlZA0KDQpEbyB3ZSBrbm93IGlmIHRoZSByZWxlYXNlZCB1bmlx
dWUgaGFzaGVzIHJlcHJlc2VudGVkIGFsbCB0aGUgdW5pcXVlIGhhc2hlcyBvZiB0aGUgMTc1IG1p
bGxpb24/DQoNClRoYXQgd291bGQgaW1wbHkgdGhhdCBOXzk3ID1+IDUuOGU2LiBJLmUuLCA5Ni43
JSBvZiB1c2VycyBjaG9zZSBvbmUgb2YgdGhlIDUuNyBtaWxsaW9uIG1vc3QgY29tbW9uIHBhc3N3
b3Jkcy4NCg0KPiAob25jZSB5b3UgcmVtb3ZlIHRoZSBmaXJzdCA4IGNoYXJhY3RlcnMgb2YgdGhl
IGhhc2ggYmVjYXVzZSBzb21lDQo+IGhhc2hlcyBoYWQgdGhlaXIgZmlyc3QgOCBjaGFyYWN0ZXJz
IHplcm9lZCBvdXQpLg0KDQpEaWQgdGhvc2UgdHVybiBvdXQgdG8gYmUgdGhlIGVhc2llc3QgdG8g
YnJlYWs/IFRoZXJlIHdhcyBzcGVjdWxhdGlvbiB0aGF0IGF0dGFja2VycyBoYWQgemVyb2VkIG91
dCB0aGUgYmVnaW5uaW5nIG9mIHRoZSBvbmVzIHRoZXknZCBiZWVuIGFibGUgdG8gYnJlYWsuDQoN
Cj4gTl81MCA9IDEwMCwwMDANCj4gc3BlZWQgPSAxIGJpbGxpb24vcw0KPg0KPiB1bnNhbHRlZDog
MC4xIG1zICgxMDAsMDAwIC8gMTBeOSkNCj4gc2FsdGVkOiBiZXR3ZWVuIDQgaHJzIDUyIG1pbiBh
bmQgMiBocnMgMjYgbWluICgxNzUsMDAwLDAwMCAqIDEwMCwwMDAgLyAxMF45IHRvIDE3NSwwMDAs
MDAwIC8gMiAqIDEwMCwwMDAgLyAxMF45KSANCg0KU28sIGF0IGxlYXN0IGluIHRoZSBhYnNlbmNl
IG9mIGEgbWVhbmluZ2Z1bCB3b3JrIGZhY3Rvciwgd2UgY2FuIGNvbmNsdWRlOg0KDQoxLiBJZiB0
aGUgYXR0YWNrZXIgaXMgdGFyZ2V0aW5nIGEgc3BlY2lmaWMgdXNlciBvciBzbWFsbCBzZXQgb2Yg
dXNlcihzKSwgc2FsdCBkb2Vzbid0IGhlbHAgbXVjaCBhdCBhbGwuDQoNCjIuIElmIHRoZSBhdHRh
Y2tlciBpcyBoYXBweSB3aXRoIG1lcmVseSB0aGUgbWFqb3JpdHkgb2YgcGFzc3dvcmRzLCBzYWx0
IGRvZXNuJ3QgaGVscCBtdWNoIGF0IGFsbCBlaXRoZXIuDQoNCkl0IHNlZW1zIGxpa2UgdGhlIG1h
aW4gdGhpbmcgdGhhdCBzYWx0aW5nIGlzIGdvb2QgZm9yIGlzIGdpdmluZyB0aGUgdXNlcnMgd2l0
aCB0aGUgbW9zdC1zZWN1cmUgcGFzc3dvcmRzIGEgZmV3IGhvdXJzIG9yIGRheXMgdG8gY2hhbmdl
IHRoZWlyIHBhc3N3b3JkIGJlZm9yZSBpdCBpcyBjcmFja2VkLCBhc3N1bWluZyB0aGUgc2Vydmlj
ZSBkZXRlY3RlZCB0aGUgYnJlYWNoIGFuZCBub3RpZmllZCBpdHMgdXNlcnMgaW1tZWRpYXRlbHku
DQoNCi0gTWFyc2gNCg0K

From maray@microsoft.com  Lun fÃ©v 18 00:07:08 2013 +0000
Return-Path: <maray@microsoft.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 25437 invoked by uid 89); 18 Feb 2013 00:07:08 -0000
Received: by simscan 1.4.0 ppid: 25431, pid: 25433, t: 0.2555s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO na01-bl2-obe.outbound.protection.outlook.com) (unknown@65.55.169.32)
  by qmailtoaster.cryptyx.com with (AES128-SHA encrypted) SMTP; 18 Feb 2013 00:07:08 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at spfb.frontbridge.com designates 65.55.169.32 as permitted sender)
Received: from BL2FFO11FD025.protection.gbl (10.173.161.204) by
 BL2FFO11HUB029.protection.gbl (10.173.161.53) with Microsoft SMTP Server
 (TLS) id 15.0.620.12; Mon, 18 Feb 2013 00:06:54 +0000
Received: from TK5EX14HUBC103.redmond.corp.microsoft.com (131.107.125.37) by
 BL2FFO11FD025.mail.protection.outlook.com (10.173.161.104) with Microsoft
 SMTP Server (TLS) id 15.0.620.12 via Frontend Transport; Mon, 18 Feb 2013
 00:06:53 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.12]) by
 TK5EX14HUBC103.redmond.corp.microsoft.com ([157.54.86.9]) with mapi id
 14.02.0318.003; Mon, 18 Feb 2013 00:06:52 +0000
From: Marsh Ray <maray@microsoft.com>
To: Marsh Ray <maray@microsoft.com>, Steve Thomas <steve@tobtu.com>,
	"discussions@password-hashing.net" <discussions@password-hashing.net>
Thread-Topic: [PHC] Different cost settings and optional input
Thread-Index: AQHODDf2ibioHMamr0O0QaBrexsptJh8XUUAgAC1qGCAAA7LgIAAd8hggAAYk4CAAM4Q4IAAJZ8AgAAOr+CAAAoMgA==
Date: Mon, 18 Feb 2013 00:06:52 +0000
Message-ID: <218AE73F98E99C4C98AF7D5166AA798E09037128@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com>
 <CAMGhuPFhk4tsmN0h5tcd8cFKhV6teeR9HFfKy4A42ypCP7yVQw@mail.gmail.com>
 <218AE73F98E99C4C98AF7D5166AA798E09036F40@TK5EX14MBXC286.redmond.corp.microsoft.com>
 <512015B3.3030705@bindshell.nl>
 <218AE73F98E99C4C98AF7D5166AA798E09036FB7@TK5EX14MBXC286.redmond.corp.microsoft.com>
 <1327961774.1027773.1361088203547.JavaMail.open-xchange@email.1and1.com>
 <218AE73F98E99C4C98AF7D5166AA798E090370DA@TK5EX14MBXC286.redmond.corp.microsoft.com>
 <864334016.1013891.1361140534785.JavaMail.open-xchange@email.1and1.com>
 <218AE73F98E99C4C98AF7D5166AA798E09037114@TK5EX14MBXC286.redmond.corp.microsoft.com>
In-Reply-To: <218AE73F98E99C4C98AF7D5166AA798E09037114@TK5EX14MBXC286.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.34]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Forefront-Antispam-Report:
 CIP:131.107.125.37;CTRY:US;IPV:CAL;IPV:NLI;EFV:NLI;SFV:NSPM;SFS:(189002)(199002)(13464002)(20776003)(16406001)(47776003)(65816001)(80022001)(46102001)(66066001)(63696002)(44976002)(551544001)(56776001)(33656001)(31966008)(74502001)(47446002)(74662001)(1511001)(54316002)(56816002)(23676001)(79102001)(76482001)(55846006)(4396001)(47976001)(50986001)(49866001)(50466001)(47736001)(59766001)(54356001)(51856001)(53806001)(77982001);DIR:OUT;SFP:;SCL:1;SRVR:BL2FFO11HUB029;H:TK5EX14HUBC103.redmond.corp.microsoft.com;RD:InfoDomainNonexistent;MX:1;A:1;LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0761DE1EDD
Subject: RE: [PHC] Different cost settings and optional input

PiAtLS0tLU9yaWdpbmFsIE1lc3NhZ2UtLS0tLQ0KPiBGcm9tOiBNYXJzaCBSYXkgW21haWx0bzpt
YXJheUBtaWNyb3NvZnQuY29tXQ0KPiBUaGF0IHdvdWxkIGltcGx5IHRoYXQgTl85NyA9fiA1Ljhl
Ni4gSS5lLiwgOTYuNyUgb2YgdXNlcnMgY2hvc2Ugb25lIG9mIHRoZQ0KPiA1LjcgbWlsbGlvbiBt
b3N0IGNvbW1vbiBwYXNzd29yZHMuDQoNCk5vLCBzb3JyeSwgdGhhdCdzIHdvbmcuIEl0IHdvdWxk
IGltcGx5IDEwMCUgb2YgdXNlcnMgY2hvc2Ugb25lIG9mIHRoZSA1LjdlNiBtb3N0IGNvbW1vbiBh
bmQgOTYuNyUgb2YgdXNlcnMgY2hvc2Ugb25lIHRoYXQgd2FzIGFscmVhZHkgaW4gdXNlLg0KDQot
IE1hcnNoDQoNCg==

From dfoxfranke@gmail.com  Lun fÃ©v 18 00:25:38 2013 +0000
Return-Path: <dfoxfranke@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 26180 invoked by uid 89); 18 Feb 2013 00:25:38 -0000
Received: by simscan 1.4.0 ppid: 26174, pid: 26176, t: 0.2507s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: **
X-Spam-Status: No, score=2.8 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-ve0-f182.google.com) (209.85.128.182)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 18 Feb 2013 00:25:38 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.128.182 as permitted sender)
Received: by mail-ve0-f182.google.com with SMTP id ox1so4464569veb.41
        for <discussions@password-hashing.net>; Sun, 17 Feb 2013 16:25:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:from:to:cc:subject:references:date:in-reply-to
         :message-id:user-agent:mime-version:content-type;
        bh=3tV9whzBfkeuazzxEyjcgZAzC2PK64gPFHMbSzI/M64=;
        b=FCJ3xXwNMSWwUP6PgG0V5CwbUNA/BXPkA2bjiOhpnkjo1EFrFZG3bvcdwd+hLZnB/+
         A3NTfbKZR1nxdWjT5/C7QbEKk6VLVUQeORraYots3ztve7HgSvPx3iHdNc7BNKr9VzNW
         hRug2rHnK167J0xBSK3HiRqVZD45AKm0RTgM5Ygt9Wp5Kcjfmm2WYI/C4HMBczD6qcTe
         PyPdjkd/4oCd6+OQUnKcp11LRstvypD4ABisT2OL5rrmo2swfTlKD9a57mET3rvszM0e
         2Sqjub0C0JMmwoJrv38ipX3D2Oc1mkllSFzAY2/YfqX6UGszfVNAvYhs2+1TAzUnYTVA
         kGHA==
X-Received: by 10.220.241.141 with SMTP id le13mr13023436vcb.26.1361147136593;
        Sun, 17 Feb 2013 16:25:36 -0800 (PST)
Received: from wolfjaw.dfranke.us (wolfjaw.dfranke.us. [2600:3c03:e001:1200:225:90ff:fe81:d4a0])
        by mx.google.com with ESMTPS id ly6sm93243737veb.3.2013.02.17.16.25.34
        (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
        Sun, 17 Feb 2013 16:25:35 -0800 (PST)
From: Daniel Franke <dfoxfranke@gmail.com>
To: Jeremi Gosney <epixoip@bindshell.nl>
Cc: discussions@password-hashing.net
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz>
	<061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org>
	<5120951F.8000303@bindshell.nl>
Date: Sun, 17 Feb 2013 19:25:33 -0500
In-Reply-To: <5120951F.8000303@bindshell.nl> (Jeremi Gosney's message of "Sun,
	17 Feb 2013 00:30:23 -0800")
Message-ID: <87txpaii2q.fsf@wolfjaw.dfranke.us>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Subject: Re: [PHC] Any "large verifiers" on the panel?

Jeremi Gosney <epixoip@bindshell.nl> writes:

> You have to assume that if the passwords are compromised, the
> encryption key is as well.

I'm with all those who say that we shouldn't be granting this
assumption. An adversary who has completely compromised a web server
doesn't have to bother cracking password hashes at all. He can just
capture unhashed passwords as they arrive over the wire. If we aren't
completely wasting our time having this competition, then we should
absolutely be thinking about what constitutes a realistic model of
common partial-compromise scenarios, and what features we can add to a
password-hashing scheme in order to make it more secure in that model.

P.S.: A couple people in this thread have been referencing a message
from Peter Gutmann which doesn't seem to have made it to my inbox. Was
that message sent to this list?

From matthewdgreen@gmail.com  Lun fÃ©v 18 02:00:58 2013 +0000
Return-Path: <matthewdgreen@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 30115 invoked by uid 89); 18 Feb 2013 02:00:57 -0000
Received: by simscan 1.4.0 ppid: 30109, pid: 30111, t: 0.3250s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,HTML_MESSAGE,RDNS_NONE
	autolearn=no version=3.2.5
Received: from unknown (HELO mail-ve0-f178.google.com) (209.85.128.178)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 18 Feb 2013 02:00:57 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.128.178 as permitted sender)
Received: by mail-ve0-f178.google.com with SMTP id db10so4459545veb.9
        for <discussions@password-hashing.net>; Sun, 17 Feb 2013 18:00:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:from:content-type:message-id:mime-version:subject:date
         :references:to:in-reply-to:x-mailer;
        bh=b75phQPsCIcBsV6vDoCQAhkjyf6DbzkJwbE5mrHvERk=;
        b=G0KwQWg/2gClrNn1YYoC7OE1T7QHN4197Cp5xDFeGqWBXBytsMTh8/yQLtSTAwBN05
         cQ3BJsXw3CnKgkQSHL6gihaUsZwnob/sLYWDWMvDkegpyu+LQAWngpPAcbui0+9ns7i1
         5o2c//SPuCfkF5lAKA2wphn5bchgmX6rctv69Ke6MNqzz4E6CAtfVRywsr+n0NZq2Nc3
         I+2Dkt6IoxnglMGwmnaCZYnt+ptzdL/bSHWynAQGnLyrgvx0666pNtTv7R42xEn54v/B
         HTiqaHBhS4GXJorysn9ytz68+kB52pe0DUA9LA493F3ypYD+yM3QRciDEflK/kIICpS7
         Erug==
X-Received: by 10.52.96.163 with SMTP id dt3mr11846707vdb.11.1361152856253;
        Sun, 17 Feb 2013 18:00:56 -0800 (PST)
Received: from [192.168.1.105] (c-76-21-153-251.hsd1.md.comcast.net. [76.21.153.251])
        by mx.google.com with ESMTPS id i17sm11802988vdj.1.2013.02.17.18.00.54
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Sun, 17 Feb 2013 18:00:55 -0800 (PST)
From: Matthew Green <matthewdgreen@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E3C99AE8-5583-435D-93ED-CCFDC0F1D615"
Message-Id: <BA5F08A1-3F23-43CB-A0BE-5FC398CBAA1B@gmail.com>
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
Date: Sun, 17 Feb 2013 21:00:54 -0500
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz> <061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org> <5120951F.8000303@bindshell.nl> <98657C44-5C16-42A8-9892-DFF8623491C9@goldmark.org> <CAEw2jfyq+Hdw+hk_UE3cYxvkTFjkuEkihfAH9goQx+9Qu+ohCw@mail.gmail.com>
To: discussions@password-hashing.net
In-Reply-To: <CAEw2jfyq+Hdw+hk_UE3cYxvkTFjkuEkihfAH9goQx+9Qu+ohCw@mail.gmail.com>
X-Mailer: Apple Mail (2.1499)
Subject: Re: [PHC] Asymmetry [Was: Any "large verifiers" on the panel?]


--Apple-Mail=_E3C99AE8-5583-435D-93ED-CCFDC0F1D615
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

> =46rom a practical perspective, I'm highly skeptical that most users =
would actually store such a secret differently/out of reach of an =
attacker. If you've compromised the server, you almost certainly have =
access to any secrets. Online attacks are problematic, but offline =
attacks are far worse. If a scheme can't offer a decent amount of =
protection for the digests of low-entropy passwords when they (and any =
secrets) are compromised, then it is not very good, IMHO. That's not to =
say that having the ability to leverage a HSM (if available) to make it =
even harder wouldn't be great feature, of course. I just think that will =
be rare.

I think that HSMs are going to become increasingly common in this area. =
I also think we're going to see an increasing number of clever tricks to =
keep secrets out of the hands of a hacked server. We already have things =
SRP (not that I'm recommending it). I expect to also see simple =
end-to-end encryption of passwords, from browser to an HSM or equivalent =
system. But databases will continue to be the weak link.

You can't do this stuff today because HSMs aren't up to it, and because =
most browsers don't let you do the kind of crypto you want to do at =
login time. I think 5-10 years from now things will have changed a bit.
=20
But I've been wrong before.

Matt=

--Apple-Mail=_E3C99AE8-5583-435D-93ED-CCFDC0F1D615
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=us-ascii

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dus-ascii"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; =
"><div><blockquote type=3D"cite"><span style=3D"font-family: Helvetica; =
font-size: medium; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: =
none; white-space: normal; widows: 2; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; display: =
inline !important; float: none; ">=46rom a practical perspective, I'm =
highly skeptical that most users would actually store such a secret =
differently/out of reach of an attacker. If you've compromised the =
server, you almost certainly have access to any secrets.&nbsp;Online =
attacks are problematic, but offline attacks are far worse. If a scheme =
can't offer a decent amount of protection for the digests of low-entropy =
passwords when they (and any secrets) are compromised, then it is not =
very good, IMHO.&nbsp;That's not to say that having the ability to =
leverage a HSM (if available) to make it even harder wouldn't be great =
feature, of course. I just think that will be =
rare.</span></blockquote><div><br></div><div>I think that HSMs are going =
to become increasingly common in this area. I also think we're going to =
see an increasing number of clever tricks to keep secrets out of the =
hands of a hacked server. We already have things SRP (not that I'm =
recommending it). I expect to also see simple end-to-end encryption of =
passwords, from browser to an HSM or equivalent system. But databases =
will continue to be the weak link.</div><div><br></div><div>You can't do =
this stuff today because HSMs aren't up to it, and because most browsers =
don't let you do the kind of crypto you want to do at login time. I =
think 5-10 years from now things will have changed a =
bit.</div><div>&nbsp;</div><div>But I've been wrong =
before.</div><div><br></div><div>Matt</div></div></body></html>=

--Apple-Mail=_E3C99AE8-5583-435D-93ED-CCFDC0F1D615--

From steve@tobtu.com  Lun fÃ©v 18 02:06:10 2013 +0000
Return-Path: <steve@tobtu.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 30379 invoked by uid 89); 18 Feb 2013 02:06:10 -0000
Received: by simscan 1.4.0 ppid: 30373, pid: 30375, t: 0.4356s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.2 required=4.0 tests=AWL,HTML_MESSAGE,RDNS_NONE
	autolearn=no version=3.2.5
Received: from unknown (HELO mout.perfora.net) (74.208.4.195)
  by qmailtoaster.cryptyx.com with SMTP; 18 Feb 2013 02:06:09 -0000
Received-SPF: none (qmailtoaster.cryptyx.com: domain at tobtu.com does not designate permitted sender hosts)
Received: from oxuslxltgw05.lxa.perfora.net (oxuslxltgw05.lxa.perfora.net [172.19.206.7])
	by mrelay.perfora.net (node=mrus4) with ESMTP (Nemesis)
	id 0M1FVw-1V0B5L2aka-00t2Se; Sun, 17 Feb 2013 21:06:07 -0500
Date: Sun, 17 Feb 2013 20:06:07 -0600 (CST)
From: Steve Thomas <steve@tobtu.com>
Reply-To: Steve Thomas <steve@tobtu.com>
To: discussions@password-hashing.net
Message-ID: <145189703.999702.1361153167625.JavaMail.open-xchange@email.1and1.com>
In-Reply-To: <218AE73F98E99C4C98AF7D5166AA798E09037114@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <CAJm7-NswdHAeMCdpjfW5+id=gaFn-m7tXOX7kLfrvXd4vD+iPQ@mail.gmail.com> <CAMGhuPFhk4tsmN0h5tcd8cFKhV6teeR9HFfKy4A42ypCP7yVQw@mail.gmail.com> <218AE73F98E99C4C98AF7D5166AA798E09036F40@TK5EX14MBXC286.redmond.corp.microsoft.com> <512015B3.3030705@bindshell.nl> <218AE73F98E99C4C98AF7D5166AA798E09036FB7@TK5EX14MBXC286.redmond.corp.microsoft.com> <1327961774.1027773.1361088203547.JavaMail.open-xchange@email.1and1.com> <218AE73F98E99C4C98AF7D5166AA798E090370DA@TK5EX14MBXC286.redmond.corp.microsoft.com> <864334016.1013891.1361140534785.JavaMail.open-xchange@email.1and1.com> <218AE73F98E99C4C98AF7D5166AA798E09037114@TK5EX14MBXC286.redmond.corp.microsoft.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; 
	boundary="----=_Part_999701_1419312997.1361153167583"
X-Priority: 3
Importance: Medium
X-Mailer: Open-Xchange Mailer v-
X-Provags-ID: V02:K0:Vq1rLOSnWHcTojSGp7n4rk+R65wqYhQjk4BLYhNZ9AL
 PBd7so7cfAQ3U7Gjhnollk1LvnUDzkPGykiGCiUQLIJRZvWAy+
 kK+QFHHpVmlyw+FXPEjIveX0vEWux2my7Ul6GUs5CeWwwBg+Wv
 R+xO0geDXWYk+nduRhUwvKBrBtkcrmC/6BS523zKyjaDSuzZ2/
 exGzrJfLwev/I75l8gm7lRPTnSaAF8VEc98p+nVsnY/zy43wMv
 orJ+j3AFCZu2Oa8EbEojrjIna3lw3aBFj67afWqoIT3Jvh5ty/
 9nEwq/rsr60YBnoLY7Qr6FZEmSyBuc/oRJUftoz2rYhezAmfsG
 Vy+0JaL4e55Sgw6l111ftwNSqr4/vaR7VLw9w0ARaIe6NUhpV7
 c3lHBLlTIchLfKZDr663OB5v8zQ4lD+2OiZpNhAtYjj0VuMTan
 cUkWe
Subject: RE: [PHC] Different cost settings and optional input

------=_Part_999701_1419312997.1361153167583
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit


On February 17, 2013 at 6:01 PM Marsh Ray <maray@microsoft.com> wrote:
> From: Steve Thomas [mailto:steve@tobtu.com]
> >
> > Actually we're both wrong. There are 175 million users at the time
> > of the break in. There are 5,787,239 unique hashes that were
> > released
>
> Do we know if the released unique hashes represented all the unique hashes of
> the 175 million?
> 
My guess is that 13 million account hashes got compromised. I'm going off
RockYou's data (2.2 users/unique password). I thought 30.2 users/unique password
looked a little high.


> > (once you remove the first 8 characters of the hash because some
> > hashes had their first 8 characters zeroed out).
>
> Did those turn out to be the easiest to break? There was speculation that
> attackers had zeroed out the beginning of the ones they'd been able to break.
>
I heard that too, but I don't believe that is the case since there are 670,781
duplicates in the list when you remove the first 8 characters.


> > N_50 = 100,000
> > speed = 1 billion/s
> >
> > unsalted: 0.1 ms (100,000 / 10^9)
> > salted: between 4 hrs 52 min and 2 hrs 26 min (175,000,000 * 100,000 / 10^9
> > to 175,000,000 / 2 * 100,000 / 10^9)
>
> So, at least in the absence of a meaningful work factor, we can conclude:
>
> 1. If the attacker is targeting a specific user or small set of user(s), salt
> doesn't help much at all.
>
True, but salt prevents the use of rainbow tables. Which would help a lot in
recovering a few hashes.
------=_Part_999701_1419312997.1361153167583
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"/>
 </head><body style="">
 
 
  <div>
   <br/>On February 17, 2013 at 6:01 PM Marsh Ray &#60;maray@microsoft.com&#62; wrote:
   <br/>&#62; From: Steve Thomas [mailto:steve@tobtu.com] 
   <br/>&#62; &#62;
   <br/>&#62; &#62; Actually we&#39;re both wrong. There are 175 million users at the time
   <br/>&#62; &#62; of the break in. There are 5,787,239 unique hashes that were
   <br/>&#62; &#62; released
   <br/>&#62; 
   <br/>&#62; Do we know if the released unique hashes represented all the unique hashes of the 175 million?
   <br/>&#62;&#160;
  </div> 
  <div>
   My guess is that 13 million account hashes got compromised. I&#39;m going off RockYou&#39;s data (2.2 users/unique password). I thought 30.2 users/unique password looked a little high.
  </div> 
  <div>
   &#160;
  </div> 
  <div>
   <br/>&#62; &#62; (once you remove the first 8 characters of the hash because some
   <br/>&#62; &#62; hashes had their first 8 characters zeroed out).
   <br/>&#62; 
   <br/>&#62; Did those turn out to be the easiest to break? There was speculation that attackers had zeroed out the beginning of the ones they&#39;d been able to break.
   <br/>&#62;
  </div> 
  <div>
   I heard that too, but I don&#39;t believe that is the case since there are 670,781 duplicates in the list when you remove the first 8 characters.
  </div> 
  <div>
   &#160;
  </div> 
  <div>
   <br/>&#62; &#62; N_50 = 100,000
   <br/>&#62; &#62; speed = 1 billion/s
   <br/>&#62; &#62;
   <br/>&#62; &#62; unsalted: 0.1 ms (100,000 / 10^9)
   <br/>&#62; &#62; salted: between 4 hrs 52 min and 2 hrs 26 min (175,000,000 * 100,000 / 10^9 to 175,000,000 / 2 * 100,000 / 10^9) 
   <br/>&#62; 
   <br/>&#62; So, at least in the absence of a meaningful work factor, we can conclude:
   <br/>&#62; 
   <br/>&#62; 1. If the attacker is targeting a specific user or small set of user(s), salt doesn&#39;t help much at all.
   <br/>&#62;
  </div> 
  <div>
   True, but salt prevents the use of rainbow tables. Which would help a lot in recovering a few hashes.
  </div>
 
</body></html>
------=_Part_999701_1419312997.1361153167583--

From dfoxfranke@gmail.com  Lun fÃ©v 18 02:06:23 2013 +0000
Return-Path: <dfoxfranke@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 30481 invoked by uid 89); 18 Feb 2013 02:06:23 -0000
Received: by simscan 1.4.0 ppid: 30475, pid: 30477, t: 0.2808s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: *
X-Spam-Status: No, score=1.0 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-ve0-f171.google.com) (209.85.128.171)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 18 Feb 2013 02:06:23 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.128.171 as permitted sender)
Received: by mail-ve0-f171.google.com with SMTP id b10so4523134vea.30
        for <discussions@password-hashing.net>; Sun, 17 Feb 2013 18:06:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:from:to:subject:date:message-id:user-agent:mime-version
         :content-type;
        bh=Yl4A0LL1Et88gIBtigZ2ZdnEiMOCyuq8d1Dkg21drzo=;
        b=GSyARG5tCiAn5MxIC3ckEUexubk7TTjT2j2c33K1tf+extTeGK0LwxPam33ZLRfcx+
         XzuviAU4oMdb32rt8vg9nFdDpg9dcM3r8mijm9zu+wmW+nGv44RbSBLguvZ2IGdCPOq6
         3HYoAYbvDdxHBDewqWtHVwdn2O7K6nV1vJ6YrFHWkjROTDSKz6T69xbA2fvmZGvZZMRE
         ym36i+4uysRpE4gZHP06MpoVg1NhVV9bpAvw//68GhB8gMhWZQtOYu19vr9gx6JeAaVg
         zDPwwIHIKib0ye+2JqBKLHjYhJI9ttJoC0BBB98H9EKuxFUfGAzYMmXYj/B8Y0RDG3jx
         96tA==
X-Received: by 10.52.175.66 with SMTP id by2mr12190895vdc.53.1361153182086;
        Sun, 17 Feb 2013 18:06:22 -0800 (PST)
Received: from wolfjaw.dfranke.us (wolfjaw.dfranke.us. [2600:3c03:e001:1200:225:90ff:fe81:d4a0])
        by mx.google.com with ESMTPS id i17sm11826703vdj.1.2013.02.17.18.06.20
        (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
        Sun, 17 Feb 2013 18:06:21 -0800 (PST)
From: Daniel Franke <dfoxfranke@gmail.com>
To: discussions@password-hashing.net
Date: Sun, 17 Feb 2013 21:06:19 -0500
Message-ID: <87halaides.fsf@wolfjaw.dfranke.us>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Subject: Archives

I think that all of the following would be good to have available in
order to make sure that none of our discussion gets lost:

1. A mailing list archive.

2. An IRC chat log.

3. An agreed-upon Twitter hashtag. #phc has too many collisions so I
suggest #pwdhc.

From epixoip@bindshell.nl  Lun fÃ©v 18 03:40:20 2013 +0000
Return-Path: <epixoip@bindshell.nl>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 2332 invoked by uid 89); 18 Feb 2013 03:40:19 -0000
Received: by simscan 1.4.0 ppid: 2325, pid: 2328, t: 0.5953s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO dulcinea.bindshell.nl) (209.147.121.167)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 18 Feb 2013 03:40:18 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at bindshell.nl designates 209.147.121.167 as permitted sender)
Received: from [192.168.2.130] (nat.secure.la [173.160.144.193])
	by dulcinea.bindshell.nl (Postfix) with ESMTPSA id B393D3C20C0;
	Sun, 17 Feb 2013 19:26:02 -0800 (PST)
Message-ID: <5121A295.2030601@bindshell.nl>
Date: Sun, 17 Feb 2013 19:40:05 -0800
From: Jeremi Gosney <epixoip@bindshell.nl>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: Daniel Franke <dfoxfranke@gmail.com>
CC: discussions@password-hashing.net
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz> <061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org> <5120951F.8000303@bindshell.nl> <87txpaii2q.fsf@wolfjaw.dfranke.us>
In-Reply-To: <87txpaii2q.fsf@wolfjaw.dfranke.us>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [PHC] Any "large verifiers" on the panel?

On 2/17/2013 4:25 PM, Daniel Franke wrote:
> Jeremi Gosney <epixoip@bindshell.nl> writes:
>
>> You have to assume that if the passwords are compromised, the
>> encryption key is as well.
> I'm with all those who say that we shouldn't be granting this
> assumption. An adversary who has completely compromised a web server
> doesn't have to bother cracking password hashes at all. He can just
> capture unhashed passwords as they arrive over the wire. If we aren't
> completely wasting our time having this competition, then we should
> absolutely be thinking about what constitutes a realistic model of
> common partial-compromise scenarios

I'm assuming that those who say that we should not be granting this
assumption either are not hackers, or do not have an extensive
background in real-world exploitation and post-exploitation. But that's
okay, because as JP stated, one of the goals of this competition & list
is to bring the academic and non-hacker types together with the
"real-world" types.

We are not assuming a complete compromise (i.e., root access) here.
We're merely assuming an attacker who is able to execute arbitrary code
in the context of the web server or webapp.

SQL injection, remote includes, local includes, and straight RCE flaws
are by and large the biggest ways password hashes are compromised. More
often than not, these vulnerabilities can be leveraged to view arbitrary
files, or in the best case scenario, obtain a shell running under the
context of the httpd or webapp.

A majority of the time, it is not possible to escalate our privileges.
But what we can do is leverage our context to read any files that the
httpd or webapp has permission to read. In the case of something like
encryption, where the webapp has to have access to the key to
encrypt/decrypt passwords, you too have access to the encryption key.

And this is not an uncommon practice; config files and the webapp source
code are among the first places we turn to determine exactly how the
passwords have been hashed or otherwise obfuscated. Even if we dump a
database and see what appear to be raw MD5 hashes, we still go to the
code to verify the exact algorithm used. And if we see that the
passwords were encrypted instead of hashed, we go straight to key. (And
yes, this does actually happen on the rare occasion we find someone who
is naive enough to encrypt passwords.)

The same is true for any secrets that are used. If the webapp has
permission to read them (which of course it does), then we have
permission to read them too, and they are no longer secret.

Regards,
Jeremi

From epixoip@bindshell.nl  Lun fÃ©v 18 04:14:48 2013 +0000
Return-Path: <epixoip@bindshell.nl>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 3750 invoked by uid 89); 18 Feb 2013 04:14:47 -0000
Received: by simscan 1.4.0 ppid: 3741, pid: 3744, t: 0.3690s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO dulcinea.bindshell.nl) (209.147.121.167)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 18 Feb 2013 04:14:47 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at bindshell.nl designates 209.147.121.167 as permitted sender)
Received: from [192.168.2.130] (nat.secure.la [173.160.144.193])
	by dulcinea.bindshell.nl (Postfix) with ESMTPSA id 13F493C20C0
	for <discussions@password-hashing.net>; Sun, 17 Feb 2013 20:00:32 -0800 (PST)
Message-ID: <5121AAAC.3090700@bindshell.nl>
Date: Sun, 17 Feb 2013 20:14:36 -0800
From: Jeremi Gosney <epixoip@bindshell.nl>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: discussions@password-hashing.net
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz> <061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org> <5120951F.8000303@bindshell.nl> <98657C44-5C16-42A8-9892-DFF8623491C9@goldmark.org> <CAEw2jfyq+Hdw+hk_UE3cYxvkTFjkuEkihfAH9goQx+9Qu+ohCw@mail.gmail.com>
In-Reply-To: <CAEw2jfyq+Hdw+hk_UE3cYxvkTFjkuEkihfAH9goQx+9Qu+ohCw@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHC] Asymmetry [Was: Any "large verifiers" on the panel?]

On 2/17/2013 11:46 AM, Patrick Mylund Nielsen wrote:
> One notable exception to this that I can think of is if you e.g. have
> some (possibly global) secret which is loaded from e.g. disk instead
> of the database--then attackers who are only able to leverage a SQL
> injection vulnerability would not be able to do much with the
> salt+digests from the database.

Please keep in mind that SQL injection can be leveraged to do a lot more
than just dump the database. It can also be used to read artibrary
files, and in some cases, obtain a shell running in the context of the
database or webapp.

Cheers,
Jeremi

From dfoxfranke@gmail.com  Lun fÃ©v 18 04:24:38 2013 +0000
Return-Path: <dfoxfranke@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 4190 invoked by uid 89); 18 Feb 2013 04:24:38 -0000
Received: by simscan 1.4.0 ppid: 4184, pid: 4186, t: 0.3339s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-vb0-f44.google.com) (209.85.212.44)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 18 Feb 2013 04:24:37 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.212.44 as permitted sender)
Received: by mail-vb0-f44.google.com with SMTP id fr13so3284163vbb.31
        for <discussions@password-hashing.net>; Sun, 17 Feb 2013 20:24:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:from:to:cc:subject:references:date:in-reply-to
         :message-id:user-agent:mime-version:content-type;
        bh=g25VcTrwgwQvuUp4xTRe+lOiiWb7PQlL2ihUtZMApxc=;
        b=uM0JkCsk598+plF9p68IKovMzapktTjTRnu3aOmd3J+GqgGiQRsyJbAhunj2oc5qKK
         BjPTp08VFhb0V3BTxd99YxDMKSeNqjUK3okgKTa068um4g/JWtKrvbwlLMNqfq3piRhS
         JkuI1fATNUNl/bwXwg6j2os6iz2Kwdt8e6HbE+jydUGn+S0hl3BsxnwrnQ0C1jMN+0Ju
         NL//Z9BuJ5WJzsgu0lOUujq/MW12Kg+tHZH0wcFTa+YZgKJULB3zJJu33Ct6rsuNhMVL
         D3lf7kBhfpBJz5y1mIfikhLLT5JMrG2tByRcLAnGd4j3gNoZMKB9GVcrunHdxFxsP5IK
         bg4A==
X-Received: by 10.52.16.102 with SMTP id f6mr12171943vdd.12.1361161476709;
        Sun, 17 Feb 2013 20:24:36 -0800 (PST)
Received: from wolfjaw.dfranke.us (wolfjaw.dfranke.us. [2600:3c03:e001:1200:225:90ff:fe81:d4a0])
        by mx.google.com with ESMTPS id x9sm94213736vel.4.2013.02.17.20.24.35
        (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
        Sun, 17 Feb 2013 20:24:35 -0800 (PST)
From: Daniel Franke <dfoxfranke@gmail.com>
To: Jeremi Gosney <epixoip@bindshell.nl>
Cc: discussions@password-hashing.net
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz>
	<061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org>
	<5120951F.8000303@bindshell.nl> <87txpaii2q.fsf@wolfjaw.dfranke.us>
	<5121A295.2030601@bindshell.nl>
Date: Sun, 17 Feb 2013 23:24:32 -0500
In-Reply-To: <5121A295.2030601@bindshell.nl> (Jeremi Gosney's message of "Sun,
	17 Feb 2013 19:40:05 -0800")
Message-ID: <87d2vyi70f.fsf@wolfjaw.dfranke.us>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Subject: Re: [PHC] Any "large verifiers" on the panel?

Jeremi Gosney <epixoip@bindshell.nl> writes:


> SQL injection, remote includes, local includes, and straight RCE flaws
> are by and large the biggest ways password hashes are compromised. More
> often than not, these vulnerabilities can be leveraged to view arbitrary
> files, or in the best case scenario, obtain a shell running under the
> context of the httpd or webapp.

If the attacker can obtain a shell under the same uid as the webapp
process and go undetected for a while, then he can ptrace the webapp and
see the passwords as they're being passed into the hashing function.

From epixoip@bindshell.nl  Lun fÃ©v 18 05:04:47 2013 +0000
Return-Path: <epixoip@bindshell.nl>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 6212 invoked by uid 89); 18 Feb 2013 05:04:47 -0000
Received: by simscan 1.4.0 ppid: 6206, pid: 6208, t: 0.5442s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO dulcinea.bindshell.nl) (209.147.121.167)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 18 Feb 2013 05:04:46 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at bindshell.nl designates 209.147.121.167 as permitted sender)
Received: from [192.168.2.130] (nat.secure.la [173.160.144.193])
	by dulcinea.bindshell.nl (Postfix) with ESMTPSA id 72C353C20C0;
	Sun, 17 Feb 2013 20:50:30 -0800 (PST)
Message-ID: <5121B661.3060208@bindshell.nl>
Date: Sun, 17 Feb 2013 21:04:33 -0800
From: Jeremi Gosney <epixoip@bindshell.nl>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: Daniel Franke <dfoxfranke@gmail.com>
CC: discussions@password-hashing.net
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz> <061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org> <5120951F.8000303@bindshell.nl> <87txpaii2q.fsf@wolfjaw.dfranke.us> <5121A295.2030601@bindshell.nl> <87d2vyi70f.fsf@wolfjaw.dfranke.us>
In-Reply-To: <87d2vyi70f.fsf@wolfjaw.dfranke.us>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [PHC] Any "large verifiers" on the panel?

On 2/17/2013 8:24 PM, Daniel Franke wrote:
> Jeremi Gosney <epixoip@bindshell.nl> writes:
>> SQL injection, remote includes, local includes, and straight RCE flaws
>> are by and large the biggest ways password hashes are compromised. More
>> often than not, these vulnerabilities can be leveraged to view arbitrary
>> files, or in the best case scenario, obtain a shell running under the
>> context of the httpd or webapp.
> If the attacker can obtain a shell under the same uid as the webapp
> process and go undetected for a while, then he can ptrace the webapp and
> see the passwords as they're being passed into the hashing function.

It does not work this way anymore. At least not on modern Linux
distributions that enable the Yama LSM, which I'm pretty sure all
distributers started doing ~ 3 years back.

I believe FreeBSD also limits ptrace functionality through MAC policies,
but I am unsure of whether it is disabled by default.

I cannot speak to other operating systems.

From jeanphilippe.aumasson@gmail.com  Lun fÃ©v 18 06:47:13 2013 +0000
Return-Path: <jeanphilippe.aumasson@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 10436 invoked by uid 89); 18 Feb 2013 06:47:13 -0000
Received: by simscan 1.4.0 ppid: 10427, pid: 10432, t: 0.2968s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.3 required=4.0 tests=AWL,HTML_MESSAGE,RDNS_NONE
	autolearn=no version=3.2.5
Received: from unknown (HELO mail-oa0-f44.google.com) (209.85.219.44)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 18 Feb 2013 06:47:13 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.219.44 as permitted sender)
Received: by mail-oa0-f44.google.com with SMTP id h1so5550517oag.17
        for <discussions@password-hashing.net>; Sun, 17 Feb 2013 22:47:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:x-received:in-reply-to:references:date:message-id
         :subject:from:to:cc:content-type;
        bh=Fx9fEOBeXdinbBRoFRqpKuoyyDR+lXi6bJWlZjwF3/I=;
        b=DR3fjOub/z/q/IpGcMoDdXhtSJcbDVau3MsL5d9T6VHDqVHfZyq3Z1BrSs95aRnj6/
         gSMVJHSWJscKAzII3LkUc6uDNPjFxgkpmhQ2YmjasuF4izG7zFRuSsd/KuqrzsBgCcM7
         SfXLUPaWDOc2itCgJSXl16o7u5da6R1QgdLAvLooIpKkT/m5U735ABzRvr0KrIfc6QwZ
         /ieyabixi83AO2XEQoBD0C69mdoSSSYcJ+wnWJEPraV85M9FIKZVwONGfnqiHylPvUBW
         D1LWYM0QWsOZFcCoysEFb9GH/hAZ2ym3L202cRH20w4waCEDhz1QE1zXl6dQwyKPWBxV
         WeDA==
MIME-Version: 1.0
X-Received: by 10.60.170.242 with SMTP id ap18mr127128oec.108.1361170031626;
 Sun, 17 Feb 2013 22:47:11 -0800 (PST)
Received: by 10.76.172.70 with HTTP; Sun, 17 Feb 2013 22:47:11 -0800 (PST)
Received: by 10.76.172.70 with HTTP; Sun, 17 Feb 2013 22:47:11 -0800 (PST)
In-Reply-To: <87halaides.fsf@wolfjaw.dfranke.us>
References: <87halaides.fsf@wolfjaw.dfranke.us>
Date: Mon, 18 Feb 2013 07:47:11 +0100
Message-ID: <CAGiyFdcNp9mW+tE29x+K+dNyDG-tviexb5ZYF=_iPNjR0ARicw@mail.gmail.com>
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
To: Daniel Franke <dfoxfranke@gmail.com>
Cc: discussions@password-hashing.net
Content-Type: multipart/alternative; boundary=bcaec54d3f8436c7db04d5fa1894
Subject: Re: [PHC] Archives

--bcaec54d3f8436c7db04d5fa1894
Content-Type: text/plain; charset=ISO-8859-1

The first two are planned ;-)

Noticed the #phc collisions; #pwdhc is a good alternative. Any other/better
idea? (will then mention it on the website under Interaction).
On Feb 18, 2013 3:06 AM, "Daniel Franke" <dfoxfranke@gmail.com> wrote:

> I think that all of the following would be good to have available in
> order to make sure that none of our discussion gets lost:
>
> 1. A mailing list archive.
>
> 2. An IRC chat log.
>
> 3. An agreed-upon Twitter hashtag. #phc has too many collisions so I
> suggest #pwdhc.
>

--bcaec54d3f8436c7db04d5fa1894
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<p>The first two are planned ;-)</p>
<p>Noticed the #phc collisions; #pwdhc is a good alternative. Any other/bet=
ter idea? (will then mention it on the website under Interaction).</p>
<div class=3D"gmail_quote">On Feb 18, 2013 3:06 AM, &quot;Daniel Franke&quo=
t; &lt;<a href=3D"mailto:dfoxfranke@gmail.com">dfoxfranke@gmail.com</a>&gt;=
 wrote:<br type=3D"attribution"><blockquote class=3D"gmail_quote" style=3D"=
margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I think that all of the following would be good to have available in<br>
order to make sure that none of our discussion gets lost:<br>
<br>
1. A mailing list archive.<br>
<br>
2. An IRC chat log.<br>
<br>
3. An agreed-upon Twitter hashtag. #phc has too many collisions so I<br>
suggest #pwdhc.<br>
</blockquote></div>

--bcaec54d3f8436c7db04d5fa1894--

From patrick@patrickmn.com  Lun fÃ©v 18 08:38:10 2013 +0000
Return-Path: <patrick@patrickmn.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 18233 invoked by uid 89); 18 Feb 2013 08:38:10 -0000
Received: by simscan 1.4.0 ppid: 18226, pid: 18228, t: 0.3321s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,HTML_MESSAGE,RDNS_NONE
	autolearn=no version=3.2.5
Received: from unknown (HELO mail-wi0-f181.google.com) (209.85.212.181)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 18 Feb 2013 08:38:10 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.212.181 as permitted sender)
Received: by mail-wi0-f181.google.com with SMTP id hm6so3168573wib.2
        for <discussions@password-hashing.net>; Mon, 18 Feb 2013 00:38:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=patrickmylund.com; s=pmylund;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:cc:content-type;
        bh=F0/rYCDCq4tk5YVSMvHWLiKClCKIChF5SIWW5NRzIfk=;
        b=ceV5Cg6Zk0SskvrsS+r9570WrpvbHvb3Sstw+TxlUeeK6rPbHK8aeURm0FnOwnKp1k
         pb/eyrF/Ehvm2FCkbXgq3WSuKhzbDoGw9uytUPTe+rkSQuf+CewCMZJXMvm7eQmiL9tW
         7GstxFSR0QiY5dE6UJ0L9m+z2iSMZhloSaDWY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:cc:content-type:x-gm-message-state;
        bh=F0/rYCDCq4tk5YVSMvHWLiKClCKIChF5SIWW5NRzIfk=;
        b=SUI9IyiP78UTu9MfICKMhG6z/r9pYZS+Zu2c8emGHcV7gDCT4szZEyWwAOyKeidE9I
         edyVdfCFtnvibqapdETKNkPtI/0A1/zTODmtw6yTZOichyc0FRlQszG3j/HH3pulbnk3
         Kqx4i+/P9Wf2OYoTC0u6fbCaHOsnUKSp5K3djtMat3aClOyuw6klUmDjZp1f70Xdf5z6
         AOYhG5hO1E6YOS0VpZOb3HIFNvuJNJcL2ArgwaCwc5C7cXm1Ct5hlgXBbGlOSFoxLuSp
         wN1y8d+6vM/pd/U8PDN7fi7p5G0RXO9RQm8MTF7ZOPt7+wofO/ECaMCnzxUJ1/nybIGK
         HbaQ==
MIME-Version: 1.0
X-Received: by 10.180.99.227 with SMTP id et3mr16696253wib.6.1361176689447;
 Mon, 18 Feb 2013 00:38:09 -0800 (PST)
Received: by 10.194.35.196 with HTTP; Mon, 18 Feb 2013 00:38:09 -0800 (PST)
X-Originating-IP: [85.224.171.72]
In-Reply-To: <BA5F08A1-3F23-43CB-A0BE-5FC398CBAA1B@gmail.com>
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz>
	<061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org>
	<5120951F.8000303@bindshell.nl>
	<98657C44-5C16-42A8-9892-DFF8623491C9@goldmark.org>
	<CAEw2jfyq+Hdw+hk_UE3cYxvkTFjkuEkihfAH9goQx+9Qu+ohCw@mail.gmail.com>
	<BA5F08A1-3F23-43CB-A0BE-5FC398CBAA1B@gmail.com>
Date: Mon, 18 Feb 2013 09:38:09 +0100
Message-ID: <CAEw2jfyZ9=ATMhNw2vim75ZMKgs0L2koSaNbFrq5qPymGmghxA@mail.gmail.com>
From: Patrick Mylund Nielsen <patrick@patrickmylund.com>
To: Matthew Green <matthewdgreen@gmail.com>
Cc: "discussions@password-hashing.net" <discussions@password-hashing.net>
Content-Type: multipart/alternative; boundary=f46d041826aa0d138904d5fba5c5
X-Gm-Message-State: ALoCoQlkM36rTLqh8mTHLBxXsYE1lPtE1xCVDMzF9nOvXdlf3ZljKlLJoDN7T2mWjDTQmR0swCqU
Subject: Re: [PHC] Asymmetry [Was: Any "large verifiers" on the panel?]

--f46d041826aa0d138904d5fba5c5
Content-Type: text/plain; charset=UTF-8

> You can't do this stuff today because HSMs aren't up to it, and because
most browsers don't let you do the kind of crypto you want to do at login
time. I think 5-10 years from now things will have changed a bit.

I certainly hope so. I particularly wonder what the situation will be like
with popular virtualization providers, and whether the HSM interfaces will
be standard enough that you can leverage many different ones without
trouble/user configuration.

"Please keep in mind that SQL injection can be leveraged to do a lot more
than just dump the database. It can also be used to read artibrary files,
and in some cases, obtain a shell running in the context of the database or
webapp."

In the cases where an attacker is able to read files or system memory
(provided the database servers are also application servers) then indeed,
such a secret would be fairly useless. If they gain control of a database
server, you can probably assume that application servers too will be
compromised within long.

This was the best case of a (very) common attack that usually only
compromises the contents of the database, and thus where such a secret
would be highly practical today, that I could think of.


On Mon, Feb 18, 2013 at 3:00 AM, Matthew Green <matthewdgreen@gmail.com>wrote:

> From a practical perspective, I'm highly skeptical that most users would
> actually store such a secret differently/out of reach of an attacker. If
> you've compromised the server, you almost certainly have access to any
> secrets. Online attacks are problematic, but offline attacks are far worse.
> If a scheme can't offer a decent amount of protection for the digests of
> low-entropy passwords when they (and any secrets) are compromised, then it
> is not very good, IMHO. That's not to say that having the ability to
> leverage a HSM (if available) to make it even harder wouldn't be great
> feature, of course. I just think that will be rare.
>
>
> I think that HSMs are going to become increasingly common in this area. I
> also think we're going to see an increasing number of clever tricks to keep
> secrets out of the hands of a hacked server. We already have things SRP
> (not that I'm recommending it). I expect to also see simple end-to-end
> encryption of passwords, from browser to an HSM or equivalent system. But
> databases will continue to be the weak link.
>
> You can't do this stuff today because HSMs aren't up to it, and because
> most browsers don't let you do the kind of crypto you want to do at login
> time. I think 5-10 years from now things will have changed a bit.
>
> But I've been wrong before.
>
> Matt
>

--f46d041826aa0d138904d5fba5c5
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">&gt;=C2=A0<span style=3D"font-family:arial,sans-serif;font=
-size:13px">You can&#39;t do this stuff today because HSMs aren&#39;t up to=
 it, and because most browsers don&#39;t let you do the kind of crypto you =
want to do at login time. I think 5-10 years from now things will have chan=
ged a bit.</span><div>
<span style=3D"font-family:arial,sans-serif;font-size:13px"><br></span></di=
v><div style><span style=3D"font-family:arial,sans-serif;font-size:13px">I =
certainly hope so. I particularly wonder what the situation will be like wi=
th popular virtualization providers, and whether the HSM interfaces will be=
 standard enough that you can leverage many different ones without trouble/=
user configuration.</span></div>
<div style><span style=3D"font-family:arial,sans-serif;font-size:13px"><br>=
</span></div><div style><span style=3D"font-family:arial,sans-serif;font-si=
ze:13px">&quot;</span><font face=3D"arial, sans-serif">Please keep in mind =
that SQL injection can be leveraged to do a lot more than just dump the dat=
abase. It can also be used to read artibrary files, and in some cases, obta=
in a shell running in the context of the database or webapp.&quot;</font></=
div>
<div style><font face=3D"arial, sans-serif"><br></font></div><div style><fo=
nt face=3D"arial, sans-serif">In the cases where an attacker is able to rea=
d files or system memory (provided the database servers are also applicatio=
n servers) then indeed, such a secret would be fairly useless. If they gain=
 control of a database server, you can probably assume that application ser=
vers too will be compromised within long.</font></div>
<div style><font face=3D"arial, sans-serif"><br></font></div><div style><fo=
nt face=3D"arial, sans-serif">This was the best case of a (very) common att=
ack that usually only compromises the contents of the database, and thus wh=
ere such a secret would be highly practical today, that I could think of.</=
font></div>
</div><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On Mon,=
 Feb 18, 2013 at 3:00 AM, Matthew Green <span dir=3D"ltr">&lt;<a href=3D"ma=
ilto:matthewdgreen@gmail.com" target=3D"_blank">matthewdgreen@gmail.com</a>=
&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><div style=3D"word-wrap:break-word"><div><di=
v class=3D"im"><blockquote type=3D"cite"><span style=3D"font-family:Helveti=
ca;font-size:medium;font-style:normal;font-variant:normal;font-weight:norma=
l;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-ind=
ent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inl=
ine!important;float:none">From a practical perspective, I&#39;m highly skep=
tical that most users would actually store such a secret differently/out of=
 reach of an attacker. If you&#39;ve compromised the server, you almost cer=
tainly have access to any secrets.=C2=A0Online attacks are problematic, but=
 offline attacks are far worse. If a scheme can&#39;t offer a decent amount=
 of protection for the digests of low-entropy passwords when they (and any =
secrets) are compromised, then it is not very good, IMHO.=C2=A0That&#39;s n=
ot to say that having the ability to leverage a HSM (if available) to make =
it even harder wouldn&#39;t be great feature, of course. I just think that =
will be rare.</span></blockquote>
<div><br></div></div><div>I think that HSMs are going to become increasingl=
y common in this area. I also think we&#39;re going to see an increasing nu=
mber of clever tricks to keep secrets out of the hands of a hacked server. =
We already have things SRP (not that I&#39;m recommending it). I expect to =
also see simple end-to-end encryption of passwords, from browser to an HSM =
or equivalent system. But databases will continue to be the weak link.</div=
>
<div><br></div><div>You can&#39;t do this stuff today because HSMs aren&#39=
;t up to it, and because most browsers don&#39;t let you do the kind of cry=
pto you want to do at login time. I think 5-10 years from now things will h=
ave changed a bit.</div>
<div>=C2=A0</div><div>But I&#39;ve been wrong before.</div><div><br></div><=
div>Matt</div></div></div></blockquote></div><br></div>

--f46d041826aa0d138904d5fba5c5--

From bugbee@mac.com  Lun fÃ©v 18 08:48:25 2013 +0000
Return-Path: <bugbee@mac.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 19339 invoked by uid 89); 18 Feb 2013 08:48:25 -0000
Received: by simscan 1.4.0 ppid: 19333, pid: 19335, t: 0.3743s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: **
X-Spam-Status: No, score=2.0 required=4.0 tests=AWL,HTML_MESSAGE,RDNS_NONE
	autolearn=no version=3.2.5
Received: from unknown (HELO nk11p00mm-asmtp006.mac.com) (17.158.161.5)
  by qmailtoaster.cryptyx.com with SMTP; 18 Feb 2013 08:48:24 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at mac.com designates 17.158.161.5 as permitted sender)
Received: from [192.168.1.100] ([76.104.203.117]) by nk11p00mm-asmtp006.mac.com
 (Oracle Communications Messaging Server 7u4-26.01(7.0.4.26.0) 64bit (built Jul
 13 2012)) with ESMTPSA id <0MIE001CRR4M5310@nk11p00mm-asmtp006.mac.com> for
 discussions@password-hashing.net; Mon, 18 Feb 2013 08:48:23 +0000 (GMT)
X-Proofpoint-Virus-Version: vendor=fsecure
 engine=2.50.10432:5.9.8327,1.0.431,0.0.0000
 definitions=2013-02-18_01:2013-02-15,2013-02-18,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0
 ipscore=0 suspectscore=1 phishscore=0 bulkscore=0 adultscore=0 classifier=spam
 adjust=0 reason=mlx scancount=1 engine=6.0.2-1203120001
 definitions=main-1302180014
MIME-version: 1.0 (Apple Message framework v1085)
Content-type: multipart/alternative; boundary=Apple-Mail-15-618013148
From: Larry Bugbee <bugbee@mac.com>
In-reply-to:
 <CAGiyFdcNp9mW+tE29x+K+dNyDG-tviexb5ZYF=_iPNjR0ARicw@mail.gmail.com>
Date: Mon, 18 Feb 2013 00:48:22 -0800
Message-id: <670E9FEA-DF6E-4AE7-B830-FD6D026EFE07@mac.com>
References: <87halaides.fsf@wolfjaw.dfranke.us>
 <CAGiyFdcNp9mW+tE29x+K+dNyDG-tviexb5ZYF=_iPNjR0ARicw@mail.gmail.com>
To: discussions@password-hashing.net
X-Mailer: Apple Mail (2.1085)
Subject: Re: [PHC] Archives


--Apple-Mail-15-618013148
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Not everybody will be monitoring all channels of communication.  Having =
too many channels will pretty much guarantee some important =
conversations will not get shared.  Is that what you want?


-----------------------------------------------------------
On Feb 17, 2013, at 10:47 PM, Jean-Philippe Aumasson wrote:

> The first two are planned ;-)
>=20
> Noticed the #phc collisions; #pwdhc is a good alternative. Any =
other/better idea? (will then mention it on the website under =
Interaction).
>=20
> On Feb 18, 2013 3:06 AM, "Daniel Franke" <dfoxfranke@gmail.com> wrote:
> I think that all of the following would be good to have available in
> order to make sure that none of our discussion gets lost:
>=20
> 1. A mailing list archive.
>=20
> 2. An IRC chat log.
>=20
> 3. An agreed-upon Twitter hashtag. #phc has too many collisions so I
> suggest #pwdhc.


--Apple-Mail-15-618013148
Content-Transfer-Encoding: 7bit
Content-Type: text/html;
	charset=us-ascii

<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Not everybody will be monitoring all channels&nbsp;of communication. &nbsp;Having&nbsp;too&nbsp;many channels will pretty much guarantee some important conversations will not get shared. &nbsp;Is that what you want?</div><div><br></div><div><br></div><div><div>-----------------------------------------------------------<br><div></div></div></div><div><div>On Feb 17, 2013, at 10:47 PM, Jean-Philippe Aumasson wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><p>The first two are planned ;-)</p><p>Noticed the #phc collisions; #pwdhc is a good alternative. Any other/better idea? (will then mention it on the website under Interaction).</p>
<div class="gmail_quote">On Feb 18, 2013 3:06 AM, "Daniel Franke" &lt;<a href="mailto:dfoxfranke@gmail.com">dfoxfranke@gmail.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; position: static; z-index: auto; ">
I think that all of the following would be good to have available in<br>
order to make sure that none of our discussion gets lost:<br>
<br>
1. A mailing list archive.<br>
<br>
2. An IRC chat log.<br>
<br>
3. An agreed-upon Twitter hashtag. #phc has too many collisions so I<br>
suggest #pwdhc.<br>
</blockquote></div>
</blockquote></div><br></body></html>
--Apple-Mail-15-618013148--

From patrick@patrickmn.com  Lun fÃ©v 18 08:54:03 2013 +0000
Return-Path: <patrick@patrickmn.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 19716 invoked by uid 89); 18 Feb 2013 08:54:02 -0000
Received: by simscan 1.4.0 ppid: 19710, pid: 19712, t: 0.2789s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=HTML_MESSAGE,RDNS_NONE
	autolearn=no version=3.2.5
Received: from unknown (HELO mail-wg0-f42.google.com) (74.125.82.42)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 18 Feb 2013 08:54:02 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 74.125.82.42 as permitted sender)
Received: by mail-wg0-f42.google.com with SMTP id 12so2503695wgh.5
        for <discussions@password-hashing.net>; Mon, 18 Feb 2013 00:54:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=patrickmylund.com; s=pmylund;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:cc:content-type;
        bh=EioQ8j++aSWqw2BXf3+KzkQx6hruXZHtprchCixnAkw=;
        b=fEpRJwx5zEcb4v4A0WvvdjzshrKo2d2AL6JCKj/t8LIU2S9jpiFE/u1/ozIRfQj0g/
         jg6PBLwBxHsK75mgl0szyAcpVIlnLRJ4dj6PwyYuCsc+P2oNgrWOpoGQu/PPaGvDJCp+
         56K6dXGtJqzliqaKUv1mtLqBB/HgVd0UXZjC8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:cc:content-type:x-gm-message-state;
        bh=EioQ8j++aSWqw2BXf3+KzkQx6hruXZHtprchCixnAkw=;
        b=G2zWYIiFnNHbNfplHb6wV1rkM4wii7Uoo21W1QRqUxHfwakbP1a+cPPGfR0yu7R5bx
         tx8GtOhRyJrMYRGn6844+ynJAYXJYtHyAUNBnhhmWBzE2YbfM6LW2AJR73HORf/FvdAr
         6N1IP0kD+7DR5g6rcDUemgBaFBVmzLOfhEY2MROYLeltxkDhpmql8KJKQN9qL6rCTHEG
         hqIt7jfnBSn5xSG6t9WhbKu/sHbqnDtxEfntsWEXOGf8pOyFhmY0h/bVo6M9gJNdFMmd
         uGybjAPRsRZEcz1cuS9BXZNRPy5Cp34rQR4+8WBA6Chf6W1F9NcKnQFQktqKRd45Nfhc
         DS/A==
MIME-Version: 1.0
X-Received: by 10.194.121.38 with SMTP id lh6mr16831631wjb.27.1361177641894;
 Mon, 18 Feb 2013 00:54:01 -0800 (PST)
Received: by 10.194.35.196 with HTTP; Mon, 18 Feb 2013 00:54:01 -0800 (PST)
X-Originating-IP: [85.224.171.72]
In-Reply-To: <87txpaii2q.fsf@wolfjaw.dfranke.us>
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz>
	<061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org>
	<5120951F.8000303@bindshell.nl>
	<87txpaii2q.fsf@wolfjaw.dfranke.us>
Date: Mon, 18 Feb 2013 09:54:01 +0100
Message-ID: <CAEw2jfz3CG9VLpV--cyzTAvF854qG-CZ9PX02LeB5-1X2JV=tQ@mail.gmail.com>
From: Patrick Mylund Nielsen <patrick@patrickmylund.com>
To: Daniel Franke <dfoxfranke@gmail.com>
Cc: Jeremi Gosney <epixoip@bindshell.nl>, 
	"discussions@password-hashing.net" <discussions@password-hashing.net>
Content-Type: multipart/alternative; boundary=089e01177917d244a504d5fbdd08
X-Gm-Message-State: ALoCoQkVVWolSeqvUPDK7oMK+fmK4tK6Shnx+d9exIIVA7YPiVom070ipZjDnoP14/+beC3D2BWz
Subject: Re: [PHC] Any "large verifiers" on the panel?

--089e01177917d244a504d5fbdd08
Content-Type: text/plain; charset=UTF-8

Except this is not what happens today. The vast majority of authentication
systems establish sessions that are kept alive for long periods of time.
and so simply gathering a large amount of credentials in a short period of
time by sniffing the wire (assuming that you can actually get to this
point, which is significantly harder than simply dumping a table from the
database) is actually quite a difficult and lengthy task. Assuming you
don't get detected during this time, it would still take a very long time
for every user to re-authenticate.

What does happen, and what absolutely hurts the most, is when somebody gets
a hold of your entire database of (weak) digests and cracks them on their
own or dumps them in a pastebin, e.g. without the usernames. The PHC
schemes, IMHO, really need to be resistant to this. We _already have_
effective ways to resist online attacks--exponential backoff, bans, even
captchas...

To give an example: Blizzard Entertainment got a huge level of flak from
the tech, and even the crypto, communities for using SRP when their
verifiers were compromised, as people realized that SRP protects against
MITM attacks, not offline attacks:
http://arstechnica.com/security/2012/08/hacked-blizzard-passwords-not-hard-to-crack/

IMHO, it is a more useful exercise to think about leveraging clients, e.g.
for key derivation, than more secrets on the server side. The servers will
be compromised.


On Mon, Feb 18, 2013 at 1:25 AM, Daniel Franke <dfoxfranke@gmail.com> wrote:

> Jeremi Gosney <epixoip@bindshell.nl> writes:
>
> > You have to assume that if the passwords are compromised, the
> > encryption key is as well.
>
> I'm with all those who say that we shouldn't be granting this
> assumption. An adversary who has completely compromised a web server
> doesn't have to bother cracking password hashes at all. He can just
> capture unhashed passwords as they arrive over the wire. If we aren't
> completely wasting our time having this competition, then we should
> absolutely be thinking about what constitutes a realistic model of
> common partial-compromise scenarios, and what features we can add to a
> password-hashing scheme in order to make it more secure in that model.
>
> P.S.: A couple people in this thread have been referencing a message
> from Peter Gutmann which doesn't seem to have made it to my inbox. Was
> that message sent to this list?
>

--089e01177917d244a504d5fbdd08
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Except this is not what happens today. The vast majority o=
f authentication systems establish sessions that are kept alive for long pe=
riods of time. and so simply gathering a large amount of credentials in a s=
hort period of time by sniffing the wire (assuming that you can actually ge=
t to this point, which is significantly harder than simply dumping a table =
from the database) is actually quite a difficult and lengthy task. Assuming=
 you don&#39;t get detected during this time, it would still take a very lo=
ng time for every user to re-authenticate.<div>
<br></div><div>What does happen, and what absolutely hurts the most, is whe=
n somebody gets a hold of your entire database of (weak) digests and cracks=
 them on their own or dumps them in a pastebin, e.g. without the usernames.=
 The PHC schemes, IMHO, really need to be resistant to this. We _already ha=
ve_ effective ways to resist online attacks--exponential backoff, bans, eve=
n captchas...</div>
<div><br></div><div style>To give an example: Blizzard Entertainment got a =
huge level of flak from the tech, and even the crypto, communities for usin=
g SRP when their verifiers were compromised, as people realized that SRP pr=
otects against MITM attacks, not offline attacks:=C2=A0<a href=3D"http://ar=
stechnica.com/security/2012/08/hacked-blizzard-passwords-not-hard-to-crack/=
">http://arstechnica.com/security/2012/08/hacked-blizzard-passwords-not-har=
d-to-crack/</a></div>
<div style><br></div><div style>IMHO, it is a more useful exercise to think=
 about leveraging clients, e.g. for key derivation, than more secrets on th=
e server side. The servers will be compromised.</div></div><div class=3D"gm=
ail_extra">
<br><br><div class=3D"gmail_quote">On Mon, Feb 18, 2013 at 1:25 AM, Daniel =
Franke <span dir=3D"ltr">&lt;<a href=3D"mailto:dfoxfranke@gmail.com" target=
=3D"_blank">dfoxfranke@gmail.com</a>&gt;</span> wrote:<br><blockquote class=
=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padd=
ing-left:1ex">
<div class=3D"im">Jeremi Gosney &lt;<a href=3D"mailto:epixoip@bindshell.nl"=
>epixoip@bindshell.nl</a>&gt; writes:<br>
<br>
&gt; You have to assume that if the passwords are compromised, the<br>
&gt; encryption key is as well.<br>
<br>
</div>I&#39;m with all those who say that we shouldn&#39;t be granting this=
<br>
assumption. An adversary who has completely compromised a web server<br>
doesn&#39;t have to bother cracking password hashes at all. He can just<br>
capture unhashed passwords as they arrive over the wire. If we aren&#39;t<b=
r>
completely wasting our time having this competition, then we should<br>
absolutely be thinking about what constitutes a realistic model of<br>
common partial-compromise scenarios, and what features we can add to a<br>
password-hashing scheme in order to make it more secure in that model.<br>
<br>
P.S.: A couple people in this thread have been referencing a message<br>
from Peter Gutmann which doesn&#39;t seem to have made it to my inbox. Was<=
br>
that message sent to this list?<br>
</blockquote></div><br></div>

--089e01177917d244a504d5fbdd08--

From ark@cs.rit.edu  Lun fÃ©v 18 15:20:40 2013 +0000
Return-Path: <ark@cs.rit.edu>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 16245 invoked by uid 89); 18 Feb 2013 15:20:39 -0000
Received: by simscan 1.4.0 ppid: 16234, pid: 16241, t: 1.4278s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: *
X-Spam-Status: No, score=1.9 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO pony-express.cs.rit.edu) (129.21.30.24)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 18 Feb 2013 15:20:37 -0000
Received-SPF: none (qmailtoaster.cryptyx.com: domain at cs.rit.edu does not designate permitted sender hosts)
Received: (qmail 9621 invoked by uid 56003); 18 Feb 2013 15:20:36 -0000
Received: from 129.21.36.199 by pony-express (envelope-from <ark@cs.rit.edu>, uid 20003) with qmail-scanner-1.25st 
 (spamassassin: 3.3.1. perlscan: 1.25st.  
 Clear:RC:1(129.21.36.199):SA:0(-1.0/5.0):. 
 Processed in 0.146493 secs); 18 Feb 2013 15:20:36 -0000
Received: from clairaut.cs.rit.edu (HELO ?129.21.36.199?) (ark@129.21.36.199)
  by mailhost.cs.rit.edu with ESMTPA; 18 Feb 2013 15:20:35 -0000
Message-ID: <512246C3.1030203@cs.rit.edu>
Date: Mon, 18 Feb 2013 10:20:35 -0500
From: Alan Kaminsky <ark@cs.rit.edu>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130106 Thunderbird/17.0.2
MIME-Version: 1.0
To: discussions@password-hashing.net
References: <87halaides.fsf@wolfjaw.dfranke.us> <CAGiyFdcNp9mW+tE29x+K+dNyDG-tviexb5ZYF=_iPNjR0ARicw@mail.gmail.com> <670E9FEA-DF6E-4AE7-B830-FD6D026EFE07@mac.com>
In-Reply-To: <670E9FEA-DF6E-4AE7-B830-FD6D026EFE07@mac.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHC] Archives

On 02/18/2013 03:48 AM, Larry Bugbee wrote:
> Not everybody will be monitoring all channels of communication.  Having too many channels will pretty much guarantee some important conversations will not get shared.  Is that what you want?

I second that. I do not use Twitter and I do not monitor IRC. The only 
discussion I will see or participate in is this mailing list. I think a lot of 
people from the academic side would say the same.

-- 
-Alan Kaminsky
  Professor
  Department of Computer Science
  B. Thomas Golisano College of Computing and Information Sciences
  Rochester Institute of Technology

From dennis.hamilton@acm.org  Lun fÃ©v 18 18:46:13 2013 +0000
Return-Path: <dennis.hamilton@acm.org>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 29766 invoked by uid 89); 18 Feb 2013 18:46:12 -0000
Received: by simscan 1.4.0 ppid: 29760, pid: 29762, t: 0.2814s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.7 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO a2s42.a2hosting.com) (216.119.133.2)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 18 Feb 2013 18:46:12 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks3.google.com designates 216.119.133.2 as permitted sender)
Received: from 97-126-118-69.tukw.qwest.net ([97.126.118.69]:33046 helo=Astraendo)
	by a2s42.a2hosting.com with esmtpa (Exim 4.80)
	(envelope-from <dennis.hamilton@acm.org>)
	id 1U7Vj8-004MMM-Q9
	for discussions@password-hashing.net; Mon, 18 Feb 2013 13:46:11 -0500
From: "Dennis E. Hamilton" <dennis.hamilton@acm.org>
To: <discussions@password-hashing.net>
Date: Mon, 18 Feb 2013 10:46:09 -0800
Organization: NuovoDoc
Message-ID: <003301ce0e08$384a1730$a8de4590$@acm.org>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: Ac4OB3Ime29TkKhASumWY456MvPbtA==
Content-Language: en-us
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - a2s42.a2hosting.com
X-AntiAbuse: Original Domain - password-hashing.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - acm.org
X-Get-Message-Sender-Via: a2s42.a2hosting.com: authenticated_id: himself+orcmid.com/only user confirmed/virtual account not confirmed
Subject: Q: int return from PHS()

Reference implementations for submissions are requested to provide an API
having signature int PHS( ...)

What are the prescribed return values and their significance?

 - Dennis

PS: Sorry if this has been asked.  I haven't found the list archive yet.


From sneves@dei.uc.pt  Lun fÃ©v 18 19:00:49 2013 +0000
Return-Path: <sneves@dei.uc.pt>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 30677 invoked by uid 89); 18 Feb 2013 19:00:49 -0000
Received: by simscan 1.4.0 ppid: 30670, pid: 30672, t: 0.4651s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO smtp.dei.uc.pt) (193.137.203.253)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 18 Feb 2013 19:00:48 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at dei.uc.pt designates 193.137.203.253 as permitted sender)
Received: from [192.168.1.71] (bl16-64-107.dsl.telepac.pt [188.81.64.107])
	(authenticated bits=0)
	by smtp.dei.uc.pt (8.14.4/8.14.4) with ESMTP id r1IJ0YLA006969
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <discussions@password-hashing.net>; Mon, 18 Feb 2013 19:00:40 GMT
Message-ID: <51227A51.7090602@dei.uc.pt>
Date: Mon, 18 Feb 2013 19:00:33 +0000
From: Samuel Neves <sneves@dei.uc.pt>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: discussions@password-hashing.net
References: <003301ce0e08$384a1730$a8de4590$@acm.org>
In-Reply-To: <003301ce0e08$384a1730$a8de4590$@acm.org>
X-Enigmail-Version: 1.5
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-FCTUC-DEI-SIC-MailScanner-Information: Please contact helpdesk@dei.uc.pt for more information
X-FCTUC-DEI-SIC-MailScanner-ID: r1IJ0YLA006969
X-FCTUC-DEI-SIC-MailScanner: Found to be clean
X-FCTUC-DEI-SIC-MailScanner-SpamCheck: not spam (whitelisted),
	SpamAssassin (not cached, score=-51.25, required 3.252,
	autolearn=not spam, ALL_TRUSTED -1.00, BAYES_00 -0.25,
	L_SMTP_AUTH -50.00)
X-FCTUC-DEI-SIC-MailScanner-From: sneves@dei.uc.pt
Subject: Re: [PHC] Q: int return from PHS()

On 18-02-2013 18:46, Dennis E. Hamilton wrote:
> Reference implementations for submissions are requested to provide an API
> having signature int PHS( ...)
>
> What are the prescribed return values and their significance?
>
>  - Dennis
>
> PS: Sorry if this has been asked.  I haven't found the list archive yet.
>
It has not been asked.

In typical C fashion, return value should be 0 for success, and
otherwise for any error that may occur during computation. Error codes,
if any, should be up to implementors, since sources of error may wildly
vary between schemes/implementations.

From dennis.hamilton@acm.org  Lun fÃ©v 18 19:23:19 2013 +0000
Return-Path: <dennis.hamilton@acm.org>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 31943 invoked by uid 89); 18 Feb 2013 19:23:19 -0000
Received: by simscan 1.4.0 ppid: 31937, pid: 31939, t: 0.2945s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.5 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO a2s42.a2hosting.com) (216.119.133.2)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 18 Feb 2013 19:23:19 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks3.google.com designates 216.119.133.2 as permitted sender)
Received: from 97-126-118-69.tukw.qwest.net ([97.126.118.69]:33363 helo=Astraendo)
	by a2s42.a2hosting.com with esmtpa (Exim 4.80)
	(envelope-from <dennis.hamilton@acm.org>)
	id 1U7WJ3-000XbW-Qk
	for discussions@password-hashing.net; Mon, 18 Feb 2013 14:23:18 -0500
From: "Dennis E. Hamilton" <dennis.hamilton@acm.org>
To: <discussions@password-hashing.net>
Date: Mon, 18 Feb 2013 11:23:16 -0800
Organization: NuovoDoc
Message-ID: <003601ce0e0d$67ad08c0$37071a40$@acm.org>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: Ac4ODUYJLxL/dR2hToCYEWERHkax0w==
Content-Language: en-us
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - a2s42.a2hosting.com
X-AntiAbuse: Original Domain - password-hashing.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - acm.org
X-Get-Message-Sender-Via: a2s42.a2hosting.com: authenticated_id: himself+orcmid.com/only user confirmed/virtual account not confirmed
Subject: Q: Reference t_cost and m_cost parameters

For the candidate reference-implementation API, the t_cost and m_cost
parameters are apparently unitless values related to time cost and space
(memory cost).

Is there some standard definition for these, so that one can substitute
implementations but not need to know the implementation to know the
consequences?  

Or is it presumed that a candidate specify how these are interpreted and
once a particular function is "standardized" as *the* PHS, the
interpretation of the parameters will be fixed?  

By fixed I mean that the salt and the cost parameters would be either stored
or otherwise preserved between creation of a hash and recomputation of the
hash for authentication of a password.  

I am thinking of the case where the authentication may be done by different
systems than the one that originally derived the hash, as when using
password-based encryption of documents in an interchange situation or in a
long-lived personal archive, longer-lived than the computer used to create
the password hash originally.  In this case it may be necessary to
communicate the salt and the cost parameters along with the derived hash
value.

 - Dennis




From dfoxfranke@gmail.com  Lun fÃ©v 18 20:20:22 2013 +0000
Return-Path: <dfoxfranke@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 2676 invoked by uid 89); 18 Feb 2013 20:20:22 -0000
Received: by simscan 1.4.0 ppid: 2669, pid: 2671, t: 0.4094s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.6 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-vb0-f44.google.com) (209.85.212.44)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 18 Feb 2013 20:20:21 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.212.44 as permitted sender)
Received: by mail-vb0-f44.google.com with SMTP id fr13so3802683vbb.17
        for <discussions@password-hashing.net>; Mon, 18 Feb 2013 12:20:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:from:to:cc:subject:references:date:in-reply-to
         :message-id:user-agent:mime-version:content-type;
        bh=wBfoa46QIn5UnCiKamzBjd7ihCKzURhcU6Y8eCa1dv0=;
        b=taJECH+Cb5PxMZpBVrU+dADVLe8ElxoemEC1W/+zZvpwhFo2J1q+zjeu5abax1/JmA
         zGhrvddCTU6C1gGBcZPBoBtKhbVk2Wiv3YOoQ+n8XvKpyx2GoTlsawdNs7Jkeg6PDQbc
         G03326k/cnAZ3e8CJHh45zNKbL1p3+IxT/1jxw2cCN23ObF2wV6+A+1vgqCWzhLH9lCU
         Xpjn+rfZ6acn2IVeJqlj+XXkzE/pc28yo0oRT4TWdvM5pfkN+K1qAoM9HS/DIRiMAz47
         oBe/5iWycVjiSpQfTUnYcIxKQtHXAmzRxgHb9Lv3sRSW93lqKltUEBOFRwhkPtufDfgb
         3lwg==
X-Received: by 10.220.156.10 with SMTP id u10mr17360358vcw.28.1361218820441;
        Mon, 18 Feb 2013 12:20:20 -0800 (PST)
Received: from wolfjaw.dfranke.us (wolfjaw.dfranke.us. [2600:3c03:e001:1200:225:90ff:fe81:d4a0])
        by mx.google.com with ESMTPS id p7sm87636428vdt.2.2013.02.18.12.20.18
        (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
        Mon, 18 Feb 2013 12:20:19 -0800 (PST)
From: Daniel Franke <dfoxfranke@gmail.com>
To: Jeremi Gosney <epixoip@bindshell.nl>
Cc: discussions@password-hashing.net
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz>
	<061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org>
	<5120951F.8000303@bindshell.nl> <87txpaii2q.fsf@wolfjaw.dfranke.us>
	<5121A295.2030601@bindshell.nl> <87d2vyi70f.fsf@wolfjaw.dfranke.us>
	<5121B661.3060208@bindshell.nl>
Date: Mon, 18 Feb 2013 15:20:16 -0500
In-Reply-To: <5121B661.3060208@bindshell.nl> (Jeremi Gosney's message of "Sun,
	17 Feb 2013 21:04:33 -0800")
Message-ID: <878v6lidbz.fsf@wolfjaw.dfranke.us>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Subject: Re: [PHC] Any "large verifiers" on the panel?

Jeremi Gosney <epixoip@bindshell.nl> writes:
> On 2/17/2013 8:24 PM, Daniel Franke wrote:
>> If the attacker can obtain a shell under the same uid as the webapp
>> process and go undetected for a while, then he can ptrace the webapp and
>> see the passwords as they're being passed into the hashing function.
>
> It does not work this way anymore. At least not on modern Linux
> distributions that enable the Yama LSM, which I'm pretty sure all
> distributers started doing ~ 3 years back.

No version of vanilla Debian enables YAMA. Precise, which is less than a
year old, was the first Ubuntu LTS release to do so. I have no idea
about any of the RedHat derivatives.

My personal opinion is that ptrace restriction is a good feature to have
available, but a bad one to turn on by default, because it breaks things
that POSIX says should work. It's basically useless on desktop systems,
and having it enabled on mine would annoy the hell out of me, because
attaching gdb to a running process that's misbehaving is something I do
quite regularly.

In reply to your IRC comments:

> 03:10 <@epixoip> i think all this talk about using reversible encryption and shared secrets is just plain silly, though
> 03:10 <@epixoip> surely one can come up with a solid algorithm that doesn't rely on the user keeping secrets a secret, because that just won't happen

I am not making any argument at this point, about whether symmetric
secrets, trapdoor functions, etc. are useful or not.  I have no ideas in
mind for any scheme that incorporates them, but neither am I committed
to any threat model in which I can prove that no such scheme exists. My
thesis at this stage is simply that deciding on an appropriate threat
model, and justifying that decision through something better than
"inside-out" reasoning (thank you, Peter -- I'm going to be using that
term regularly from now on), should be a goal of this competition.

From dfoxfranke@gmail.com  Lun fÃ©v 18 20:40:32 2013 +0000
Return-Path: <dfoxfranke@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 3637 invoked by uid 89); 18 Feb 2013 20:40:31 -0000
Received: by simscan 1.4.0 ppid: 3627, pid: 3630, t: 0.2914s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.6 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-vb0-f53.google.com) (209.85.212.53)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 18 Feb 2013 20:40:31 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.212.53 as permitted sender)
Received: by mail-vb0-f53.google.com with SMTP id fj18so3728162vbb.26
        for <discussions@password-hashing.net>; Mon, 18 Feb 2013 12:40:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:from:to:subject:references:date:in-reply-to:message-id
         :user-agent:mime-version:content-type;
        bh=3FbqqFf78qktnYIDFX6CeeWfGiBfPa9rFXur4KpM5KM=;
        b=rnDmQJPK6onWzRfAUuk6zLmFf8E9E1Y56RtPVPPp/u/ewJOMYX8qiRnyzIb0yRDqT+
         IJ5Ojvd6M0TEHg3aGKPd8Ykyn5pG2/zLVs58PPU1GXAOXyiJK/Q2pefp129H1EtTc5xu
         UlXUwRFMXMIMC/KGz5I/boPryjv2G4dXJ0a3pC5JMNaAWY1IUUEcP6rTy6L8a3KIxXNY
         X3/qz4m8cqC6cZAiXalYsoufxXKaOoS9TfgFH3z3OxTKag9fZ10Y3UCqILFw9rB4N7Xh
         nB1a0k6jTh9kvs+87q2JpuYDIkSow/TUv29WnWNIGMVEA3yYwmQulHkdWOJiNFern3hk
         9Ycw==
X-Received: by 10.52.88.237 with SMTP id bj13mr15195912vdb.75.1361220029804;
        Mon, 18 Feb 2013 12:40:29 -0800 (PST)
Received: from wolfjaw.dfranke.us (wolfjaw.dfranke.us. [2600:3c03:e001:1200:225:90ff:fe81:d4a0])
        by mx.google.com with ESMTPS id qj8sm97664644veb.2.2013.02.18.12.40.28
        (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
        Mon, 18 Feb 2013 12:40:28 -0800 (PST)
From: Daniel Franke <dfoxfranke@gmail.com>
To: discussions@password-hashing.net
References: <87halaides.fsf@wolfjaw.dfranke.us>
	<CAGiyFdcNp9mW+tE29x+K+dNyDG-tviexb5ZYF=_iPNjR0ARicw@mail.gmail.com>
	<670E9FEA-DF6E-4AE7-B830-FD6D026EFE07@mac.com>
	<512246C3.1030203@cs.rit.edu>
Date: Mon, 18 Feb 2013 15:40:27 -0500
In-Reply-To: <512246C3.1030203@cs.rit.edu> (Alan Kaminsky's message of "Mon,
	18 Feb 2013 10:20:35 -0500")
Message-ID: <874nh9icec.fsf@wolfjaw.dfranke.us>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Subject: Re: [PHC] Archives

Alan Kaminsky <ark@cs.rit.edu> writes:

> On 02/18/2013 03:48 AM, Larry Bugbee wrote:
>> Not everybody will be monitoring all channels of communication.
>> Having too many channels will pretty much guarantee some important
>> conversations will not get shared.  Is that what you want?
>
> I second that. I do not use Twitter and I do not monitor IRC. The only
> discussion I will see or participate in is this mailing list. I think
> a lot of people from the academic side would say the same.

I think it's a matter of general netiquette that if you have something
to say [about an open source project, IETF document, etc.] that's of
enough substance that it should be preserved for posterity, then you
should say it on an archived mailing list. However, people *will*
violate this rule no matter what they're told, so we should do what we
can to be robust against those violations.

From steve@tobtu.com  Lun fÃ©v 18 20:40:33 2013 +0000
Return-Path: <steve@tobtu.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 3651 invoked by uid 89); 18 Feb 2013 20:40:32 -0000
Received: by simscan 1.4.0 ppid: 3631, pid: 3641, t: 0.5488s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.2 required=4.0 tests=AWL,HTML_MESSAGE,RDNS_NONE
	autolearn=no version=3.2.5
Received: from unknown (HELO mout.perfora.net) (74.208.4.194)
  by qmailtoaster.cryptyx.com with SMTP; 18 Feb 2013 20:40:32 -0000
Received-SPF: none (qmailtoaster.cryptyx.com: domain at tobtu.com does not designate permitted sender hosts)
Received: from oxuslxltgw06.lxa.perfora.net (oxuslxltgw06.lxa.perfora.net [172.19.206.8])
	by mrelay.perfora.net (node=mrus4) with ESMTP (Nemesis)
	id 0MO6zE-1UD1gX3KFw-005iIT; Mon, 18 Feb 2013 15:40:29 -0500
Date: Mon, 18 Feb 2013 14:40:29 -0600 (CST)
From: Steve Thomas <steve@tobtu.com>
To: discussions@password-hashing.net
Message-ID: <467242033.24953.1361220029545.open-xchange@email.1and1.com>
In-Reply-To: <51227A51.7090602@dei.uc.pt>
References: <003301ce0e08$384a1730$a8de4590$@acm.org> <51227A51.7090602@dei.uc.pt>
MIME-Version: 1.0
Content-Type: multipart/alternative; 
	boundary="----=_Part_24952_775927948.1361220029500"
X-Priority: 3
Importance: Medium
X-Mailer: Open-Xchange Mailer v6.22.1-Rev11
X-Provags-ID: V02:K0:lfE3eY1RsXJwE4BsN4vw2cSGb0Cm7lVp1vYep3jZI4l
 HuGu7mvAL6E04X3h0bFtpZs5YUhDMpI2f0bH9Qs+bTiEhZOFwJ
 jg7BppL2g9d7poIEXWrUi5pfxXq297rHKWgHf7uPNYdOKFfOYv
 no/f8AFV+zIVNrgECaz9T61DVEvhw2xVs9hRdht6uhAqL/JLb3
 +8PW97niqTBWow38mQMmMR3F1B7IhTqUFOFu0rsuhO8KFcvo73
 vHDbvfTxeU59dRQdYNQHTgklEtTfQzErO+pCkhT+SRxPSfg+2R
 9xB6ElWPHTWObt6BcHdcJWfeQ3Un0ucAy+/77i+aOoLUJMZL/W
 NiPpwdMNlBYMweIzdrWOTRVqTJsIO1Ji8GWUjxmHZ4Yu6eMW+m
 +rgaUheyyQptFqg1l0NTGqBb8CJLtYgf9s=
Subject: Re: [PHC] Q: int return from PHS()

------=_Part_24952_775927948.1361220029500
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

> On February 18, 2013 at 1:00 PM Samuel Neves <sneves@dei.uc.pt> wrote:
>
>
> On 18-02-2013 18:46, Dennis E. Hamilton wrote:
> > Reference implementations for submissions are requested to provide an API
> > having signature int PHS( ...)
> >
> > What are the prescribed return values and their significance?
> >
> > - Dennis
> >
> > PS: Sorry if this has been asked. I haven't found the list archive yet.
> >
> It has not been asked.
>
> In typical C fashion, return value should be 0 for success, and
> otherwise for any error that may occur during computation. Error codes,
> if any, should be up to implementors, since sources of error may wildly
> vary between schemes/implementations.

I was under the impression that the return value was the amount of data copied
to the output buffer.
------=_Part_24952_775927948.1361220029500
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"/>
 </head><body style="">
 
 
  <div>
   &#62; On February 18, 2013 at 1:00 PM Samuel Neves &#60;sneves@dei.uc.pt&#62; wrote:
   <br/>&#62; 
   <br/>&#62; 
   <br/>&#62; On 18-02-2013 18:46, Dennis E. Hamilton wrote:
   <br/>&#62; &#62; Reference implementations for submissions are requested to provide an API
   <br/>&#62; &#62; having signature int PHS( ...)
   <br/>&#62; &#62;
   <br/>&#62; &#62; What are the prescribed return values and their significance?
   <br/>&#62; &#62;
   <br/>&#62; &#62; - Dennis
   <br/>&#62; &#62;
   <br/>&#62; &#62; PS: Sorry if this has been asked. I haven&#39;t found the list archive yet.
   <br/>&#62; &#62;
   <br/>&#62; It has not been asked.
   <br/>&#62; 
   <br/>&#62; In typical C fashion, return value should be 0 for success, and
   <br/>&#62; otherwise for any error that may occur during computation. Error codes,
   <br/>&#62; if any, should be up to implementors, since sources of error may wildly
   <br/>&#62; vary between schemes/implementations.
  </div> 
  <div>
   &#160;
  </div> 
  <div>
   I was under the impression that the return value was the amount of data copied to the output buffer.
  </div>
 
</body></html>
------=_Part_24952_775927948.1361220029500--

From dennis.hamilton@acm.org  Lun fÃ©v 18 21:26:38 2013 +0000
Return-Path: <dennis.hamilton@acm.org>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 5979 invoked by uid 89); 18 Feb 2013 21:26:38 -0000
Received: by simscan 1.4.0 ppid: 5973, pid: 5975, t: 0.3129s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.4 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO a2s42.a2hosting.com) (216.119.133.2)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 18 Feb 2013 21:26:38 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks3.google.com designates 216.119.133.2 as permitted sender)
Received: from 97-126-118-69.tukw.qwest.net ([97.126.118.69]:33565 helo=Astraendo)
	by a2s42.a2hosting.com with esmtpa (Exim 4.80)
	(envelope-from <dennis.hamilton@acm.org>)
	id 1U7YEO-002QV3-3A
	for discussions@password-hashing.net; Mon, 18 Feb 2013 16:26:36 -0500
From: "Dennis E. Hamilton" <dennis.hamilton@acm.org>
To: <discussions@password-hashing.net>
References: <003301ce0e08$384a1730$a8de4590$@acm.org> <51227A51.7090602@dei.uc.pt> <467242033.24953.1361220029545.open-xchange@email.1and1.com>
In-Reply-To: <467242033.24953.1361220029545.open-xchange@email.1and1.com>
Date: Mon, 18 Feb 2013 13:26:34 -0800
Organization: NuovoDoc
Message-ID: <000001ce0e1e$a15ac010$e4104030$@acm.org>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQKDmOkVwMq2eLVP4PiRDGgbvXBtxgJ1CJ9xAjfY7LyW75wyAA==
Content-Language: en-us
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - a2s42.a2hosting.com
X-AntiAbuse: Original Domain - password-hashing.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - acm.org
X-Get-Message-Sender-Via: a2s42.a2hosting.com: authenticated_id: himself+orcmid.com/only user confirmed/virtual account not confirmed
Subject: RE: [PHC] Q: int return from PHS()

!? (glad I asked)

If PHS( ) returns the length of the data delivered in the output buffer, =
type disharmony is avoided by (1) making the result a size_t or (2) =
making outlen an int.  In case (1), 0 is probably the failure result.  =
In case (2) negative results can signify errors (and 0 is a strange =
success case?).  I'm not clear whether (2) is now considered an archaic =
device.  I'm agnostic about that.  I just want definiteness.

If PHS( ) returns a straightforward result code (with 0 signifying =
success), I would expect that outlen is a request for a specific size of =
result and the function should fail if it can't deliver. =20

In the case of failure/error in either case, the content of the output =
buffer should be considered unpredictable and should also not leak =
anything.  (If it were up to me, I'd always clear the output buffer at =
the beginning and endeavor to leave it that way except just before a =
success return.)

 - Dennis



-----Original Message-----
From: Steve Thomas [mailto:steve@tobtu.com]=20
Sent: Monday, February 18, 2013 12:40
To: discussions@password-hashing.net
Subject: Re: [PHC] Q: int return from PHS()

> On February 18, 2013 at 1:00 PM Samuel Neves <sneves@dei.uc.pt> wrote: =

>=20
>=20
> On 18-02-2013 18:46, Dennis E. Hamilton wrote:=20
> > Reference implementations for submissions are requested to provide =
an API=20
> > having signature int PHS( ...)=20
> >=20
> > What are the prescribed return values and their significance?=20
> >=20
> > - Dennis=20
> >=20
> > PS: Sorry if this has been asked. I haven't found the list archive =
yet.=20
> >=20
> It has not been asked.=20
>=20
> In typical C fashion, return value should be 0 for success, and=20
> otherwise for any error that may occur during computation. Error =
codes,=20
> if any, should be up to implementors, since sources of error may =
wildly=20
> vary between schemes/implementations.=20
 =20
I was under the impression that the return value was the amount of data =
copied to the output buffer.=20


From solar@openwall.com  Lun fÃ©v 18 21:48:23 2013 +0000
Return-Path: <solar@openwall.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 7163 invoked by uid 89); 18 Feb 2013 21:48:23 -0000
Received: by simscan 1.4.0 ppid: 7157, pid: 7159, t: 0.3728s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mother.openwall.net) (195.42.179.200)
  by qmailtoaster.cryptyx.com with SMTP; 18 Feb 2013 21:48:23 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at openwall.com designates 195.42.179.200 as permitted sender)
Received: (qmail 28060 invoked from network); 18 Feb 2013 21:48:22 -0000
Received: from localhost (HELO pvt.openwall.com) (127.0.0.1)
  by localhost with SMTP; 18 Feb 2013 21:48:22 -0000
Received: by pvt.openwall.com (Postfix, from userid 503)
	id B94966FB04; Tue, 19 Feb 2013 01:48:19 +0400 (MSK)
Date: Tue, 19 Feb 2013 01:48:19 +0400
From: Solar Designer <solar@openwall.com>
To: discussions@password-hashing.net
Message-ID: <20130218214819.GA20645@openwall.com>
References: <003601ce0e0d$67ad08c0$37071a40$@acm.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <003601ce0e0d$67ad08c0$37071a40$@acm.org>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [PHC] Q: Reference t_cost and m_cost parameters

On Mon, Feb 18, 2013 at 11:23:16AM -0800, Dennis E. Hamilton wrote:
> For the candidate reference-implementation API, the t_cost and m_cost
> parameters are apparently unitless values related to time cost and space
> (memory cost).
> 
> Is there some standard definition for these, so that one can substitute
> implementations but not need to know the implementation to know the
> consequences?  
> 
> Or is it presumed that a candidate specify how these are interpreted

I think it's the latter.

I expect PHC submissions to differ in their abilities a lot, including
what ranges of cost settings they work for, and with what granularity.
In some cases, the two cost settings might not be entirely independent -
e.g., in scrypt both N*r and p contribute to its running time.

I actually tried bringing 3 different underlying password hashing
schemes to the same cost scale, in terms of CPU time, in phpass.  I did
so by adopting bcrypt's costs as the input values, and translating them
to cost settings resulting in comparable CPU time usage on current CPUs
and with current code for BSDI's extended DES-based hashes and for
phpass' own "portable" hashes.  This works fine, but I think in PHC
context it should be left for a higher level, if we like.

If we try to insist that e.g. t_cost is expressed in microseconds on a
specific CPU when using a specific compiler/version and m_cost e.g. in
kilobytes, this means that PHS() will be a wrapper function doing the
necessary translation (and returning an error code for value
combinations that its underlying code can't get sufficiently close to?)
I'm not sure whether we want that.

> and once a particular function is "standardized" as *the* PHS, the
> interpretation of the parameters will be fixed?

I guess the PHS() interface might end up being for PHC use only, not for
actual use of the winning password hashing scheme(s).  (Chances are
that there will be more than one as I do not expect that a single one
will meet all of our wishes at once.  Maybe two.)  I think each password
hashing scheme, besides the PHC-mandatory PHS() interface, will also
provide its own APIs and indicate which one (or several) are recommended
for use.

> By fixed I mean that the salt and the cost parameters would be either stored
> or otherwise preserved between creation of a hash and recomputation of the
> hash for authentication of a password.  

Oh, that's a different aspect from what you wrote in the previous few
paragraphs.  Yes, it is expected that the parameter values, except for
secrets, will be stored along with the hashes or with the encrypted
data (if the scheme is used as a KDF).  This is beyond scope of PHC,
although we may discuss it in here.

I expect that once we get closer to the end of first year, we'll need to
have crypt(3) encoding syntax defined for the finalists, although this
is not mandated by PHC terms.  This implies storage of non-secret
parameters along with the hashes (inside those strings).

> I am thinking of the case where the authentication may be done by different
> systems than the one that originally derived the hash, as when using
> password-based encryption of documents in an interchange situation or in a
> long-lived personal archive, longer-lived than the computer used to create
> the password hash originally.  In this case it may be necessary to
> communicate the salt and the cost parameters along with the derived hash
> value.

Of course.  This is how it's being done already.

Alexander

From dennis.hamilton@acm.org  Lun fÃ©v 18 22:02:50 2013 +0000
Return-Path: <dennis.hamilton@acm.org>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 7915 invoked by uid 89); 18 Feb 2013 22:02:50 -0000
Received: by simscan 1.4.0 ppid: 7908, pid: 7911, t: 0.2660s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.3 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO a2s42.a2hosting.com) (216.119.133.2)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 18 Feb 2013 22:02:49 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks3.google.com designates 216.119.133.2 as permitted sender)
Received: from 97-126-118-69.tukw.qwest.net ([97.126.118.69]:32809 helo=Astraendo)
	by a2s42.a2hosting.com with esmtpa (Exim 4.80)
	(envelope-from <dennis.hamilton@acm.org>)
	id 1U7YnP-002yaC-EW
	for discussions@password-hashing.net; Mon, 18 Feb 2013 17:02:48 -0500
From: "Dennis E. Hamilton" <dennis.hamilton@acm.org>
To: <discussions@password-hashing.net>
Date: Mon, 18 Feb 2013 14:02:45 -0800
Organization: NuovoDoc
Message-ID: <000101ce0e23$af8f9570$0eaec050$@acm.org>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 15.0
Thread-Index: Ac4OI5u+voKTrccLRquLJYiM6oHfMw==
Content-Language: en-us
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - a2s42.a2hosting.com
X-AntiAbuse: Original Domain - password-hashing.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - acm.org
X-Get-Message-Sender-Via: a2s42.a2hosting.com: authenticated_id: himself+orcmid.com/only user confirmed/virtual account not confirmed
Subject: Coding of the in[inlen] array for PHS( )

The ASCII/non-ASCII about desirable test vectors suggest that being =
character set sensitive is permissible.  (That is how Java screwed up =
PBKDF2).  I suspect that is not intended.

To be clear about it, I suggest specifying in[inlen] to be a sequence of =
storage units in in[0] to in[inlen-1] progression and that is all there =
is to know about it.  It is probably necessary to specify that the =
values must be between 0x00 and 0xFF as well (just in case the storage =
units are larger).  If the array is blocked into words in some manner =
internal to PHS, the tranformation should be explicit without assumption =
of some big/little-endian orientation.  (Ditto for the out[outlen] of =
course.

It is best to consider that, within those constraints, the in[inlen] =
array consists of arbitrary values, whether or not indistinguishable =
from random.

I don't think *anything* about character set encoding and whether or not =
the password that is used is well-formed in any way should cross the API =
barrier.  It seems to me that reproducible use of PHS() falls on the =
external application.  The application needs to ensure that the same =
password value is coded in response to the same password text entry (if =
that is the scheme) on the part of an user or user agent that enters via =
a different path.  That's where any constraints need to be.=20

In this way, it is entirely admissible to submit hashes to the function, =
as when extending an existing system to use the stronger PHS( ) by =
feeding it the hash previously retained by an authenticating service.  =
This is a way to upgrade without requiring knowledge of any password =
that produced the hash (or some indistinguishable from random) value =
being extended.  (The previous hash now becomes an intermediate value in =
the extended derivation.)

 - Dennis


From dfoxfranke@gmail.com  Lun fÃ©v 18 22:12:30 2013 +0000
Return-Path: <dfoxfranke@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 8313 invoked by uid 89); 18 Feb 2013 22:12:29 -0000
Received: by simscan 1.4.0 ppid: 8307, pid: 8309, t: 0.2562s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.5 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-vc0-f181.google.com) (209.85.220.181)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 18 Feb 2013 22:12:29 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.220.181 as permitted sender)
Received: by mail-vc0-f181.google.com with SMTP id f13so686667vcb.40
        for <discussions@password-hashing.net>; Mon, 18 Feb 2013 14:12:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:from:to:subject:references:date:in-reply-to:message-id
         :user-agent:mime-version:content-type;
        bh=jOw2iLRYrLtc5UU9H6N7TAx9BrQvdh9Q8lGGxrx4uiI=;
        b=qwIH83znfPH9gwtp8zYo+ph3nOMg6aNbWMdBni+PBdwRfRIsVCap8yzNtqupUNhkBD
         wiEx5EC1gyzDhKpBwaALTikxRKafCoRtQBC9A6SHM1oQReVKvJWDTH+cFdyY4/XrKPW8
         DKO4wBzOcuJ07/FxkEXjs9lprctGxog5dCLP/qVLZm3LUoJI0K8XD+C8dvJnrFvT/gyo
         GVsARR6XDns6Ue1XOdL33Uzc5m8+czxp1naXZog2hS9z/+jJ5eKAs/wqQ9w1sBmQ3Rfx
         vJ9UgHZzVymMjf90Fv/8luJeOQpSl3WqHYbsUBRU6jqkd0Ov1wpoyLKxljzjixuUYkZH
         YcUA==
X-Received: by 10.58.254.33 with SMTP id af1mr18456630ved.0.1361225548205;
        Mon, 18 Feb 2013 14:12:28 -0800 (PST)
Received: from wolfjaw.dfranke.us (wolfjaw.dfranke.us. [2600:3c03:e001:1200:225:90ff:fe81:d4a0])
        by mx.google.com with ESMTPS id yu4sm98130524veb.7.2013.02.18.14.12.26
        (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
        Mon, 18 Feb 2013 14:12:27 -0800 (PST)
From: Daniel Franke <dfoxfranke@gmail.com>
To: discussions@password-hashing.net
References: <000101ce0e23$af8f9570$0eaec050$@acm.org>
Date: Mon, 18 Feb 2013 17:12:25 -0500
In-Reply-To: <000101ce0e23$af8f9570$0eaec050$@acm.org> (Dennis E. Hamilton's
	message of "Mon, 18 Feb 2013 14:02:45 -0800")
Message-ID: <87zjz1gtkm.fsf@wolfjaw.dfranke.us>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Subject: Re: [PHC] Coding of the in[inlen] array for PHS( )

"Dennis E. Hamilton" <dennis.hamilton@acm.org> writes:

> The ASCII/non-ASCII about desirable test vectors suggest that being
> character set sensitive is permissible.

I don't think it suggests that at all.  The purpose of test vectors is
to check the correctness of implementations.  One plausible way to mess
up an otherwise-correct implementation is to mishandle inputs containing
non-ASCII characters. Therefore non-ASCII test vectors are desirable.

I would amend the recommendation by explicit calling for some test
vectors containing embedded null bytes.

From dennis.hamilton@acm.org  Lun fÃ©v 18 22:53:00 2013 +0000
Return-Path: <dennis.hamilton@acm.org>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 10388 invoked by uid 89); 18 Feb 2013 22:53:00 -0000
Received: by simscan 1.4.0 ppid: 10382, pid: 10384, t: 0.2827s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.3 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO a2s42.a2hosting.com) (216.119.133.2)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 18 Feb 2013 22:52:59 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks3.google.com designates 216.119.133.2 as permitted sender)
Received: from 97-126-118-69.tukw.qwest.net ([97.126.118.69]:52920 helo=Astraendo)
	by a2s42.a2hosting.com with esmtpa (Exim 4.80)
	(envelope-from <dennis.hamilton@acm.org>)
	id 1U7ZZx-003kyp-V5
	for discussions@password-hashing.net; Mon, 18 Feb 2013 17:52:58 -0500
From: "Dennis E. Hamilton" <dennis.hamilton@acm.org>
To: <discussions@password-hashing.net>
References: <000101ce0e23$af8f9570$0eaec050$@acm.org> <87zjz1gtkm.fsf@wolfjaw.dfranke.us>
In-Reply-To: <87zjz1gtkm.fsf@wolfjaw.dfranke.us>
Date: Mon, 18 Feb 2013 14:52:55 -0800
Organization: NuovoDoc
Message-ID: <000901ce0e2a$b1f371e0$15da55a0$@acm.org>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQH+j3KommtUi8+BH+f/eyitndITlwFyLWM2mBOiklA=
Content-Language: en-us
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - a2s42.a2hosting.com
X-AntiAbuse: Original Domain - password-hashing.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - acm.org
X-Get-Message-Sender-Via: a2s42.a2hosting.com: authenticated_id: himself+orcmid.com/only user confirmed/virtual account not confirmed
Subject: RE: [PHC] Coding of the in[inlen] array for PHS( )

Good.

A cryptographically-random byte sequence or two would also be useful for
test vectors. 

My view is that PHS( ) should not interpret the sequence as any character
code whatsoever.  Nothing to mishandle.

 - Dennis 

-----Original Message-----
From: Daniel Franke [mailto:dfoxfranke@gmail.com] 
Sent: Monday, February 18, 2013 14:12
To: discussions@password-hashing.net
Subject: Re: [PHC] Coding of the in[inlen] array for PHS( )

"Dennis E. Hamilton" <dennis.hamilton@acm.org> writes:

> The ASCII/non-ASCII about desirable test vectors suggest that being
> character set sensitive is permissible.

I don't think it suggests that at all.  The purpose of test vectors is
to check the correctness of implementations.  One plausible way to mess
up an otherwise-correct implementation is to mishandle inputs containing
non-ASCII characters. Therefore non-ASCII test vectors are desirable.

I would amend the recommendation by explicit calling for some test
vectors containing embedded null bytes.


From solar@openwall.com  Lun fÃ©v 18 22:54:31 2013 +0000
Return-Path: <solar@openwall.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 10507 invoked by uid 89); 18 Feb 2013 22:54:31 -0000
Received: by simscan 1.4.0 ppid: 10501, pid: 10503, t: 0.3354s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mother.openwall.net) (195.42.179.200)
  by qmailtoaster.cryptyx.com with SMTP; 18 Feb 2013 22:54:30 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at openwall.com designates 195.42.179.200 as permitted sender)
Received: (qmail 18106 invoked from network); 18 Feb 2013 22:54:30 -0000
Received: from localhost (HELO pvt.openwall.com) (127.0.0.1)
  by localhost with SMTP; 18 Feb 2013 22:54:30 -0000
Received: by pvt.openwall.com (Postfix, from userid 503)
	id 8ABE06FB04; Tue, 19 Feb 2013 02:54:27 +0400 (MSK)
Date: Tue, 19 Feb 2013 02:54:27 +0400
From: Solar Designer <solar@openwall.com>
To: discussions@password-hashing.net
Message-ID: <20130218225427.GB20985@openwall.com>
References: <000101ce0e23$af8f9570$0eaec050$@acm.org> <87zjz1gtkm.fsf@wolfjaw.dfranke.us>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87zjz1gtkm.fsf@wolfjaw.dfranke.us>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [PHC] Coding of the in[inlen] array for PHS( )

On Mon, Feb 18, 2013 at 05:12:25PM -0500, Daniel Franke wrote:
> I would amend the recommendation by explicit calling for some test
> vectors containing embedded null bytes.

Note that some of the submissions will be intended for implementation
in scripting languages, whereas the C implementation of them will be to
fit the PHC terms (allow for uniform testing of all submissions, etc.),
as well as to ensure correctness of the scripts (e.g., I made a C
implementation of phpass "portable" hashes for that very reason).

Yes, PHS() is defined to accept inlen, but in many scripting languages
and in many other APIs NULs may be problematic anyway.

Should PHS() support embedded NULs even when the password hashing
scheme's primary implementation - one intended for actual use - does not
support embedded NULs?  Well, perhaps it should...

Alexander

From solar@openwall.com  Lun fÃ©v 18 23:00:39 2013 +0000
Return-Path: <solar@openwall.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 11044 invoked by uid 89); 18 Feb 2013 23:00:38 -0000
Received: by simscan 1.4.0 ppid: 11038, pid: 11040, t: 0.3091s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mother.openwall.net) (195.42.179.200)
  by qmailtoaster.cryptyx.com with SMTP; 18 Feb 2013 23:00:38 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at openwall.com designates 195.42.179.200 as permitted sender)
Received: (qmail 21989 invoked from network); 18 Feb 2013 23:00:38 -0000
Received: from localhost (HELO pvt.openwall.com) (127.0.0.1)
  by localhost with SMTP; 18 Feb 2013 23:00:38 -0000
Received: by pvt.openwall.com (Postfix, from userid 503)
	id 2A4AE6FB04; Tue, 19 Feb 2013 03:00:35 +0400 (MSK)
Date: Tue, 19 Feb 2013 03:00:35 +0400
From: Solar Designer <solar@openwall.com>
To: discussions@password-hashing.net
Message-ID: <20130218230035.GC20985@openwall.com>
References: <000101ce0e23$af8f9570$0eaec050$@acm.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <000101ce0e23$af8f9570$0eaec050$@acm.org>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [PHC] Coding of the in[inlen] array for PHS( )

On Mon, Feb 18, 2013 at 02:02:45PM -0800, Dennis E. Hamilton wrote:
> The ASCII/non-ASCII about desirable test vectors suggest that being character set sensitive is permissible.

The "Call for submissions" talks about "bytes" in all places except for
this one:

"Comprehensive set of test vectors (preferably including non-ASCII
characters)."

Perhaps this should be changed to:

"Comprehensive set of test vectors (preferably including all byte values
in the 0 to 0xFF range for both the password and the salt inputs)."

Yes, if this "preference" is followed, this implies that we'll have at
least 256 bytes worth of data for each input (across all test vectors).

I think we don't want to get into the complicated issues with
"characters" here.  "Characters" may use different encodings, may be
multi-byte, may vary in endianness, etc.  In PHS(), we deal with bytes.

Alexander

From solar@openwall.com  Lun fÃ©v 18 23:27:03 2013 +0000
Return-Path: <solar@openwall.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 12595 invoked by uid 89); 18 Feb 2013 23:27:03 -0000
Received: by simscan 1.4.0 ppid: 12589, pid: 12591, t: 0.3941s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mother.openwall.net) (195.42.179.200)
  by qmailtoaster.cryptyx.com with SMTP; 18 Feb 2013 23:27:02 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at openwall.com designates 195.42.179.200 as permitted sender)
Received: (qmail 29721 invoked from network); 18 Feb 2013 23:27:02 -0000
Received: from localhost (HELO pvt.openwall.com) (127.0.0.1)
  by localhost with SMTP; 18 Feb 2013 23:27:02 -0000
Received: by pvt.openwall.com (Postfix, from userid 503)
	id 15CE96FB04; Tue, 19 Feb 2013 03:27:00 +0400 (MSK)
Date: Tue, 19 Feb 2013 03:27:00 +0400
From: Solar Designer <solar@openwall.com>
To: discussions@password-hashing.net
Message-ID: <20130218232700.GA21098@openwall.com>
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz> <061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org> <5120951F.8000303@bindshell.nl> <87txpaii2q.fsf@wolfjaw.dfranke.us> <CAEw2jfz3CG9VLpV--cyzTAvF854qG-CZ9PX02LeB5-1X2JV=tQ@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAEw2jfz3CG9VLpV--cyzTAvF854qG-CZ9PX02LeB5-1X2JV=tQ@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [PHC] Any "large verifiers" on the panel?

On Mon, Feb 18, 2013 at 09:54:01AM +0100, Patrick Mylund Nielsen wrote:
> Except this is not what happens today.

Oh, the wonders of top-posting.  I can't even comment on that paragraph
because it is unclear what exactly you were referring to. ;-)

> What does happen, and what absolutely hurts the most, is when somebody gets
> a hold of your entire database of (weak) digests and cracks them on their
> own or dumps them in a pastebin, e.g. without the usernames. The PHC
> schemes, IMHO, really need to be resistant to this.

Yes, PHC is precisely about coming up with password hashing schemes that
mitigate offline attacks.

> We _already have_
> effective ways to resist online attacks--exponential backoff, bans, even
> captchas...

Actually, dealing with online attacks is not always that easy - in
particular, if we consider that some may target password reuse from
other sites.  Some large sites are having a hard time dealing with
online attacks:

http://lists.openwall.net/full-disclosure/2012/05/17/11
https://ripe64.ripe.net/presentations/48-AbuseAtScale.pdf
https://speakerdeck.com/u/duosec/p/mike-hearn-at-ripe-64-abuse-at-scale

It's just beyond scope of PHC.

> To give an example: Blizzard Entertainment got a huge level of flak from
> the tech, and even the crypto, communities for using SRP when their
> verifiers were compromised, as people realized that SRP protects against
> MITM attacks, not offline attacks:
> http://arstechnica.com/security/2012/08/hacked-blizzard-passwords-not-hard-to-crack/

Sure.  SRP does not solve the problem that we're trying to focus on here.

> IMHO, it is a more useful exercise to think about leveraging clients, e.g.
> for key derivation,

It is OK to discuss this in PHC context, but how does it affect the
actual PHC submissions?  Well, scalability (via the cost settings) to
mobile devices is relevant, and it may contribute to us choosing one
password hashing scheme over another as a winner.  However, in order to
actually do the hashing on the client, a suitable protocol would need to
be used.  (And the security offered by that will vary across protocols,
as well as across actual implementations, both client- and server-side.)
I feel that as it relates to PHC winner selection, only the password
hashing scheme scalability aspect is relevant.

> than more secrets on the server side. The servers will be compromised.

This is a simplistic/idealistic view.  We're dealing with a problem
where we don't have the luxury of possibly arriving at a perfect
solution anyway.  Why should we discard other imperfect security
measures, then?

A password hashing scheme that is more costly for an attacker to compute
will result in that attacker cracking fewer passwords.  Similarly, a
password hashing implementation with a secret local parameter will
result in some attackers ending up with hashes, but not the local
parameter value.  In either case, the overall number of passwords
getting cracked - across multiple sites and attackers - is reduced.
Thus, support for a secret local parameter is in line with the goals of
PHC.

Now, one can argue that a local parameter stored in the exact same place
with the hashes is useless, and I agree - in cases where it's just an
implementation obscurity, the false sense of security aspect may
outweigh the arguable advantage of some attackers naively missing the
local parameter.  However, there are also cases where it won't be stored
in the exact same place, and a subset of reasonable attacks will likely
get to the hashes, but not to the local parameter value.  In PHC, we're
merely providing password hashing schemes that are usable with a local
parameter.  We do not control whether such uses will be reasonable or
not.  Yet discouraging such uses in general just because some are
unreasonable is not necessarily good.

Thus, the wording of in the call for submissions: a secret local
parameter is allowed as an optional input, but its support is not
required from PHC submissions.  It's then up to each individual
submissions' authors to include this functionality or not, according to
their beliefs, ease of inclusion of an extra parameter within their
design, etc.  I think this is how it should be.

Alexander

From solar@openwall.com  Lun fÃ©v 18 23:35:48 2013 +0000
Return-Path: <solar@openwall.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 13206 invoked by uid 89); 18 Feb 2013 23:35:47 -0000
Received: by simscan 1.4.0 ppid: 13200, pid: 13202, t: 0.2767s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mother.openwall.net) (195.42.179.200)
  by qmailtoaster.cryptyx.com with SMTP; 18 Feb 2013 23:35:47 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at openwall.com designates 195.42.179.200 as permitted sender)
Received: (qmail 32126 invoked from network); 18 Feb 2013 23:35:46 -0000
Received: from localhost (HELO pvt.openwall.com) (127.0.0.1)
  by localhost with SMTP; 18 Feb 2013 23:35:46 -0000
Received: by pvt.openwall.com (Postfix, from userid 503)
	id 1A0896FB04; Tue, 19 Feb 2013 03:35:44 +0400 (MSK)
Date: Tue, 19 Feb 2013 03:35:44 +0400
From: Solar Designer <solar@openwall.com>
To: discussions@password-hashing.net
Message-ID: <20130218233544.GB21098@openwall.com>
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz> <061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org> <5120951F.8000303@bindshell.nl> <87txpaii2q.fsf@wolfjaw.dfranke.us> <5121A295.2030601@bindshell.nl> <87d2vyi70f.fsf@wolfjaw.dfranke.us> <5121B661.3060208@bindshell.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5121B661.3060208@bindshell.nl>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [PHC] Any "large verifiers" on the panel?

On Sun, Feb 17, 2013 at 09:04:33PM -0800, Jeremi Gosney wrote:
> On 2/17/2013 8:24 PM, Daniel Franke wrote:
> > If the attacker can obtain a shell under the same uid as the webapp
> > process and go undetected for a while, then he can ptrace the webapp and
> > see the passwords as they're being passed into the hashing function.
> 
> It does not work this way anymore. At least not on modern Linux
> distributions that enable the Yama LSM, which I'm pretty sure all
> distributers started doing ~ 3 years back.

This is wishful thinking.  I'm only aware of Ubuntu doing it.

Alexander

From patrick@patrickmn.com  Lun fÃ©v 18 23:38:33 2013 +0000
Return-Path: <patrick@patrickmn.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 13415 invoked by uid 89); 18 Feb 2013 23:38:33 -0000
Received: by simscan 1.4.0 ppid: 13409, pid: 13411, t: 0.8455s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=HTML_MESSAGE,RDNS_NONE
	autolearn=no version=3.2.5
Received: from unknown (HELO mail-wi0-f179.google.com) (209.85.212.179)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 18 Feb 2013 23:38:32 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.212.179 as permitted sender)
Received: by mail-wi0-f179.google.com with SMTP id ez12so4181130wid.6
        for <discussions@password-hashing.net>; Mon, 18 Feb 2013 15:38:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=patrickmylund.com; s=pmylund;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:content-type;
        bh=r7KfUc+2Jjl3RaNqKyRUwtsGVGPx4NdwVjIdDR6z0NE=;
        b=FIQ8/32xn8VDWeOa5lMH+Kuf51Z5Amgp9Vu25snCelGbnVIfqTweJ/Hi4ck/6fMoiL
         r3+VfPSTbdD1W3U6heEz2+CzK+yYpXIELvtWO2gsjZB0ZLb7Bvgdswl25gvHOsbuGoo1
         D0K4rZP5xXKIaTG+gQD2Ig+VUzdcEiuXa6bRw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:content-type:x-gm-message-state;
        bh=r7KfUc+2Jjl3RaNqKyRUwtsGVGPx4NdwVjIdDR6z0NE=;
        b=K59mPSyLDzzm6q6r7B/CKIbNRLMWZyH1bmi8dESsVtu17LFq9ID+dyNw4SCsm1BV0I
         iefkbmX4TNobKLBzINegsCQs9/AJzkSvnTH+SprZRg7TJspH1y24zZWDXrVUOLLcuYQf
         wrhNXaUi8tLaDKoAKK0iUkuB5PgA7s+4gKBs1YvLbA30nSgXKA34Q1heYFj+yZZ+D3GN
         ommEklQhScvUnDSUVmaVC/WeVixv6VF4vOpFfrUJKzTtBTmC2kMmDCk+bMgtDOsI6MpE
         f5huzriWBC2anSaoSNMvh0agxAAW6D60pV+cMdZsGgEPgMr1ETlpXMQMUNHDi9tVDl+v
         gWbQ==
MIME-Version: 1.0
X-Received: by 10.194.103.163 with SMTP id fx3mr22504026wjb.58.1361230711861;
 Mon, 18 Feb 2013 15:38:31 -0800 (PST)
Received: by 10.194.35.196 with HTTP; Mon, 18 Feb 2013 15:38:31 -0800 (PST)
X-Originating-IP: [85.224.171.72]
In-Reply-To: <20130218232700.GA21098@openwall.com>
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz>
	<061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org>
	<5120951F.8000303@bindshell.nl>
	<87txpaii2q.fsf@wolfjaw.dfranke.us>
	<CAEw2jfz3CG9VLpV--cyzTAvF854qG-CZ9PX02LeB5-1X2JV=tQ@mail.gmail.com>
	<20130218232700.GA21098@openwall.com>
Date: Tue, 19 Feb 2013 00:38:31 +0100
Message-ID: <CAEw2jfzOr8nFSnjWorBVcZd4yJfVWb3FjF8NpBLHLvrugZNssA@mail.gmail.com>
From: Patrick Mylund Nielsen <patrick@patrickmylund.com>
To: "discussions@password-hashing.net" <discussions@password-hashing.net>
Content-Type: multipart/alternative; boundary=089e010d84ec09b26704d608391b
X-Gm-Message-State: ALoCoQlMLbwl0lr3DpJMol431HbCFLg6KBkhj8R3pm0Iba7jG4tx9UfGwBMBBYnIyXRw7Mu4GGAc
Subject: Re: [PHC] Any "large verifiers" on the panel?

--089e010d84ec09b26704d608391b
Content-Type: text/plain; charset=UTF-8

> Oh, the wonders of top-posting.  I can't even comment on that paragraph because
it is unclear what exactly you were referring to. ;-)

That attackers are compromising servers and sniffing passwords over the
wire, waiting for re-authentications, rather than just grabbing the
database.

> Actually, dealing with online attacks is not always that easy - in particular,
if we consider that some may target password reuse from other sites.

Sure, but if you actually get the username and password right, the PHC
can't protect you anyway. My point was that it should not be the focus of
the PHC to be resistant to online (slow) attacks since that is not where
we're hurting the most, currently.

> Now, one can argue that a local parameter stored in the exact same place with
the hashes is useless, and I agree - in cases where it's just an implementation
obscurity, the false sense of security aspect may outweigh the arguable
advantage of some attackers naively missing the local parameter.
...
> Thus, the wording of in the call for submissions: a secret local parameter
is allowed as an optional input, but its support is not required from PHC
submissions.  It's then up to each individual submissions' authors to
include this functionality or not, according to their beliefs, ease of
inclusion of an extra parameter within their design, etc.  I think this is
how it should be.

This is the point I was trying to get across: It wouldn't hurt to be able
to strengthen the construction somehow by using a secret that is stored
elsewhere, but the security of the algorithm should not be contingent upon
it.

> This is a simplistic/idealistic view.  We're dealing with a problem where
we don't have the luxury of possibly arriving at a perfect solution anyway.
 Why should we discard other imperfect security measures, then?

I'm not sure if I was unclear here: PHC needs to resist offline attacks
since we can assume that the database of verifiers/digests will be
compromised at some point. I don't think this is simplistic/ideal, just
realistic.



On Tue, Feb 19, 2013 at 12:27 AM, Solar Designer <solar@openwall.com> wrote:

> On Mon, Feb 18, 2013 at 09:54:01AM +0100, Patrick Mylund Nielsen wrote:
> > Except this is not what happens today.
>
> Oh, the wonders of top-posting.  I can't even comment on that paragraph
> because it is unclear what exactly you were referring to. ;-)
>
> > What does happen, and what absolutely hurts the most, is when somebody
> gets
> > a hold of your entire database of (weak) digests and cracks them on their
> > own or dumps them in a pastebin, e.g. without the usernames. The PHC
> > schemes, IMHO, really need to be resistant to this.
>
> Yes, PHC is precisely about coming up with password hashing schemes that
> mitigate offline attacks.
>
> > We _already have_
> > effective ways to resist online attacks--exponential backoff, bans, even
> > captchas...
>
> Actually, dealing with online attacks is not always that easy - in
> particular, if we consider that some may target password reuse from
> other sites.  Some large sites are having a hard time dealing with
> online attacks:
>
> http://lists.openwall.net/full-disclosure/2012/05/17/11
> https://ripe64.ripe.net/presentations/48-AbuseAtScale.pdf
> https://speakerdeck.com/u/duosec/p/mike-hearn-at-ripe-64-abuse-at-scale
>
> It's just beyond scope of PHC.
>
> > To give an example: Blizzard Entertainment got a huge level of flak from
> > the tech, and even the crypto, communities for using SRP when their
> > verifiers were compromised, as people realized that SRP protects against
> > MITM attacks, not offline attacks:
> >
> http://arstechnica.com/security/2012/08/hacked-blizzard-passwords-not-hard-to-crack/
>
> Sure.  SRP does not solve the problem that we're trying to focus on here.
>
> > IMHO, it is a more useful exercise to think about leveraging clients,
> e.g.
> > for key derivation,
>
> It is OK to discuss this in PHC context, but how does it affect the
> actual PHC submissions?  Well, scalability (via the cost settings) to
> mobile devices is relevant, and it may contribute to us choosing one
> password hashing scheme over another as a winner.  However, in order to
> actually do the hashing on the client, a suitable protocol would need to
> be used.  (And the security offered by that will vary across protocols,
> as well as across actual implementations, both client- and server-side.)
> I feel that as it relates to PHC winner selection, only the password
> hashing scheme scalability aspect is relevant.
>
> > than more secrets on the server side. The servers will be compromised.
>
> This is a simplistic/idealistic view.  We're dealing with a problem
> where we don't have the luxury of possibly arriving at a perfect
> solution anyway.  Why should we discard other imperfect security
> measures, then?
>
> A password hashing scheme that is more costly for an attacker to compute
> will result in that attacker cracking fewer passwords.  Similarly, a
> password hashing implementation with a secret local parameter will
> result in some attackers ending up with hashes, but not the local
> parameter value.  In either case, the overall number of passwords
> getting cracked - across multiple sites and attackers - is reduced.
> Thus, support for a secret local parameter is in line with the goals of
> PHC.
>
> Now, one can argue that a local parameter stored in the exact same place
> with the hashes is useless, and I agree - in cases where it's just an
> implementation obscurity, the false sense of security aspect may
> outweigh the arguable advantage of some attackers naively missing the
> local parameter.  However, there are also cases where it won't be stored
> in the exact same place, and a subset of reasonable attacks will likely
> get to the hashes, but not to the local parameter value.  In PHC, we're
> merely providing password hashing schemes that are usable with a local
> parameter.  We do not control whether such uses will be reasonable or
> not.  Yet discouraging such uses in general just because some are
> unreasonable is not necessarily good.
>
> Thus, the wording of in the call for submissions: a secret local
> parameter is allowed as an optional input, but its support is not
> required from PHC submissions.  It's then up to each individual
> submissions' authors to include this functionality or not, according to
> their beliefs, ease of inclusion of an extra parameter within their
> design, etc.  I think this is how it should be.
>
> Alexander
>

--089e010d84ec09b26704d608391b
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">&gt;=C2=A0<span style=3D"font-family:arial,sans-serif;font=
-size:13px">Oh, the wonders of top-posting. =C2=A0I can&#39;t even comment =
on that paragraph=C2=A0</span><span style=3D"font-family:arial,sans-serif;f=
ont-size:13px">because it is unclear what exactly you were referring to. ;-=
)</span><div>
<span style=3D"font-family:arial,sans-serif;font-size:13px"><br></span></di=
v><div style><span style=3D"font-family:arial,sans-serif;font-size:13px">Th=
at attackers are compromising servers and sniffing passwords over the wire,=
 waiting for re-authentications, rather than just grabbing the database.</s=
pan></div>
<div style><div><br></div><div>&gt;=C2=A0<span style=3D"font-family:arial,s=
ans-serif;font-size:13px">Actually, dealing with online attacks is not alwa=
ys that easy - in=C2=A0</span><span style=3D"font-family:arial,sans-serif;f=
ont-size:13px">particular, if we consider that some may target password reu=
se from=C2=A0</span><span style=3D"font-family:arial,sans-serif;font-size:1=
3px">other sites.</span></div>
<div><span style=3D"font-family:arial,sans-serif;font-size:13px"><br></span=
></div><div style><span style=3D"font-family:arial,sans-serif;font-size:13p=
x">Sure, but if you actually get the username and password right, the PHC c=
an&#39;t protect you anyway. My point was that it should not be the focus o=
f the PHC to be resistant to online (slow) attacks since that is not where =
we&#39;re hurting the most, currently.</span></div>
<div><font face=3D"arial, sans-serif"><br></font></div><div><font face=3D"a=
rial, sans-serif">&gt; Now, one can argue that a local parameter stored in =
the exact same place=C2=A0</font><span style=3D"font-family:arial,sans-seri=
f">with the hashes is useless, and I agree - in cases where it&#39;s just a=
n=C2=A0</span><span style=3D"font-family:arial,sans-serif">implementation o=
bscurity, the false sense of security aspect may=C2=A0</span><span style=3D=
"font-family:arial,sans-serif">outweigh the arguable advantage of some atta=
ckers naively missing the=C2=A0</span><span style=3D"font-family:arial,sans=
-serif">local parameter.</span></div>
<div><span style=3D"font-family:arial,sans-serif">...</span><br></div><div>=
<span style=3D"font-family:arial,sans-serif">&gt;=C2=A0</span><span style=
=3D"font-family:arial,sans-serif;font-size:13px">Thus, the wording of in th=
e call for submissions: a secret local=C2=A0</span><span style=3D"font-fami=
ly:arial,sans-serif;font-size:13px">parameter is allowed as an optional inp=
ut, but its support is not=C2=A0</span><span style=3D"font-family:arial,san=
s-serif;font-size:13px">required from PHC submissions. =C2=A0It&#39;s then =
up to each individual=C2=A0</span><span style=3D"font-family:arial,sans-ser=
if;font-size:13px">submissions&#39; authors to include this functionality o=
r not, according to=C2=A0</span><span style=3D"font-family:arial,sans-serif=
;font-size:13px">their beliefs, ease of inclusion of an extra parameter wit=
hin their=C2=A0</span><span style=3D"font-family:arial,sans-serif;font-size=
:13px">design, etc. =C2=A0I think this is how it should be.</span></div>
<div><span style=3D"font-family:arial,sans-serif;font-size:13px"><br></span=
></div><div style><span style=3D"font-family:arial,sans-serif;font-size:13p=
x">This is the point I was trying to get across: It wouldn&#39;t hurt to be=
 able to strengthen the construction somehow by using a secret that is stor=
ed elsewhere, but the security of the algorithm should not be contingent up=
on it.=C2=A0</span></div>
<div><span style=3D"font-family:arial,sans-serif"><br></span></div><div><sp=
an style=3D"font-family:arial,sans-serif"><div>&gt; This is a simplistic/id=
ealistic view. =C2=A0We&#39;re dealing with a problem where we don&#39;t ha=
ve the luxury of possibly arriving at a perfect solution anyway. =C2=A0Why =
should we discard other imperfect security measures, then?</div>
<div><br></div><div style>I&#39;m not sure if I was unclear here: PHC needs=
 to resist offline attacks since we can assume that the database of verifie=
rs/digests will be compromised at some point. I don&#39;t think this is sim=
plistic/ideal, just realistic.=C2=A0</div>
</span></div></div><div style><span style=3D"font-family:arial,sans-serif;f=
ont-size:13px"><br></span></div></div><div class=3D"gmail_extra"><br><br><d=
iv class=3D"gmail_quote">On Tue, Feb 19, 2013 at 12:27 AM, Solar Designer <=
span dir=3D"ltr">&lt;<a href=3D"mailto:solar@openwall.com" target=3D"_blank=
">solar@openwall.com</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><div class=3D"im">On Mon, Feb 18, 2013 at 09=
:54:01AM +0100, Patrick Mylund Nielsen wrote:<br>
&gt; Except this is not what happens today.<br>
<br>
</div>Oh, the wonders of top-posting. =C2=A0I can&#39;t even comment on tha=
t paragraph<br>
because it is unclear what exactly you were referring to. ;-)<br>
<div class=3D"im"><br>
&gt; What does happen, and what absolutely hurts the most, is when somebody=
 gets<br>
&gt; a hold of your entire database of (weak) digests and cracks them on th=
eir<br>
&gt; own or dumps them in a pastebin, e.g. without the usernames. The PHC<b=
r>
&gt; schemes, IMHO, really need to be resistant to this.<br>
<br>
</div>Yes, PHC is precisely about coming up with password hashing schemes t=
hat<br>
mitigate offline attacks.<br>
<div class=3D"im"><br>
&gt; We _already have_<br>
&gt; effective ways to resist online attacks--exponential backoff, bans, ev=
en<br>
&gt; captchas...<br>
<br>
</div>Actually, dealing with online attacks is not always that easy - in<br=
>
particular, if we consider that some may target password reuse from<br>
other sites. =C2=A0Some large sites are having a hard time dealing with<br>
online attacks:<br>
<br>
<a href=3D"http://lists.openwall.net/full-disclosure/2012/05/17/11" target=
=3D"_blank">http://lists.openwall.net/full-disclosure/2012/05/17/11</a><br>
<a href=3D"https://ripe64.ripe.net/presentations/48-AbuseAtScale.pdf" targe=
t=3D"_blank">https://ripe64.ripe.net/presentations/48-AbuseAtScale.pdf</a><=
br>
<a href=3D"https://speakerdeck.com/u/duosec/p/mike-hearn-at-ripe-64-abuse-a=
t-scale" target=3D"_blank">https://speakerdeck.com/u/duosec/p/mike-hearn-at=
-ripe-64-abuse-at-scale</a><br>
<br>
It&#39;s just beyond scope of PHC.<br>
<div class=3D"im"><br>
&gt; To give an example: Blizzard Entertainment got a huge level of flak fr=
om<br>
&gt; the tech, and even the crypto, communities for using SRP when their<br=
>
&gt; verifiers were compromised, as people realized that SRP protects again=
st<br>
&gt; MITM attacks, not offline attacks:<br>
&gt; <a href=3D"http://arstechnica.com/security/2012/08/hacked-blizzard-pas=
swords-not-hard-to-crack/" target=3D"_blank">http://arstechnica.com/securit=
y/2012/08/hacked-blizzard-passwords-not-hard-to-crack/</a><br>
<br>
</div>Sure. =C2=A0SRP does not solve the problem that we&#39;re trying to f=
ocus on here.<br>
<div class=3D"im"><br>
&gt; IMHO, it is a more useful exercise to think about leveraging clients, =
e.g.<br>
&gt; for key derivation,<br>
<br>
</div>It is OK to discuss this in PHC context, but how does it affect the<b=
r>
actual PHC submissions? =C2=A0Well, scalability (via the cost settings) to<=
br>
mobile devices is relevant, and it may contribute to us choosing one<br>
password hashing scheme over another as a winner. =C2=A0However, in order t=
o<br>
actually do the hashing on the client, a suitable protocol would need to<br=
>
be used. =C2=A0(And the security offered by that will vary across protocols=
,<br>
as well as across actual implementations, both client- and server-side.)<br=
>
I feel that as it relates to PHC winner selection, only the password<br>
hashing scheme scalability aspect is relevant.<br>
<div class=3D"im"><br>
&gt; than more secrets on the server side. The servers will be compromised.=
<br>
<br>
</div>This is a simplistic/idealistic view. =C2=A0We&#39;re dealing with a =
problem<br>
where we don&#39;t have the luxury of possibly arriving at a perfect<br>
solution anyway. =C2=A0Why should we discard other imperfect security<br>
measures, then?<br>
<br>
A password hashing scheme that is more costly for an attacker to compute<br=
>
will result in that attacker cracking fewer passwords. =C2=A0Similarly, a<b=
r>
password hashing implementation with a secret local parameter will<br>
result in some attackers ending up with hashes, but not the local<br>
parameter value. =C2=A0In either case, the overall number of passwords<br>
getting cracked - across multiple sites and attackers - is reduced.<br>
Thus, support for a secret local parameter is in line with the goals of<br>
PHC.<br>
<br>
Now, one can argue that a local parameter stored in the exact same place<br=
>
with the hashes is useless, and I agree - in cases where it&#39;s just an<b=
r>
implementation obscurity, the false sense of security aspect may<br>
outweigh the arguable advantage of some attackers naively missing the<br>
local parameter. =C2=A0However, there are also cases where it won&#39;t be =
stored<br>
in the exact same place, and a subset of reasonable attacks will likely<br>
get to the hashes, but not to the local parameter value. =C2=A0In PHC, we&#=
39;re<br>
merely providing password hashing schemes that are usable with a local<br>
parameter. =C2=A0We do not control whether such uses will be reasonable or<=
br>
not. =C2=A0Yet discouraging such uses in general just because some are<br>
unreasonable is not necessarily good.<br>
<br>
Thus, the wording of in the call for submissions: a secret local<br>
parameter is allowed as an optional input, but its support is not<br>
required from PHC submissions. =C2=A0It&#39;s then up to each individual<br=
>
submissions&#39; authors to include this functionality or not, according to=
<br>
their beliefs, ease of inclusion of an extra parameter within their<br>
design, etc. =C2=A0I think this is how it should be.<br>
<br>
Alexander<br>
</blockquote></div><br></div>

--089e010d84ec09b26704d608391b--

From bascule@gmail.com  Lun fÃ©v 18 23:46:02 2013 +0000
Return-Path: <bascule@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 13980 invoked by uid 89); 18 Feb 2013 23:46:00 -0000
Received: by simscan 1.4.0 ppid: 13971, pid: 13973, t: 0.3086s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=HTML_MESSAGE,RDNS_NONE
	autolearn=no version=3.2.5
Received: from unknown (HELO mail-ve0-f174.google.com) (209.85.128.174)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 18 Feb 2013 23:46:00 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.128.174 as permitted sender)
Received: by mail-ve0-f174.google.com with SMTP id pb11so5392521veb.33
        for <discussions@password-hashing.net>; Mon, 18 Feb 2013 15:45:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:mime-version:sender:from:date:x-google-sender-auth
         :message-id:subject:to:content-type;
        bh=YqdsZgrS2M7AxFTtTWJfREQ4EfvRpX/aZ+k3z7Pc3FQ=;
        b=odUJMunm7hlbE9WnbSHNv/7qV3nDKHUp76yG2d/A+2PfJJlzU2aA9VSLgtRDvmzS6K
         EqdqBB88J/HQLmZIPWp4L4yiZcm3f0RI4guATFvlN3XJJ/N8kCHjREW3Ta1VrqEKHZMF
         jDF5gvrnJ0uHhXSzShiOVng18KEA4pYnOsItfBl/ok47DeVUg4ZAW+TMftapkWcKdBO9
         8mTXFBmDUdilqDOJsoV11hu7BPieWUplKKMlLz3GbLVaslFm3RfdzfnWPT3y+XGeco7Q
         5GNPkomJV3GP8ki8LSZaG22gCCmqN7tO77p53PgOfxsLuFAqQoE41kroobvBBwsWDtgQ
         HJ1g==
X-Received: by 10.220.150.3 with SMTP id w3mr18012887vcv.37.1361231159152;
 Mon, 18 Feb 2013 15:45:59 -0800 (PST)
MIME-Version: 1.0
Sender: bascule@gmail.com
Received: by 10.58.251.71 with HTTP; Mon, 18 Feb 2013 15:45:39 -0800 (PST)
From: Tony Arcieri <tony.arcieri@gmail.com>
Date: Mon, 18 Feb 2013 15:45:39 -0800
X-Google-Sender-Auth: p8wiONa-phiXNCOkwbE1ikWXXSo
Message-ID: <CAHOTMVKpmm_VdsL7=0ocXMwgPTgK4S9VEW71FRRQdRZ-f-QB=A@mail.gmail.com>
To: discussions@password-hashing.net
Content-Type: multipart/alternative; boundary=f46d043894a5b2cea704d60853da
Subject: Password hashes as URIs

--f46d043894a5b2cea704d60853da
Content-Type: text/plain; charset=ISO-8859-1

There's been some work on an RFC for hashes-as-URIs:

http://tools.ietf.org/html/draft-farrell-decade-ni-10

I believe this has been discussed earlier, but I think one of the
interesting things this competition could also produce is a similar URI
scheme for storing password hashes: one that includes the algorithm name,
the hash, salt/nonce, and the algorithm-specific parameters.

A scheme like this could allow someone to have several different password
hashing schemes active at once (e.g. if they started with one scheme but
are lazily upgrading to another, newer scheme) and would also allow
interoperability between these libraries.

Yay? Nay?

-- 
Tony Arcieri

--f46d043894a5b2cea704d60853da
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">There&#39;s been some work on an RFC for hashes-as-URIs:<d=
iv><br></div><div><a href=3D"http://tools.ietf.org/html/draft-farrell-decad=
e-ni-10">http://tools.ietf.org/html/draft-farrell-decade-ni-10</a></div><di=
v>

<br></div><div>I believe this has been discussed earlier, but I think one o=
f the interesting things this competition could also produce is a similar U=
RI scheme for storing password hashes: one that includes the algorithm name=
, the hash, salt/nonce, and the algorithm-specific parameters.</div>

<div><br></div><div style>A scheme like this could allow someone to have se=
veral different password hashing schemes active at once (e.g. if they start=
ed with one scheme but are lazily upgrading to another, newer scheme) and w=
ould also allow interoperability between these libraries.</div>

<div><br></div><div>Yay? Nay?</div><div><div><br></div>-- <br>Tony Arcieri<=
br>
</div></div>

--f46d043894a5b2cea704d60853da--

From alec.muffett@gmail.com  Lun fÃ©v 18 23:50:08 2013 +0000
Return-Path: <alec.muffett@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 14273 invoked by uid 89); 18 Feb 2013 23:50:05 -0000
Received: by simscan 1.4.0 ppid: 14266, pid: 14269, t: 0.2371s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=HTML_MESSAGE,RDNS_NONE
	autolearn=no version=3.2.5
Received: from unknown (HELO mail-wi0-f169.google.com) (209.85.212.169)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 18 Feb 2013 23:50:05 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.212.169 as permitted sender)
Received: by mail-wi0-f169.google.com with SMTP id l13so4407827wie.0
        for <discussions@password-hashing.net>; Mon, 18 Feb 2013 15:50:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:x-received:in-reply-to:references:date:message-id
         :subject:from:to:content-type;
        bh=g64g+PBtkfOF/emW1vTY/PuPwhmAF7zlTu++fxcOl/s=;
        b=UdvV7bFSf0Btr1oERobSWv2noTBrjTMHziSXnclK9rDg7zJgsplHucpHDeBJgYeISZ
         MzhcKpxHbfFAcZ4cQH9TYhiQbvvtLoRL9upKVT9FBkiuYLi6P3wilXrqG9J35vF7oRwh
         NIFMnCJRgqZzoz/KcV0qSwtHlITM0dzMtBXEMgGNsZGNKObfydwgDzZIBBJX2gaZWYL6
         cQ+O14KjCjR71PiU84k9fVdav3a+LC9ubzkh7K0gpBGtPrRhhgVrXjLmyQuka//1v7od
         FSAjJRs9df1Z9vc3aau/zl69TEq/2YilD/69EMD0HVgtfY62sxZuESCUmDn+TBQTUKbs
         D0Fg==
MIME-Version: 1.0
X-Received: by 10.194.19.97 with SMTP id d1mr22374828wje.52.1361231405039;
 Mon, 18 Feb 2013 15:50:05 -0800 (PST)
Received: by 10.194.75.167 with HTTP; Mon, 18 Feb 2013 15:50:04 -0800 (PST)
Received: by 10.194.75.167 with HTTP; Mon, 18 Feb 2013 15:50:04 -0800 (PST)
In-Reply-To: <CAHOTMVKpmm_VdsL7=0ocXMwgPTgK4S9VEW71FRRQdRZ-f-QB=A@mail.gmail.com>
References: <CAHOTMVKpmm_VdsL7=0ocXMwgPTgK4S9VEW71FRRQdRZ-f-QB=A@mail.gmail.com>
Date: Mon, 18 Feb 2013 23:50:04 +0000
Message-ID: <CAFWeb9KdgurSDmZEcZfDw-EuWP_t8=Jtqwistw-LKGJaq4fmGg@mail.gmail.com>
From: Alec Muffett <alec.muffett@gmail.com>
To: discussions@password-hashing.net
Content-Type: multipart/alternative; boundary=047d7b5d9a6d5ac0f304d60862bd
Subject: Re: [PHC] Password hashes as URIs

--047d7b5d9a6d5ac0f304d60862bd
Content-Type: text/plain; charset=ISO-8859-1

Google for 'Pluggable Crypt' ... Am on a train now but will try to relate
some experiences when I next get a proper mail client

--047d7b5d9a6d5ac0f304d60862bd
Content-Type: text/html; charset=ISO-8859-1

<p>Google for &#39;Pluggable Crypt&#39; ... Am on a train now but will try to relate some experiences when I next get a proper mail client </p>

--047d7b5d9a6d5ac0f304d60862bd--

From bugbee@mac.com  Lun fÃ©v 18 23:57:25 2013 +0000
Return-Path: <bugbee@mac.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 14628 invoked by uid 89); 18 Feb 2013 23:57:24 -0000
Received: by simscan 1.4.0 ppid: 14622, pid: 14624, t: 0.4860s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: *
X-Spam-Status: No, score=1.4 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO nk11p03mm-asmtp002.mac.com) (17.158.232.237)
  by qmailtoaster.cryptyx.com with SMTP; 18 Feb 2013 23:57:24 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at mac.com designates 17.158.232.237 as permitted sender)
Received: from [192.168.1.105] ([76.104.203.117]) by nk11p03mm-asmtp002.mac.com
 (Oracle Communications Messaging Server 7u4-26.01(7.0.4.26.0) 64bit (built Jul
 13 2012)) with ESMTPSA id <0MIF006JCX7LASA0@nk11p03mm-asmtp002.mac.com> for
 discussions@password-hashing.net; Mon, 18 Feb 2013 23:57:23 +0000 (GMT)
X-Proofpoint-Virus-Version: vendor=fsecure
 engine=2.50.10432:5.9.8327,1.0.431,0.0.0000
 definitions=2013-02-18_05:2013-02-18,2013-02-18,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0
 ipscore=0 suspectscore=1 phishscore=0 bulkscore=0 adultscore=0 classifier=spam
 adjust=0 reason=mlx scancount=1 engine=6.0.2-1203120001
 definitions=main-1302180272
Content-type: text/plain; charset=us-ascii
MIME-version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Larry Bugbee <bugbee@mac.com>
In-reply-to: <20130218230035.GC20985@openwall.com>
Date: Mon, 18 Feb 2013 15:57:21 -0800
Content-transfer-encoding: quoted-printable
Message-id: <88702945-FB82-4B44-A68F-6A9F159F4077@mac.com>
References: <000101ce0e23$af8f9570$0eaec050$@acm.org>
 <20130218230035.GC20985@openwall.com>
To: discussions@password-hashing.net
X-Mailer: Apple Mail (2.1499)
Subject: Re: [PHC] Coding of the in[inlen] array for PHS( )

On Feb 18, 2013, at 3:00 PM, Solar Designer <solar@openwall.com> wrote:
> In PHS(), we deal with bytes.

+1

...and said bytes/byte strings/byte arrays should be specified to be in =
network byte order.



From solar@openwall.com  Mar fÃ©v 19 00:06:30 2013 +0000
Return-Path: <solar@openwall.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 15223 invoked by uid 89); 19 Feb 2013 00:06:30 -0000
Received: by simscan 1.4.0 ppid: 15217, pid: 15219, t: 0.3449s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mother.openwall.net) (195.42.179.200)
  by qmailtoaster.cryptyx.com with SMTP; 19 Feb 2013 00:06:29 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at openwall.com designates 195.42.179.200 as permitted sender)
Received: (qmail 13316 invoked from network); 19 Feb 2013 00:06:29 -0000
Received: from localhost (HELO pvt.openwall.com) (127.0.0.1)
  by localhost with SMTP; 19 Feb 2013 00:06:29 -0000
Received: by pvt.openwall.com (Postfix, from userid 503)
	id 7334A6FB04; Tue, 19 Feb 2013 04:06:25 +0400 (MSK)
Date: Tue, 19 Feb 2013 04:06:25 +0400
From: Solar Designer <solar@openwall.com>
To: discussions@password-hashing.net
Message-ID: <20130219000625.GC21098@openwall.com>
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz> <061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org> <5120951F.8000303@bindshell.nl> <87txpaii2q.fsf@wolfjaw.dfranke.us>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87txpaii2q.fsf@wolfjaw.dfranke.us>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [PHC] Any "large verifiers" on the panel?

On Sun, Feb 17, 2013 at 07:25:33PM -0500, Daniel Franke wrote:
> Jeremi Gosney <epixoip@bindshell.nl> writes:
> 
> > You have to assume that if the passwords are compromised, the
> > encryption key is as well.
> 
> I'm with all those who say that we shouldn't be granting this
> assumption.

I'd say it may be useful to grant or not grant this assumption in
different contexts.  Of course, we have to assume that our encryption
key or secret local parameter has been compromised when we design the
rest of our password hashing scheme.  If we don't make that assumption,
there's nothing else for us to do - "hey, the passwords are encrypted
and the key is not compromised, why hash them, let alone spend much CPU
and RAM on that?" - that's wrong, indeed.  We may want to have defense
in depth.  Our last resort defense - the costly hashing - is non-perfect
when we're dealing with low entropy passwords.  So we may reasonably use
another non-perfect layer of security, and yes it's non-perfect in
different ways.  In this context, we need to assume that the secret
key/parameter may or may not have been compromised, and we should design
our password hashing scheme (and the rest of the system, but that's not
PHC material) such that it's reasonable in either case.

> An adversary who has completely compromised a web server
> doesn't have to bother cracking password hashes at all.

This is not true.  Here are some good reasons why they may want to crack
the hashes anyway:

1. Persistence, without having to introduce changes into the system
(which may be spotted and undone by the defender).  The initial
vulnerability may be patched, and the backdoors may be removed or be
unsuitable to be installed, so the intruder will use real users'
passwords to continue getting into the system.

2. The accounts may be of value (for resale, for direct use by the
attacker, for indirect use of the information by the attacker).  In some
cases, this is (more conveniently) available via the passworded logins
(e.g., to sell 1 million accounts on a certain service to spammers).

3. Password reuse on other systems or sites.  The cracked passwords may
allow the attacker - or different attackers - to get into more accounts
of the same people.

4. Research (and not necessarily for sharing it with the "good guys"):
building of common password lists, character frequency statistics, etc.,
including specific to a target organization, a common password policy, a
password generator, etc.  This can help compromise more systems that are
in some way similar.

> He can just capture unhashed passwords as they arrive over the wire.

With a complete compromise, yes, but only for the duration of the
compromise.  That's a subset of all accounts.

> If we aren't
> completely wasting our time having this competition, then we should
> absolutely be thinking about what constitutes a realistic model of
> common partial-compromise scenarios, and what features we can add to a
> password-hashing scheme in order to make it more secure in that model.

As we've just seen, there's some difference of opinion in what's common,
so I suggest that we let PHC submission authors decide whether they want
to include the optional extras or not (this will also depend on how
difficult or easy it is for them to do that in a given case, which will
vary).  We won't be wasting our time even if we only get basic password
hashing schemes with no optional inputs, nor if we get password hashing
schemes with optional inputs.  This is not the most important aspect.

Of course, what's actually common is not a matter of opinion, but we
lack the statistics.  Besides, until the use of local parameters to
password hashing schemes becomes more common, we can't expect their
compromises to be common (or not).  We're simply not there yet.

Alexander

From bascule@gmail.com  Mar fÃ©v 19 00:08:31 2013 +0000
Return-Path: <bascule@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 15383 invoked by uid 89); 19 Feb 2013 00:08:31 -0000
Received: by simscan 1.4.0 ppid: 15375, pid: 15379, t: 0.2886s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.3 required=4.0 tests=AWL,HTML_MESSAGE,RDNS_NONE,
	SARE_MILLIONSOF autolearn=no version=3.2.5
Received: from unknown (HELO mail-vb0-f48.google.com) (209.85.212.48)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 19 Feb 2013 00:08:31 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.212.48 as permitted sender)
Received: by mail-vb0-f48.google.com with SMTP id fc21so3884228vbb.35
        for <discussions@password-hashing.net>; Mon, 18 Feb 2013 16:08:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:mime-version:sender:in-reply-to:references:from:date
         :x-google-sender-auth:message-id:subject:to:cc:content-type;
        bh=geR6kzJJdIda+ErN1PQYuJAWGS4GoRa4B7KbFURgdjA=;
        b=TtEr0Ld3ZHi0wAZ4RpneQmh59PHZerriiBk7CN4jg6DyPDXlBE0I2YyCR/Vv1uXd62
         RfgKua0wBNbAr2zyM5buNIVaVLyhL9wBaZEvJvblInGqZ2HMmR126N8P3NWr9NKnDFmb
         hffcG2FJdK4NCKQ1WyS3kJNH65iPJkgHn3aa3IZdtLyNg7IBg2fLNPITVLQS9jsXlrt9
         g0S5MVX9r8spFiIF9vF5hqZWRwimebObiKQH+gJpnwuY2NjDlyZ4Du9Zn2Vixr0gjxte
         VTzdyL6SccLZVmeuDBZhWX0rADl44f3Dm0r//63dTOUCA/C2iR06pbVXtilRIPRnEl4p
         olcw==
X-Received: by 10.58.233.210 with SMTP id ty18mr18272212vec.46.1361232509988;
 Mon, 18 Feb 2013 16:08:29 -0800 (PST)
MIME-Version: 1.0
Sender: bascule@gmail.com
Received: by 10.58.251.71 with HTTP; Mon, 18 Feb 2013 16:08:09 -0800 (PST)
In-Reply-To: <49646EF5-3F83-45A8-89CD-B444143EBDB9@goldmark.org>
References: <49646EF5-3F83-45A8-89CD-B444143EBDB9@goldmark.org>
From: Tony Arcieri <tony.arcieri@gmail.com>
Date: Mon, 18 Feb 2013 16:08:09 -0800
X-Google-Sender-Auth: zNohdkyoa9ueUcnpBVFjSICsNwY
Message-ID: <CAHOTMVLfyLTEojpDw-YHOPdTUy+srwR8=+F9xLB3ZCL3CDVxCA@mail.gmail.com>
To: Jeffrey Goldberg <Jeffrey@goldmark.org>
Cc: "discussions@password-hashing.net" <discussions@password-hashing.net>
Content-Type: multipart/alternative; boundary=089e0102ee7c36ef3c04d608a44d
Subject: Re: [PHC] Any "large verifiers" on the panel?

--089e0102ee7c36ef3c04d608a44d
Content-Type: text/plain; charset=ISO-8859-1

On Sat, Feb 16, 2013 at 7:59 AM, Jeffrey Goldberg <Jeffrey@goldmark.org>wrote:

> I'm not familiar with everyone on the panel, but I think it would be
> useful to have someone with an understanding of having to deal with a large
> number of legitimate authentication sessions.  Someone who, say, manages
> Gmail logins (IMAP, web, etc) may have insight into what sorts of cost
> parameters they would like to have.


I'm on the panel, and work for LivingSocial. We certainly aren't "Google
Scale" but we handle millions of logins a day for tens of millions of users.

-- 
Tony Arcieri

--089e0102ee7c36ef3c04d608a44d
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">On Sat, Feb 16, 2013 at 7:59 AM, Jeffrey Goldberg <span di=
r=3D"ltr">&lt;<a href=3D"mailto:Jeffrey@goldmark.org" target=3D"_blank" onc=
lick=3D"window.open(&#39;https://mail.google.com/mail/?view=3Dcm&amp;tf=3D1=
&amp;to=3DJeffrey@goldmark.org&amp;cc=3D&amp;bcc=3D&amp;su=3D&amp;body=3D&#=
39;,&#39;_blank&#39;);return false;">Jeffrey@goldmark.org</a>&gt;</span> wr=
ote:<br>

<div class=3D"gmail_extra"><div class=3D"gmail_quote"><blockquote class=3D"=
gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-=
left:1ex">I&#39;m not familiar with everyone on the panel, but I think it w=
ould be useful to have someone with an understanding of having to deal with=
 a large number of legitimate authentication sessions. =A0Someone who, say,=
 manages Gmail logins (IMAP, web, etc) may have insight into what sorts of =
cost parameters they would like to have.</blockquote>

<div><br></div><div style>I&#39;m on the panel, and work for LivingSocial. =
We certainly aren&#39;t &quot;Google Scale&quot; but we handle millions of =
logins a day for tens of millions of users.</div></div><div><br></div>
-- <br>
Tony Arcieri<br>
</div></div>

--089e0102ee7c36ef3c04d608a44d--

From solar@openwall.com  Mar fÃ©v 19 00:19:45 2013 +0000
Return-Path: <solar@openwall.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 16048 invoked by uid 89); 19 Feb 2013 00:19:45 -0000
Received: by simscan 1.4.0 ppid: 16042, pid: 16044, t: 0.3117s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mother.openwall.net) (195.42.179.200)
  by qmailtoaster.cryptyx.com with SMTP; 19 Feb 2013 00:19:45 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at openwall.com designates 195.42.179.200 as permitted sender)
Received: (qmail 18006 invoked from network); 19 Feb 2013 00:19:44 -0000
Received: from localhost (HELO pvt.openwall.com) (127.0.0.1)
  by localhost with SMTP; 19 Feb 2013 00:19:44 -0000
Received: by pvt.openwall.com (Postfix, from userid 503)
	id D0CD66FB04; Tue, 19 Feb 2013 04:19:41 +0400 (MSK)
Date: Tue, 19 Feb 2013 04:19:41 +0400
From: Solar Designer <solar@openwall.com>
To: discussions@password-hashing.net
Message-ID: <20130219001941.GA21498@openwall.com>
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz> <061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org> <5120951F.8000303@bindshell.nl> <87txpaii2q.fsf@wolfjaw.dfranke.us> <CAEw2jfz3CG9VLpV--cyzTAvF854qG-CZ9PX02LeB5-1X2JV=tQ@mail.gmail.com> <20130218232700.GA21098@openwall.com> <CAEw2jfzOr8nFSnjWorBVcZd4yJfVWb3FjF8NpBLHLvrugZNssA@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAEw2jfzOr8nFSnjWorBVcZd4yJfVWb3FjF8NpBLHLvrugZNssA@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [PHC] Any "large verifiers" on the panel?

On Tue, Feb 19, 2013 at 12:38:31AM +0100, Patrick Mylund Nielsen wrote:
> That attackers are compromising servers and sniffing passwords over the
> wire, waiting for re-authentications, rather than just grabbing the
> database.

Both of these things (and many others) are happening.  It is non-obvious
which is more common.

Alexander

From patrick@patrickmn.com  Mar fÃ©v 19 00:42:44 2013 +0000
Return-Path: <patrick@patrickmn.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 17256 invoked by uid 89); 19 Feb 2013 00:42:44 -0000
Received: by simscan 1.4.0 ppid: 17249, pid: 17252, t: 0.5817s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,HTML_MESSAGE,RDNS_NONE
	autolearn=no version=3.2.5
Received: from unknown (HELO mail-wg0-f41.google.com) (74.125.82.41)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 19 Feb 2013 00:42:43 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 74.125.82.41 as permitted sender)
Received: by mail-wg0-f41.google.com with SMTP id ds1so3186773wgb.4
        for <discussions@password-hashing.net>; Mon, 18 Feb 2013 16:42:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=patrickmylund.com; s=pmylund;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:content-type;
        bh=v/tIrIAgHtkOXALHGAKlQlRS8iErN17NyQ6Dxad30UE=;
        b=IUqiK8GNu13j6JtK+s/hclaSyVwFGL6uA3cwz1qd4bAn+/foQIaU+GvPN+S/t4keVg
         JiG1yTpBb51rlcr/DRanlV7hNAh2YMtiv3k2vOqIdk60RdSvBS4GOGt5G26/UxjJZaCE
         wru4DyCZc+wcCmzXl7PnxLR13QjjVB7wVrtt4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:content-type:x-gm-message-state;
        bh=v/tIrIAgHtkOXALHGAKlQlRS8iErN17NyQ6Dxad30UE=;
        b=icXiTBy0RwBQ2oyzJfs45z7U9+5HFb/cKF7qtU5lXhPNCPRulGB2T/cC8H/82ytdtc
         O8zZWZHbbfYgV0LIgLvut+FWob2N4dnNJAFQM+LmI+kBzVI8Yz5v+nG7RB4HjqjGPL1u
         8dnv0lAy1PeVImLgNfZl+CiUXr5k9Q+odgnVfuSr24mUuJLFNNjgWrv/XT3dN3XB4pq8
         BBdss5fdrtOg0uJwwG5v1bU6VuP++WMxiuOXBZn//ghBPBowquTuBkKesE8wZKJMbAMl
         qX8au3uYndPZ/PAPHnRiF6JLi0eSBm9XbAdhAYRcBzfm4xGb8UNUdwGPN5yvWds3sh41
         5oEA==
MIME-Version: 1.0
X-Received: by 10.180.81.42 with SMTP id w10mr12297641wix.28.1361234563059;
 Mon, 18 Feb 2013 16:42:43 -0800 (PST)
Received: by 10.194.35.196 with HTTP; Mon, 18 Feb 2013 16:42:42 -0800 (PST)
X-Originating-IP: [85.224.171.72]
In-Reply-To: <CAEw2jfzOr8nFSnjWorBVcZd4yJfVWb3FjF8NpBLHLvrugZNssA@mail.gmail.com>
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz>
	<061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org>
	<5120951F.8000303@bindshell.nl>
	<87txpaii2q.fsf@wolfjaw.dfranke.us>
	<CAEw2jfz3CG9VLpV--cyzTAvF854qG-CZ9PX02LeB5-1X2JV=tQ@mail.gmail.com>
	<20130218232700.GA21098@openwall.com>
	<CAEw2jfzOr8nFSnjWorBVcZd4yJfVWb3FjF8NpBLHLvrugZNssA@mail.gmail.com>
Date: Tue, 19 Feb 2013 01:42:42 +0100
Message-ID: <CAEw2jfzsBkwuQHLKxXwSPyighUX0CTohZ3Qn=pqm7wm=99b36A@mail.gmail.com>
From: Patrick Mylund Nielsen <patrick@patrickmylund.com>
To: "discussions@password-hashing.net" <discussions@password-hashing.net>
Content-Type: multipart/alternative; boundary=bcaec555503e964ff804d6091e21
X-Gm-Message-State: ALoCoQkxL8iTDvUDvwoEisKGHCvFZ3jO2d8iV5jb9nPSrbDrpziMJUtzZHm3K+RqPR2MVdfOITLz
Subject: Re: [PHC] Any "large verifiers" on the panel?

--bcaec555503e964ff804d6091e21
Content-Type: text/plain; charset=UTF-8

>> This is a simplistic/idealistic view.  We're dealing with a problem
where we don't have the luxury of possibly arriving at a perfect solution
anyway.  Why should we discard other imperfect security measures, then?

> I'm not sure if I was unclear here: PHC needs to resist offline attacks
since we can assume that the database of verifiers/digests will be
compromised at some point. I don't think this is simplistic/ideal, just
realistic.

Sorry, I do agree that it doesn't hurt to have e.g. a secret that is e.g.
on the disk instead of the database--I'm just worried that such secrets
would become central to the strength of the algorithm, i.e. developers rely
too much on the secret, and offline attacks become trivial if you have both
the secrets and the salts+digests. I didn't mean that it should be ignored,
but that I hope it is considered a "bonus" and not a condition for
security. Of course, if the latter happens, we will have gone full circle
if developers using bcrypt decide to switch to this faster construction,
but don't handle the secrets differently. (Consider that very few
production applications today actually have the kind of meaningful
separation this would require, sans maybe DB vs. disk--it's quite hard to
give some application access to both digests and a secret, and not grant an
attacker the same access if he compromises the machine it's on.)

At the end of the day, I think the point I'm trying to get across is:
Developers want libraries like py-bcrypt that they can import, run phc(pwd)
and save the result. If it uses another secret, they will put it in a
config file or hard-code it in the application without any special
ACL/privilege separation. Also, there is a good chance that vulnerabilities
on the machine or the network provides a way to access the files on the
machine, or at least the database containing the digests. If we make other
assumptions then we risk developers not using the construction over bcrypt
because it is too much work (a major contributor to why bcrypt is fairly
popular today vs. PBKDF2/scrypt for password authentication, IMHO), or
worse, hurting the end users more than they would have been if their
provider had used bcrypt. (Yeah, you could argue that "the developers
should have known better, and spent more time on it", or "The users should
have chosen stronger and unique passwords." Of course, that's not the world
we live in...)


On Tue, Feb 19, 2013 at 12:38 AM, Patrick Mylund Nielsen <
patrick@patrickmylund.com> wrote:

> > Oh, the wonders of top-posting.  I can't even comment on that paragraph because
> it is unclear what exactly you were referring to. ;-)
>
> That attackers are compromising servers and sniffing passwords over the
> wire, waiting for re-authentications, rather than just grabbing the
> database.
>
> > Actually, dealing with online attacks is not always that easy - in particular,
> if we consider that some may target password reuse from other sites.
>
> Sure, but if you actually get the username and password right, the PHC
> can't protect you anyway. My point was that it should not be the focus of
> the PHC to be resistant to online (slow) attacks since that is not where
> we're hurting the most, currently.
>
> > Now, one can argue that a local parameter stored in the exact same place with
> the hashes is useless, and I agree - in cases where it's just an implementation
> obscurity, the false sense of security aspect may outweigh the arguable
> advantage of some attackers naively missing the local parameter.
> ...
> > Thus, the wording of in the call for submissions: a secret local parameter
> is allowed as an optional input, but its support is not required from PHC
> submissions.  It's then up to each individual submissions' authors to
> include this functionality or not, according to their beliefs, ease of
> inclusion of an extra parameter within their design, etc.  I think this
> is how it should be.
>
> This is the point I was trying to get across: It wouldn't hurt to be able
> to strengthen the construction somehow by using a secret that is stored
> elsewhere, but the security of the algorithm should not be contingent upon
> it.
>
> > This is a simplistic/idealistic view.  We're dealing with a problem
> where we don't have the luxury of possibly arriving at a perfect solution
> anyway.  Why should we discard other imperfect security measures, then?
>
> I'm not sure if I was unclear here: PHC needs to resist offline attacks
> since we can assume that the database of verifiers/digests will be
> compromised at some point. I don't think this is simplistic/ideal, just
> realistic.
>
>
>
> On Tue, Feb 19, 2013 at 12:27 AM, Solar Designer <solar@openwall.com>wrote:
>
>> On Mon, Feb 18, 2013 at 09:54:01AM +0100, Patrick Mylund Nielsen wrote:
>> > Except this is not what happens today.
>>
>> Oh, the wonders of top-posting.  I can't even comment on that paragraph
>> because it is unclear what exactly you were referring to. ;-)
>>
>> > What does happen, and what absolutely hurts the most, is when somebody
>> gets
>> > a hold of your entire database of (weak) digests and cracks them on
>> their
>> > own or dumps them in a pastebin, e.g. without the usernames. The PHC
>> > schemes, IMHO, really need to be resistant to this.
>>
>> Yes, PHC is precisely about coming up with password hashing schemes that
>> mitigate offline attacks.
>>
>> > We _already have_
>> > effective ways to resist online attacks--exponential backoff, bans, even
>> > captchas...
>>
>> Actually, dealing with online attacks is not always that easy - in
>> particular, if we consider that some may target password reuse from
>> other sites.  Some large sites are having a hard time dealing with
>> online attacks:
>>
>> http://lists.openwall.net/full-disclosure/2012/05/17/11
>> https://ripe64.ripe.net/presentations/48-AbuseAtScale.pdf
>> https://speakerdeck.com/u/duosec/p/mike-hearn-at-ripe-64-abuse-at-scale
>>
>> It's just beyond scope of PHC.
>>
>> > To give an example: Blizzard Entertainment got a huge level of flak from
>> > the tech, and even the crypto, communities for using SRP when their
>> > verifiers were compromised, as people realized that SRP protects against
>> > MITM attacks, not offline attacks:
>> >
>> http://arstechnica.com/security/2012/08/hacked-blizzard-passwords-not-hard-to-crack/
>>
>> Sure.  SRP does not solve the problem that we're trying to focus on here.
>>
>> > IMHO, it is a more useful exercise to think about leveraging clients,
>> e.g.
>> > for key derivation,
>>
>> It is OK to discuss this in PHC context, but how does it affect the
>> actual PHC submissions?  Well, scalability (via the cost settings) to
>> mobile devices is relevant, and it may contribute to us choosing one
>> password hashing scheme over another as a winner.  However, in order to
>> actually do the hashing on the client, a suitable protocol would need to
>> be used.  (And the security offered by that will vary across protocols,
>> as well as across actual implementations, both client- and server-side.)
>> I feel that as it relates to PHC winner selection, only the password
>> hashing scheme scalability aspect is relevant.
>>
>> > than more secrets on the server side. The servers will be compromised.
>>
>> This is a simplistic/idealistic view.  We're dealing with a problem
>> where we don't have the luxury of possibly arriving at a perfect
>> solution anyway.  Why should we discard other imperfect security
>> measures, then?
>>
>> A password hashing scheme that is more costly for an attacker to compute
>> will result in that attacker cracking fewer passwords.  Similarly, a
>> password hashing implementation with a secret local parameter will
>> result in some attackers ending up with hashes, but not the local
>> parameter value.  In either case, the overall number of passwords
>> getting cracked - across multiple sites and attackers - is reduced.
>> Thus, support for a secret local parameter is in line with the goals of
>> PHC.
>>
>> Now, one can argue that a local parameter stored in the exact same place
>> with the hashes is useless, and I agree - in cases where it's just an
>> implementation obscurity, the false sense of security aspect may
>> outweigh the arguable advantage of some attackers naively missing the
>> local parameter.  However, there are also cases where it won't be stored
>> in the exact same place, and a subset of reasonable attacks will likely
>> get to the hashes, but not to the local parameter value.  In PHC, we're
>> merely providing password hashing schemes that are usable with a local
>> parameter.  We do not control whether such uses will be reasonable or
>> not.  Yet discouraging such uses in general just because some are
>> unreasonable is not necessarily good.
>>
>> Thus, the wording of in the call for submissions: a secret local
>> parameter is allowed as an optional input, but its support is not
>> required from PHC submissions.  It's then up to each individual
>> submissions' authors to include this functionality or not, according to
>> their beliefs, ease of inclusion of an extra parameter within their
>> design, etc.  I think this is how it should be.
>>
>> Alexander
>>
>
>

--bcaec555503e964ff804d6091e21
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"im" style=3D"font-family:arial,sans-serif;fo=
nt-size:13px"><div>&gt;&gt; This is a simplistic/idealistic view. =C2=A0We&=
#39;re dealing with a problem where we don&#39;t have the luxury of possibl=
y arriving at a perfect solution anyway. =C2=A0Why should we discard other =
imperfect security measures, then?</div>
<div><br></div></div><div style=3D"font-family:arial,sans-serif;font-size:1=
3px">&gt; I&#39;m not sure if I was unclear here: PHC needs to resist offli=
ne attacks since we can assume that the database of verifiers/digests will =
be compromised at some point. I don&#39;t think this is simplistic/ideal, j=
ust realistic.=C2=A0</div>
<div style=3D"font-family:arial,sans-serif;font-size:13px"><br></div><div s=
tyle=3D"font-family:arial,sans-serif;font-size:13px">Sorry, I do agree that=
 it doesn&#39;t hurt to have e.g. a secret that is e.g. on the disk instead=
 of the database--I&#39;m just worried that such secrets would become centr=
al to the strength of the algorithm, i.e. developers rely too much on the s=
ecret, and offline attacks become trivial if you have both the secrets and =
the salts+digests. I didn&#39;t mean that it should be ignored, but that I =
hope it is considered a &quot;bonus&quot; and not a condition for security.=
 Of course, if the latter happens, we will have gone full circle if develop=
ers using bcrypt decide to switch to this faster construction, but don&#39;=
t handle the secrets differently. (Consider that very few production applic=
ations today actually have the kind of meaningful separation this would req=
uire, sans maybe DB vs. disk--it&#39;s quite hard to give some application =
access to both digests and a secret, and not grant an attacker the same acc=
ess if he compromises the machine it&#39;s on.)</div>
<div style=3D"font-family:arial,sans-serif;font-size:13px"><br></div><div s=
tyle=3D"font-family:arial,sans-serif;font-size:13px">At the end of the day,=
 I think the point I&#39;m trying to get across is: Developers want librari=
es like py-bcrypt that they can import, run phc(pwd) and save the result. I=
f it uses another secret, they will put it in a config file or hard-code it=
 in the application without any special ACL/privilege separation. Also, the=
re is a good chance that vulnerabilities on the machine or the network prov=
ides a way to access the files on the machine, or at least the database con=
taining the digests. If we make other assumptions then we risk developers n=
ot using the construction over bcrypt because it is too much work (a major =
contributor to why bcrypt is fairly popular today vs. PBKDF2/scrypt for pas=
sword authentication, IMHO), or worse, hurting the end users more than they=
 would have been if their provider had used bcrypt. (Yeah, you could argue =
that &quot;the developers should have known better, and spent more time on =
it&quot;, or &quot;The users should have chosen stronger and unique passwor=
ds.&quot; Of course, that&#39;s not the world we live in...)</div>
<div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On Tue, Feb 1=
9, 2013 at 12:38 AM, Patrick Mylund Nielsen <span dir=3D"ltr">&lt;<a href=
=3D"mailto:patrick@patrickmylund.com" target=3D"_blank">patrick@patrickmylu=
nd.com</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><div dir=3D"ltr"><div class=3D"im">&gt;=C2=
=A0<span style=3D"font-family:arial,sans-serif;font-size:13px">Oh, the wond=
ers of top-posting. =C2=A0I can&#39;t even comment on that paragraph=C2=A0<=
/span><span style=3D"font-family:arial,sans-serif;font-size:13px">because i=
t is unclear what exactly you were referring to. ;-)</span><div>

<span style=3D"font-family:arial,sans-serif;font-size:13px"><br></span></di=
v></div><div><span style=3D"font-family:arial,sans-serif;font-size:13px">Th=
at attackers are compromising servers and sniffing passwords over the wire,=
 waiting for re-authentications, rather than just grabbing the database.</s=
pan></div>

<div><div class=3D"im"><div><br></div><div>&gt;=C2=A0<span style=3D"font-fa=
mily:arial,sans-serif;font-size:13px">Actually, dealing with online attacks=
 is not always that easy - in=C2=A0</span><span style=3D"font-family:arial,=
sans-serif;font-size:13px">particular, if we consider that some may target =
password reuse from=C2=A0</span><span style=3D"font-family:arial,sans-serif=
;font-size:13px">other sites.</span></div>

<div><span style=3D"font-family:arial,sans-serif;font-size:13px"><br></span=
></div></div><div><span style=3D"font-family:arial,sans-serif;font-size:13p=
x">Sure, but if you actually get the username and password right, the PHC c=
an&#39;t protect you anyway. My point was that it should not be the focus o=
f the PHC to be resistant to online (slow) attacks since that is not where =
we&#39;re hurting the most, currently.</span></div>
<div class=3D"im">
<div><font face=3D"arial, sans-serif"><br></font></div><div><font face=3D"a=
rial, sans-serif">&gt; Now, one can argue that a local parameter stored in =
the exact same place=C2=A0</font><span style=3D"font-family:arial,sans-seri=
f">with the hashes is useless, and I agree - in cases where it&#39;s just a=
n=C2=A0</span><span style=3D"font-family:arial,sans-serif">implementation o=
bscurity, the false sense of security aspect may=C2=A0</span><span style=3D=
"font-family:arial,sans-serif">outweigh the arguable advantage of some atta=
ckers naively missing the=C2=A0</span><span style=3D"font-family:arial,sans=
-serif">local parameter.</span></div>

</div><div><span style=3D"font-family:arial,sans-serif">...</span><br></div=
><div class=3D"im"><div><span style=3D"font-family:arial,sans-serif">&gt;=
=C2=A0</span><span style=3D"font-family:arial,sans-serif;font-size:13px">Th=
us, the wording of in the call for submissions: a secret local=C2=A0</span>=
<span style=3D"font-family:arial,sans-serif;font-size:13px">parameter is al=
lowed as an optional input, but its support is not=C2=A0</span><span style=
=3D"font-family:arial,sans-serif;font-size:13px">required from PHC submissi=
ons. =C2=A0It&#39;s then up to each individual=C2=A0</span><span style=3D"f=
ont-family:arial,sans-serif;font-size:13px">submissions&#39; authors to inc=
lude this functionality or not, according to=C2=A0</span><span style=3D"fon=
t-family:arial,sans-serif;font-size:13px">their beliefs, ease of inclusion =
of an extra parameter within their=C2=A0</span><span style=3D"font-family:a=
rial,sans-serif;font-size:13px">design, etc. =C2=A0I think this is how it s=
hould be.</span></div>

<div><span style=3D"font-family:arial,sans-serif;font-size:13px"><br></span=
></div></div><div><span style=3D"font-family:arial,sans-serif;font-size:13p=
x">This is the point I was trying to get across: It wouldn&#39;t hurt to be=
 able to strengthen the construction somehow by using a secret that is stor=
ed elsewhere, but the security of the algorithm should not be contingent up=
on it.=C2=A0</span></div>

<div><span style=3D"font-family:arial,sans-serif"><br></span></div><div><sp=
an style=3D"font-family:arial,sans-serif"><div class=3D"im"><div>&gt; This =
is a simplistic/idealistic view. =C2=A0We&#39;re dealing with a problem whe=
re we don&#39;t have the luxury of possibly arriving at a perfect solution =
anyway. =C2=A0Why should we discard other imperfect security measures, then=
?</div>

<div><br></div></div><div>I&#39;m not sure if I was unclear here: PHC needs=
 to resist offline attacks since we can assume that the database of verifie=
rs/digests will be compromised at some point. I don&#39;t think this is sim=
plistic/ideal, just realistic.=C2=A0</div>

</span></div></div><div><span style=3D"font-family:arial,sans-serif;font-si=
ze:13px"><br></span></div></div><div class=3D"HOEnZb"><div class=3D"h5"><di=
v class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On Tue, Feb 19, =
2013 at 12:27 AM, Solar Designer <span dir=3D"ltr">&lt;<a href=3D"mailto:so=
lar@openwall.com" target=3D"_blank">solar@openwall.com</a>&gt;</span> wrote=
:<br>

<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><div>On Mon, Feb 18, 2013 at 09:54:01AM +010=
0, Patrick Mylund Nielsen wrote:<br>
&gt; Except this is not what happens today.<br>
<br>
</div>Oh, the wonders of top-posting. =C2=A0I can&#39;t even comment on tha=
t paragraph<br>
because it is unclear what exactly you were referring to. ;-)<br>
<div><br>
&gt; What does happen, and what absolutely hurts the most, is when somebody=
 gets<br>
&gt; a hold of your entire database of (weak) digests and cracks them on th=
eir<br>
&gt; own or dumps them in a pastebin, e.g. without the usernames. The PHC<b=
r>
&gt; schemes, IMHO, really need to be resistant to this.<br>
<br>
</div>Yes, PHC is precisely about coming up with password hashing schemes t=
hat<br>
mitigate offline attacks.<br>
<div><br>
&gt; We _already have_<br>
&gt; effective ways to resist online attacks--exponential backoff, bans, ev=
en<br>
&gt; captchas...<br>
<br>
</div>Actually, dealing with online attacks is not always that easy - in<br=
>
particular, if we consider that some may target password reuse from<br>
other sites. =C2=A0Some large sites are having a hard time dealing with<br>
online attacks:<br>
<br>
<a href=3D"http://lists.openwall.net/full-disclosure/2012/05/17/11" target=
=3D"_blank">http://lists.openwall.net/full-disclosure/2012/05/17/11</a><br>
<a href=3D"https://ripe64.ripe.net/presentations/48-AbuseAtScale.pdf" targe=
t=3D"_blank">https://ripe64.ripe.net/presentations/48-AbuseAtScale.pdf</a><=
br>
<a href=3D"https://speakerdeck.com/u/duosec/p/mike-hearn-at-ripe-64-abuse-a=
t-scale" target=3D"_blank">https://speakerdeck.com/u/duosec/p/mike-hearn-at=
-ripe-64-abuse-at-scale</a><br>
<br>
It&#39;s just beyond scope of PHC.<br>
<div><br>
&gt; To give an example: Blizzard Entertainment got a huge level of flak fr=
om<br>
&gt; the tech, and even the crypto, communities for using SRP when their<br=
>
&gt; verifiers were compromised, as people realized that SRP protects again=
st<br>
&gt; MITM attacks, not offline attacks:<br>
&gt; <a href=3D"http://arstechnica.com/security/2012/08/hacked-blizzard-pas=
swords-not-hard-to-crack/" target=3D"_blank">http://arstechnica.com/securit=
y/2012/08/hacked-blizzard-passwords-not-hard-to-crack/</a><br>
<br>
</div>Sure. =C2=A0SRP does not solve the problem that we&#39;re trying to f=
ocus on here.<br>
<div><br>
&gt; IMHO, it is a more useful exercise to think about leveraging clients, =
e.g.<br>
&gt; for key derivation,<br>
<br>
</div>It is OK to discuss this in PHC context, but how does it affect the<b=
r>
actual PHC submissions? =C2=A0Well, scalability (via the cost settings) to<=
br>
mobile devices is relevant, and it may contribute to us choosing one<br>
password hashing scheme over another as a winner. =C2=A0However, in order t=
o<br>
actually do the hashing on the client, a suitable protocol would need to<br=
>
be used. =C2=A0(And the security offered by that will vary across protocols=
,<br>
as well as across actual implementations, both client- and server-side.)<br=
>
I feel that as it relates to PHC winner selection, only the password<br>
hashing scheme scalability aspect is relevant.<br>
<div><br>
&gt; than more secrets on the server side. The servers will be compromised.=
<br>
<br>
</div>This is a simplistic/idealistic view. =C2=A0We&#39;re dealing with a =
problem<br>
where we don&#39;t have the luxury of possibly arriving at a perfect<br>
solution anyway. =C2=A0Why should we discard other imperfect security<br>
measures, then?<br>
<br>
A password hashing scheme that is more costly for an attacker to compute<br=
>
will result in that attacker cracking fewer passwords. =C2=A0Similarly, a<b=
r>
password hashing implementation with a secret local parameter will<br>
result in some attackers ending up with hashes, but not the local<br>
parameter value. =C2=A0In either case, the overall number of passwords<br>
getting cracked - across multiple sites and attackers - is reduced.<br>
Thus, support for a secret local parameter is in line with the goals of<br>
PHC.<br>
<br>
Now, one can argue that a local parameter stored in the exact same place<br=
>
with the hashes is useless, and I agree - in cases where it&#39;s just an<b=
r>
implementation obscurity, the false sense of security aspect may<br>
outweigh the arguable advantage of some attackers naively missing the<br>
local parameter. =C2=A0However, there are also cases where it won&#39;t be =
stored<br>
in the exact same place, and a subset of reasonable attacks will likely<br>
get to the hashes, but not to the local parameter value. =C2=A0In PHC, we&#=
39;re<br>
merely providing password hashing schemes that are usable with a local<br>
parameter. =C2=A0We do not control whether such uses will be reasonable or<=
br>
not. =C2=A0Yet discouraging such uses in general just because some are<br>
unreasonable is not necessarily good.<br>
<br>
Thus, the wording of in the call for submissions: a secret local<br>
parameter is allowed as an optional input, but its support is not<br>
required from PHC submissions. =C2=A0It&#39;s then up to each individual<br=
>
submissions&#39; authors to include this functionality or not, according to=
<br>
their beliefs, ease of inclusion of an extra parameter within their<br>
design, etc. =C2=A0I think this is how it should be.<br>
<br>
Alexander<br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div></div>

--bcaec555503e964ff804d6091e21--

From patrick@patrickmn.com  Mar fÃ©v 19 00:50:02 2013 +0000
Return-Path: <patrick@patrickmn.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 17786 invoked by uid 89); 19 Feb 2013 00:50:01 -0000
Received: by simscan 1.4.0 ppid: 17745, pid: 17779, t: 0.1962s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,HTML_MESSAGE,RDNS_NONE
	autolearn=no version=3.2.5
Received: from unknown (HELO mail-wi0-f169.google.com) (209.85.212.169)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 19 Feb 2013 00:50:01 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.212.169 as permitted sender)
Received: by mail-wi0-f169.google.com with SMTP id l13so4439938wie.0
        for <discussions@password-hashing.net>; Mon, 18 Feb 2013 16:50:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=patrickmylund.com; s=pmylund;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:content-type;
        bh=D2DwtwRjsum2YwqLiNfiM4OoVEwFZYf+g1MnfT9V9yw=;
        b=A+LhmTb4UBfyGBXUCp1L2sjeePFIlzmjwk8VtWfTPuFuvAHmX8HoG7ly20YxHi8EGa
         p0iKEMkzKaK0WdVwLpQrCXnXyseoqQJ366jfU+tZ/pUtnKU7dgWluA40Xiu63k9mXHil
         XQ3fEi3HV1JRCPrKbUG+8by3ul11n61ZEVZEs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:content-type:x-gm-message-state;
        bh=D2DwtwRjsum2YwqLiNfiM4OoVEwFZYf+g1MnfT9V9yw=;
        b=LDms3qqpN4ML7m9qKmATRijksRHPSAfOG9BqeVRvlhr1HXagtWBliHYwpvgJjBLBJl
         gRzb/3Vh3qfH21tSL+PvuVoTPSXpwGTp2uzfNH+tjN3osO6kbKlaiweJd1Q+8ctetdhc
         HXDNfDTIt5px8GVda7Cb2YG1bOeYSaV3PM0FA2gh5FIucJkp/xWh0LlgqTrp1/lqaj5a
         0ffeVK7aveDWUkMdQGbnqymQb98eM/FZS3jTE1iV+Jg9BcEu1fpVLKn3bavLexPURwf6
         CvFg76kZGlxpusCWPuyPVkYiiMUUkDjl9ro7/1N/Xrr8gNpomNmf67c0kGUYLf22tnz0
         HT0g==
MIME-Version: 1.0
X-Received: by 10.194.58.202 with SMTP id t10mr14247268wjq.4.1361235001025;
 Mon, 18 Feb 2013 16:50:01 -0800 (PST)
Received: by 10.194.35.196 with HTTP; Mon, 18 Feb 2013 16:50:00 -0800 (PST)
X-Originating-IP: [85.224.171.72]
In-Reply-To: <20130219001941.GA21498@openwall.com>
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz>
	<061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org>
	<5120951F.8000303@bindshell.nl>
	<87txpaii2q.fsf@wolfjaw.dfranke.us>
	<CAEw2jfz3CG9VLpV--cyzTAvF854qG-CZ9PX02LeB5-1X2JV=tQ@mail.gmail.com>
	<20130218232700.GA21098@openwall.com>
	<CAEw2jfzOr8nFSnjWorBVcZd4yJfVWb3FjF8NpBLHLvrugZNssA@mail.gmail.com>
	<20130219001941.GA21498@openwall.com>
Date: Tue, 19 Feb 2013 01:50:00 +0100
Message-ID: <CAEw2jfx_-sj2gbQAKMhKAYkuEefXeBuc3zAJuSUFbyRkBc23+A@mail.gmail.com>
From: Patrick Mylund Nielsen <patrick@patrickmylund.com>
To: "discussions@password-hashing.net" <discussions@password-hashing.net>
Content-Type: multipart/alternative; boundary=047d7b86de88b122cb04d609386f
X-Gm-Message-State: ALoCoQkN15Sy07kyWYZaQSeHcO2Y7lchPoXf8kcF7Lf11+1adMUH01VA2qPWqLNtWEOjPvdLD3ub
Subject: Re: [PHC] Any "large verifiers" on the panel?

--047d7b86de88b122cb04d609386f
Content-Type: text/plain; charset=UTF-8

>> That attackers are compromising servers and sniffing passwords over the
>> wire, waiting for re-authentications, rather than just grabbing the
>> database.

> Both of these things (and many others) are happening.  It is non-obvious which
is more common.

My bad for speaking in absolutes. Of course nothing is. Can we agree that a
COPY TO STDOUT of a users table does more damage (and is easier to perform)
with less risk of being caught/stopped in time than does network MITM, and
that based on virtually all of the compromises that have become
(semi-)public, assuming that the former is the more common isn't completely
unreasonable?


On Tue, Feb 19, 2013 at 1:19 AM, Solar Designer <solar@openwall.com> wrote:

> On Tue, Feb 19, 2013 at 12:38:31AM +0100, Patrick Mylund Nielsen wrote:
> > That attackers are compromising servers and sniffing passwords over the
> > wire, waiting for re-authentications, rather than just grabbing the
> > database.
>
> Both of these things (and many others) are happening.  It is non-obvious
> which is more common.
>
> Alexander
>

--047d7b86de88b122cb04d609386f
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div><font face=3D"arial, sans-serif">&gt;</font><span sty=
le=3D"color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">&gt; =
That attackers are compromising servers and sniffing passwords over the</sp=
an></div>
<font face=3D"arial, sans-serif">&gt;</font><span style=3D"font-size:13px;c=
olor:rgb(80,0,80);font-family:arial,sans-serif">&gt;</span><span style=3D"c=
olor:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">=C2=A0wire, =
waiting for re-authentications, rather than just grabbing the</span><br sty=
le=3D"color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">
<font face=3D"arial, sans-serif">&gt;</font><span style=3D"font-size:13px;c=
olor:rgb(80,0,80);font-family:arial,sans-serif">&gt;</span><span style=3D"c=
olor:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">=C2=A0databa=
se.</span><div>
<span style=3D"font-family:arial,sans-serif;font-size:13px"><br></span></di=
v><span style=3D"font-family:arial,sans-serif;font-size:13px">&gt; Both of =
these things (and many others) are happening. =C2=A0It is non-obvious=C2=A0=
</span><span style=3D"font-family:arial,sans-serif;font-size:13px">which is=
 more common.</span><br>
<div><span style=3D"font-family:arial,sans-serif;font-size:13px"><br></span=
></div><div style><span style=3D"font-family:arial,sans-serif;font-size:13p=
x">My bad for speaking in absolutes. Of course nothing is. Can we agree tha=
t a COPY TO STDOUT of a users table does more damage (and is easier to perf=
orm) with less risk of being caught/stopped in time than does network MITM,=
 and that based on virtually all of the compromises that have become (semi-=
)public, assuming that the former is the more common isn&#39;t completely u=
nreasonable?</span></div>
</div><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On Tue,=
 Feb 19, 2013 at 1:19 AM, Solar Designer <span dir=3D"ltr">&lt;<a href=3D"m=
ailto:solar@openwall.com" target=3D"_blank">solar@openwall.com</a>&gt;</spa=
n> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><div class=3D"im">On Tue, Feb 19, 2013 at 12=
:38:31AM +0100, Patrick Mylund Nielsen wrote:<br>
&gt; That attackers are compromising servers and sniffing passwords over th=
e<br>
&gt; wire, waiting for re-authentications, rather than just grabbing the<br=
>
&gt; database.<br>
<br>
</div>Both of these things (and many others) are happening. =C2=A0It is non=
-obvious<br>
which is more common.<br>
<br>
Alexander<br>
</blockquote></div><br></div>

--047d7b86de88b122cb04d609386f--

From solar@openwall.com  Mar fÃ©v 19 00:53:48 2013 +0000
Return-Path: <solar@openwall.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 18008 invoked by uid 89); 19 Feb 2013 00:53:48 -0000
Received: by simscan 1.4.0 ppid: 18002, pid: 18004, t: 0.3287s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mother.openwall.net) (195.42.179.200)
  by qmailtoaster.cryptyx.com with SMTP; 19 Feb 2013 00:53:47 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at openwall.com designates 195.42.179.200 as permitted sender)
Received: (qmail 32206 invoked from network); 19 Feb 2013 00:53:47 -0000
Received: from localhost (HELO pvt.openwall.com) (127.0.0.1)
  by localhost with SMTP; 19 Feb 2013 00:53:47 -0000
Received: by pvt.openwall.com (Postfix, from userid 503)
	id 0504D6FB04; Tue, 19 Feb 2013 04:53:44 +0400 (MSK)
Date: Tue, 19 Feb 2013 04:53:44 +0400
From: Solar Designer <solar@openwall.com>
To: discussions@password-hashing.net
Message-ID: <20130219005344.GB22634@openwall.com>
References: <000101ce0e23$af8f9570$0eaec050$@acm.org> <20130218230035.GC20985@openwall.com> <88702945-FB82-4B44-A68F-6A9F159F4077@mac.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <88702945-FB82-4B44-A68F-6A9F159F4077@mac.com>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [PHC] Coding of the in[inlen] array for PHS( )

On Mon, Feb 18, 2013 at 03:57:21PM -0800, Larry Bugbee wrote:
> On Feb 18, 2013, at 3:00 PM, Solar Designer <solar@openwall.com> wrote:
> > In PHS(), we deal with bytes.
> 
> +1
> 
> ...and said bytes/byte strings/byte arrays should be specified to be in network byte order.

No, byte order does not make sense for the password and salt inputs, and
the numeric inputs are just numbers (in the PHS() interface, they're
just size_t and unsigned int variables that have the correct values in
the host's native representation).

Alexander

From solar@openwall.com  Mar fÃ©v 19 01:00:25 2013 +0000
Return-Path: <solar@openwall.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 18542 invoked by uid 89); 19 Feb 2013 01:00:25 -0000
Received: by simscan 1.4.0 ppid: 18536, pid: 18538, t: 0.3371s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mother.openwall.net) (195.42.179.200)
  by qmailtoaster.cryptyx.com with SMTP; 19 Feb 2013 01:00:25 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at openwall.com designates 195.42.179.200 as permitted sender)
Received: (qmail 3130 invoked from network); 19 Feb 2013 01:00:24 -0000
Received: from localhost (HELO pvt.openwall.com) (127.0.0.1)
  by localhost with SMTP; 19 Feb 2013 01:00:24 -0000
Received: by pvt.openwall.com (Postfix, from userid 503)
	id 39AAC6FB04; Tue, 19 Feb 2013 05:00:22 +0400 (MSK)
Date: Tue, 19 Feb 2013 05:00:22 +0400
From: Solar Designer <solar@openwall.com>
To: discussions@password-hashing.net
Message-ID: <20130219010022.GA22713@openwall.com>
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz> <061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org> <5120951F.8000303@bindshell.nl> <87txpaii2q.fsf@wolfjaw.dfranke.us> <CAEw2jfz3CG9VLpV--cyzTAvF854qG-CZ9PX02LeB5-1X2JV=tQ@mail.gmail.com> <20130218232700.GA21098@openwall.com> <CAEw2jfzOr8nFSnjWorBVcZd4yJfVWb3FjF8NpBLHLvrugZNssA@mail.gmail.com> <CAEw2jfzsBkwuQHLKxXwSPyighUX0CTohZ3Qn=pqm7wm=99b36A@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAEw2jfzsBkwuQHLKxXwSPyighUX0CTohZ3Qn=pqm7wm=99b36A@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [PHC] Any "large verifiers" on the panel?

On Tue, Feb 19, 2013 at 01:42:42AM +0100, Patrick Mylund Nielsen wrote:
> Sorry, I do agree that it doesn't hurt to have e.g. a secret that is e.g.
> on the disk instead of the database--I'm just worried that such secrets
> would become central to the strength of the algorithm, i.e. developers rely
> too much on the secret, and offline attacks become trivial if you have both
> the secrets and the salts+digests.

We're not going to consider such schemes seriously.  The call for
submissions should be clear in this respect.  Isn't it clear now?

> I didn't mean that it should be ignored,
> but that I hope it is considered a "bonus" and not a condition for
> security.

Of course.

Alexander

From solar@openwall.com  Mar fÃ©v 19 01:03:50 2013 +0000
Return-Path: <solar@openwall.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 18947 invoked by uid 89); 19 Feb 2013 01:03:50 -0000
Received: by simscan 1.4.0 ppid: 18941, pid: 18943, t: 0.3292s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mother.openwall.net) (195.42.179.200)
  by qmailtoaster.cryptyx.com with SMTP; 19 Feb 2013 01:03:50 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at openwall.com designates 195.42.179.200 as permitted sender)
Received: (qmail 3738 invoked from network); 19 Feb 2013 01:03:49 -0000
Received: from localhost (HELO pvt.openwall.com) (127.0.0.1)
  by localhost with SMTP; 19 Feb 2013 01:03:49 -0000
Received: by pvt.openwall.com (Postfix, from userid 503)
	id 721056FB04; Tue, 19 Feb 2013 05:03:46 +0400 (MSK)
Date: Tue, 19 Feb 2013 05:03:46 +0400
From: Solar Designer <solar@openwall.com>
To: discussions@password-hashing.net
Message-ID: <20130219010346.GB22713@openwall.com>
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz> <061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org> <5120951F.8000303@bindshell.nl> <87txpaii2q.fsf@wolfjaw.dfranke.us> <CAEw2jfz3CG9VLpV--cyzTAvF854qG-CZ9PX02LeB5-1X2JV=tQ@mail.gmail.com> <20130218232700.GA21098@openwall.com> <CAEw2jfzOr8nFSnjWorBVcZd4yJfVWb3FjF8NpBLHLvrugZNssA@mail.gmail.com> <20130219001941.GA21498@openwall.com> <CAEw2jfx_-sj2gbQAKMhKAYkuEefXeBuc3zAJuSUFbyRkBc23+A@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAEw2jfx_-sj2gbQAKMhKAYkuEefXeBuc3zAJuSUFbyRkBc23+A@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [PHC] Any "large verifiers" on the panel?

On Tue, Feb 19, 2013 at 01:50:00AM +0100, Patrick Mylund Nielsen wrote:
> My bad for speaking in absolutes. Of course nothing is. Can we agree that a
> COPY TO STDOUT of a users table does more damage (and is easier to perform)
> with less risk of being caught/stopped in time than does network MITM, and
> that based on virtually all of the compromises that have become
> (semi-)public, assuming that the former is the more common isn't completely
> unreasonable?

Yes, I guess that more accounts are getting compromised via leaks of
entire databases (or large portions of them) than via sniffing/MITM.

On a per incident basis (rather than per account), it may be different.

Alexander

From patrick@patrickmn.com  Mar fÃ©v 19 01:06:55 2013 +0000
Return-Path: <patrick@patrickmn.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 19198 invoked by uid 89); 19 Feb 2013 01:06:55 -0000
Received: by simscan 1.4.0 ppid: 19192, pid: 19194, t: 0.2108s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=HTML_MESSAGE,RDNS_NONE
	autolearn=no version=3.2.5
Received: from unknown (HELO mail-wg0-f49.google.com) (74.125.82.49)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 19 Feb 2013 01:06:55 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 74.125.82.49 as permitted sender)
Received: by mail-wg0-f49.google.com with SMTP id 15so5243656wgd.16
        for <discussions@password-hashing.net>; Mon, 18 Feb 2013 17:06:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=patrickmylund.com; s=pmylund;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:content-type;
        bh=VZB7EGDsbN+NB3d4yR8PGfZRCEXBVM0e5IwlemPX8GY=;
        b=SV7xkaNry1zsg/nFNW8k3DRD+UuA+p2A5vN95nQ6akxqDeqgybnNZ773Cp+GPEM3ee
         /c5FDsXd72GDLha/T+aXdDrTdD2rw8uhfKYa3LzAyWxz6+rh2NLpwayZcjQ6COitl4ZP
         39tpT9ZOKzrxNBqpzd2U4263d3RmFXLxUiqss=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:content-type:x-gm-message-state;
        bh=VZB7EGDsbN+NB3d4yR8PGfZRCEXBVM0e5IwlemPX8GY=;
        b=obvwpfsvpaghXU/eJKhtX9oG5+QlhPvHvLz9L90unc4H+T8D0FmwamocowGtky+nYY
         y0jQUkzL8JIXVNWteKiddur3TQu4z5TNJyaKQZNfGGYRuMbqWgVU40RXxJKeurIXjUM1
         NH8KujkDI15HlYmlTijUGIttOVycIjOoo2zEwLWIz2hJCsCCBT0UDFmc6B8mJu9XMIlc
         EZMnMNYwCrhBxR1B8vjDXQkKZOljpWlIr6lDR2Qxe30d3ujRzoWlRx89X5IB876Fk962
         whuxwRVdEq4HUV8D0io1rzXNpE9ZpYJ66omO5VhogRXIG9Q5ba/iwFbjauPyQKYlGMSi
         ivZg==
MIME-Version: 1.0
X-Received: by 10.180.81.42 with SMTP id w10mr12371942wix.28.1361236014713;
 Mon, 18 Feb 2013 17:06:54 -0800 (PST)
Received: by 10.194.35.196 with HTTP; Mon, 18 Feb 2013 17:06:54 -0800 (PST)
X-Originating-IP: [85.224.171.72]
In-Reply-To: <20130219010022.GA22713@openwall.com>
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz>
	<061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org>
	<5120951F.8000303@bindshell.nl>
	<87txpaii2q.fsf@wolfjaw.dfranke.us>
	<CAEw2jfz3CG9VLpV--cyzTAvF854qG-CZ9PX02LeB5-1X2JV=tQ@mail.gmail.com>
	<20130218232700.GA21098@openwall.com>
	<CAEw2jfzOr8nFSnjWorBVcZd4yJfVWb3FjF8NpBLHLvrugZNssA@mail.gmail.com>
	<CAEw2jfzsBkwuQHLKxXwSPyighUX0CTohZ3Qn=pqm7wm=99b36A@mail.gmail.com>
	<20130219010022.GA22713@openwall.com>
Date: Tue, 19 Feb 2013 02:06:54 +0100
Message-ID: <CAEw2jfwwHBxHDGA+KRCySYZsePK5q9+d-WfOxrB-H9sKaUe+dg@mail.gmail.com>
From: Patrick Mylund Nielsen <patrick@patrickmylund.com>
To: "discussions@password-hashing.net" <discussions@password-hashing.net>
Content-Type: multipart/alternative; boundary=bcaec555503e1ccb1104d60975b8
X-Gm-Message-State: ALoCoQmkzx6WFntvAreXlpwSTZgXUiKgJfFPiQ9iiRnxXoEFweQ5iEjQY9ZR5mo0Z12UXtK2dOtf
Subject: Re: [PHC] Any "large verifiers" on the panel?

--bcaec555503e1ccb1104d60975b8
Content-Type: text/plain; charset=UTF-8

On Tue, Feb 19, 2013 at 2:00 AM, Solar Designer <solar@openwall.com> wrote:

> On Tue, Feb 19, 2013 at 01:42:42AM +0100, Patrick Mylund Nielsen wrote:
> > Sorry, I do agree that it doesn't hurt to have e.g. a secret that is e.g.
> > on the disk instead of the database--I'm just worried that such secrets
> > would become central to the strength of the algorithm, i.e. developers
> rely
> > too much on the secret, and offline attacks become trivial if you have
> both
> > the secrets and the salts+digests.
>
> We're not going to consider such schemes seriously.  The call for
> submissions should be clear in this respect.  Isn't it clear now?
>

I just looked again, and yes. Thank you.

--bcaec555503e1ccb1104d60975b8
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_extra">On Tue, Feb 19, 2013 at 2:00 AM=
, Solar Designer <span dir=3D"ltr">&lt;<a href=3D"mailto:solar@openwall.com=
" target=3D"_blank">solar@openwall.com</a>&gt;</span> wrote:<br><div class=
=3D"gmail_quote">

<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;p=
adding-left:1ex"><div>On Tue, Feb 19, 2013 at 01:42:42AM +0100, Patrick Myl=
und Nielsen wrote:<br>

&gt; Sorry, I do agree that it doesn&#39;t hurt to have e.g. a secret that =
is e.g.<br>
&gt; on the disk instead of the database--I&#39;m just worried that such se=
crets<br>
&gt; would become central to the strength of the algorithm, i.e. developers=
 rely<br>
&gt; too much on the secret, and offline attacks become trivial if you have=
 both<br>
&gt; the secrets and the salts+digests.<br>
<br>
</div>We&#39;re not going to consider such schemes seriously. =C2=A0The cal=
l for<br>
submissions should be clear in this respect. =C2=A0Isn&#39;t it clear now?<=
br></blockquote><div><br></div><div><span style=3D"font-family:arial,sans-s=
erif;font-size:13px">I just looked again, and yes. Thank you.</span></div><=
/div>
<br></div></div>

--bcaec555503e1ccb1104d60975b8--

From dfoxfranke@gmail.com  Mar fÃ©v 19 01:26:29 2013 +0000
Return-Path: <dfoxfranke@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 20666 invoked by uid 89); 19 Feb 2013 01:26:28 -0000
Received: by simscan 1.4.0 ppid: 20660, pid: 20662, t: 0.2609s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.4 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-vb0-f50.google.com) (209.85.212.50)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 19 Feb 2013 01:26:28 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.212.50 as permitted sender)
Received: by mail-vb0-f50.google.com with SMTP id ft2so3942502vbb.9
        for <discussions@password-hashing.net>; Mon, 18 Feb 2013 17:26:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:from:to:subject:references:date:in-reply-to:message-id
         :user-agent:mime-version:content-type;
        bh=/VFwSp0491MZsSBmWC0ptqsZA4CBaySyg9J8UMzSTrs=;
        b=rsAC0BV0KTrcR044shQRwShE5qwIhHq5NMXTc8JdALAa4oYmqZ+BbbsOFhy4yCy6A+
         E/RjDZt6/QsUde/znv9LCcXQuQ/PU/PxI2ky01W1d938x4qG00JhlxxiRZ58MJegW//a
         J+uC/WnghorUAKts/+fhbK5/+d4YfZ33WgbZ6OpjzKRuyD9XWk305H6zP19YLdq9JgsF
         OZy54gMeu610TeQipmpYerh0Gg4Y9LF/DfSFoKahkBRffi/tfKTmxWE1iFC9JixGqW00
         5+WZeJVofF92Vr5YQ/MEDzaIT/vOmVTnk6UHV0X2jdXc7AQoyN4Wc1pD6kr56J5fPNe+
         /Xgw==
X-Received: by 10.58.221.169 with SMTP id qf9mr18803738vec.43.1361237186639;
        Mon, 18 Feb 2013 17:26:26 -0800 (PST)
Received: from wolfjaw.dfranke.us (wolfjaw.dfranke.us. [2600:3c03:e001:1200:225:90ff:fe81:d4a0])
        by mx.google.com with ESMTPS id l18sm100076821vdh.10.2013.02.18.17.26.25
        (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
        Mon, 18 Feb 2013 17:26:25 -0800 (PST)
From: Daniel Franke <dfoxfranke@gmail.com>
To: discussions@password-hashing.net
References: <000101ce0e23$af8f9570$0eaec050$@acm.org>
	<87zjz1gtkm.fsf@wolfjaw.dfranke.us>
	<20130218225427.GB20985@openwall.com>
Date: Mon, 18 Feb 2013 20:26:23 -0500
In-Reply-To: <20130218225427.GB20985@openwall.com> (Solar Designer's message
	of "Tue, 19 Feb 2013 02:54:27 +0400")
Message-ID: <87vc9pgklc.fsf@wolfjaw.dfranke.us>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Subject: Re: [PHC] Coding of the in[inlen] array for PHS( )

Solar Designer <solar@openwall.com> writes:

> Yes, PHS() is defined to accept inlen, but in many scripting languages
> and in many other APIs NULs may be problematic anyway.
>
> Should PHS() support embedded NULs even when the password hashing
> scheme's primary implementation - one intended for actual use - does not
> support embedded NULs?  Well, perhaps it should...

Does there exist a scripting language that's so broken with respect to
dealing with embedded nulls that it's unreasonable for us to expect the
primary implementation of our scheme to deal with them properly?

From solar@openwall.com  Mar fÃ©v 19 01:27:27 2013 +0000
Return-Path: <solar@openwall.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 20810 invoked by uid 89); 19 Feb 2013 01:27:27 -0000
Received: by simscan 1.4.0 ppid: 20804, pid: 20806, t: 0.3304s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mother.openwall.net) (195.42.179.200)
  by qmailtoaster.cryptyx.com with SMTP; 19 Feb 2013 01:27:27 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at openwall.com designates 195.42.179.200 as permitted sender)
Received: (qmail 13720 invoked from network); 19 Feb 2013 01:27:26 -0000
Received: from localhost (HELO pvt.openwall.com) (127.0.0.1)
  by localhost with SMTP; 19 Feb 2013 01:27:26 -0000
Received: by pvt.openwall.com (Postfix, from userid 503)
	id 96DDB6FB04; Tue, 19 Feb 2013 05:27:22 +0400 (MSK)
Date: Tue, 19 Feb 2013 05:27:22 +0400
From: Solar Designer <solar@openwall.com>
To: discussions@password-hashing.net
Message-ID: <20130219012722.GA22849@openwall.com>
References: <49646EF5-3F83-45A8-89CD-B444143EBDB9@goldmark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <49646EF5-3F83-45A8-89CD-B444143EBDB9@goldmark.org>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [PHC] Any "large verifiers" on the panel?

On Sat, Feb 16, 2013 at 09:59:39AM -0600, Jeffrey Goldberg wrote:
> I'm not familiar with everyone on the panel, but I think it would be useful to have someone with an understanding of having to deal with a large number of legitimate authentication sessions.  Someone who, say, manages Gmail logins (IMAP, web, etc) may have insight into what sorts of cost parameters they would like to have.
> 
> Basically, it would be really sucky to settle upon a winner and then have sites and services say, "we won't use that because we can't manage our verification costs the way we need to."

I am not exactly "with" a company of this sort, but I do have such
insight.  Specifically, the required performance numbers used in my
ZeroNights presentation are not arbitrary.  For some companies, a
throughput of more than ~1000/s per authentication server is required,
and latencies of more than ~10 ms are costly in terms of request queue
size growth on other servers.

http://www.openwall.com/presentations/ZeroNights2012-New-In-Password-Hashing/

Alexander

From solar@openwall.com  Mar fÃ©v 19 01:35:30 2013 +0000
Return-Path: <solar@openwall.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 21368 invoked by uid 89); 19 Feb 2013 01:35:30 -0000
Received: by simscan 1.4.0 ppid: 21362, pid: 21364, t: 0.3297s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mother.openwall.net) (195.42.179.200)
  by qmailtoaster.cryptyx.com with SMTP; 19 Feb 2013 01:35:29 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at openwall.com designates 195.42.179.200 as permitted sender)
Received: (qmail 17624 invoked from network); 19 Feb 2013 01:35:29 -0000
Received: from localhost (HELO pvt.openwall.com) (127.0.0.1)
  by localhost with SMTP; 19 Feb 2013 01:35:29 -0000
Received: by pvt.openwall.com (Postfix, from userid 503)
	id 615246FB04; Tue, 19 Feb 2013 05:35:26 +0400 (MSK)
Date: Tue, 19 Feb 2013 05:35:26 +0400
From: Solar Designer <solar@openwall.com>
To: discussions@password-hashing.net
Message-ID: <20130219013526.GA22949@openwall.com>
References: <000101ce0e23$af8f9570$0eaec050$@acm.org> <87zjz1gtkm.fsf@wolfjaw.dfranke.us> <20130218225427.GB20985@openwall.com> <87vc9pgklc.fsf@wolfjaw.dfranke.us>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87vc9pgklc.fsf@wolfjaw.dfranke.us>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [PHC] Coding of the in[inlen] array for PHS( )

On Mon, Feb 18, 2013 at 08:26:23PM -0500, Daniel Franke wrote:
> Solar Designer <solar@openwall.com> writes:
> 
> > Yes, PHS() is defined to accept inlen, but in many scripting languages
> > and in many other APIs NULs may be problematic anyway.
> >
> > Should PHS() support embedded NULs even when the password hashing
> > scheme's primary implementation - one intended for actual use - does not
> > support embedded NULs?  Well, perhaps it should...
> 
> Does there exist a scripting language that's so broken with respect to
> dealing with embedded nulls that it's unreasonable for us to expect the
> primary implementation of our scheme to deal with them properly?

That's a good question to which I have no answer.

The issues I am aware of are from calls into C-provided functions, with
conversion to C strings, e.g. with crypt() in PHP and Perl.  It is
generally possible to avoid such calls and then have a scripting
language implementation of a password hashing scheme that will process
embedded NULs like any other bytes.

So we may want to insist on support for embedded NULs, yes.

Alexander

From alec.muffett@gmail.com  Mar fÃ©v 19 01:51:21 2013 +0000
Return-Path: <alec.muffett@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 22219 invoked by uid 89); 19 Feb 2013 01:51:21 -0000
Received: by simscan 1.4.0 ppid: 22213, pid: 22215, t: 0.3012s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: *
X-Spam-Status: No, score=1.2 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-we0-f171.google.com) (74.125.82.171)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 19 Feb 2013 01:51:21 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 74.125.82.171 as permitted sender)
Received: by mail-we0-f171.google.com with SMTP id u54so5350813wey.30
        for <discussions@password-hashing.net>; Mon, 18 Feb 2013 17:51:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:mime-version:in-reply-to:references:from:date:message-id
         :subject:to:content-type;
        bh=9EPIEqQ4Gr3GncU4AcWblg9Fd2naITBM3D9P8BZTpDQ=;
        b=YwaIdwnRaqwSyI5pf0aJuJvjlDM6OEt7PRYNNzy1zziUo/2XRqg+ht/8//rgpZyRwv
         zEom/7WZXMucD7NZr2a0S58tNZjpwJVQjOdWf+Lxq1PYYMh2C+P4mV91pzr+TV0eZkfb
         FPbaKLyE/vOvDM7JGiyBco1LLZySJdWcEliEOPfYSebPJoVg+JGEUb3zcuI8rkVfSzuy
         pX0ktHHL5w3vAgR4v/QmPDNv4t3CIGMEpfNRcdsGp7iH4OrXJsl2wKTsHzh1DSdgQM7t
         +vlBYH8gM2y8qX8GgwpkRuHA4yPXpRHEIv0aldPtnrzjC3tEvL3bTz9jXvQ06NuYJ/Ym
         ELSw==
X-Received: by 10.180.98.98 with SMTP id eh2mr23974367wib.7.1361238680763;
 Mon, 18 Feb 2013 17:51:20 -0800 (PST)
MIME-Version: 1.0
Received: by 10.194.75.167 with HTTP; Mon, 18 Feb 2013 17:50:40 -0800 (PST)
In-Reply-To: <CAHOTMVKpmm_VdsL7=0ocXMwgPTgK4S9VEW71FRRQdRZ-f-QB=A@mail.gmail.com>
References: <CAHOTMVKpmm_VdsL7=0ocXMwgPTgK4S9VEW71FRRQdRZ-f-QB=A@mail.gmail.com>
From: Alec Muffett <alec.muffett@gmail.com>
Date: Tue, 19 Feb 2013 01:50:40 +0000
Message-ID: <CAFWeb9+j3Dfdv9=neF_Bo-sLS+U+UpPJxuUo1PQ0haGzjWdHSw@mail.gmail.com>
To: discussions@password-hashing.net
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [PHC] Password hashes as URIs

On 18 February 2013 23:45, Tony Arcieri <tony.arcieri@gmail.com> wrote:
> A scheme like this could allow someone to have several different password
> hashing schemes active at once (e.g. if they started with one scheme but are
> lazily upgrading to another, newer scheme) and would also allow
> interoperability between these libraries.
>
> Yay? Nay?

OK; when I was at Sun, Casper Dik, Darren Moffat and I came up with
the "Pluggable Crypt" framework to address the desire to want to
intermingle different kinds of hash in one directory/map/password
file, and to support upgrades.

And, frankly, to do something better.

A lot of the backplot is documented here:
http://dropsafe.crypticide.com/article/1389 - which I won't bother to
cut and paste from since it's fairly readable; the companion algorithm
(SunMD5) is something that Alexander will rant about at length if you
permit, but that's not relevant right now. :-)

What might be relevant was what we were trying to do, which was
support having ciphertexts which looked a bit like this:

   $caesar$shift=13$frfnzr

...which any reasonably intuitive cryppie will work out has a
plaintext of 'sesame'; similarly we wanted:

    $sha256$rounds=9000,usersalt=fred,sitesalt=/etc/sitesalt$hTZC3WSMcaAro.iC6RMgU.Ek.....

...or possibly:

    $sha256$usersalt$sitesalt$resultinghash

...and we got into a massive, multi-week argument about formats of
data, whether we should go with "$" separators between positional
fields throughout - or establish an encoding system for
"key1=value1,key2=value2" - somehow guaranteeing that the keys and
values would be clean (free of ":" characters that would corrupt
passwd records - solution: base64 everything) and and and ...

It was a bit of a nightmare.

Eventually we hit on a solution: "stop being control freaks"

So instead the pluggable crypt architecture goes looking for
ciphertexts beginning with "$" and uses whatever comes after the first
"$" and before the next dollar-or-end-of-string to look up the name of
a shared library as specified in a config file:

    http://docs.oracle.com/cd/E19253-01/816-4557/concept-23/index.html

The remainder of the string, from the second "$" onwards (INCLUSIVE)
is *passed into* that shared library for it to do as it damn well
pleases.

End of problem, end of furious geek argument.

Tony may well like the contents of the manpage I linked to, it
contains stuff like:

  CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
  CRYPT_ALGORITHMS_DEPRECATE=__unix__
  CRYPT_DEFAULT=2a

...which specifies which hashes our system recognises (allow) and
which ones it will never allow you to create a new has using
(deprecate; here we are deprecating the traditional Morris crypt so
that we evolve away from it with each new password change) - and
finally which algorithm will be used to generate a new has should a
specific one not be specified (default; in this case 2a, which is
Blowfish).

The complementary half to this is the dynamically loaded
crypt_gensalt() routine:

    http://docs.oracle.com/cd/E19683-01/817-0677/6mgf9b5sh/index.html

...which when passed both the user's previous salt and a "userinfo"
(pw_passwd) structure, would generate a new salt prefix for whatever
algorithm was now de jure.

The reason for this was obvious: putting usernames and other stuff
into saltstrings was highly desirable, plus it was an opportunity/hook
for automatically increasing the number of rounds / or whatever new
administrative policy thing we wanted to enforce. Such policy could be
provided with "key=value"-type syntax, something like:

           caesar /usr/lib/security/$ISA/crypt_caesar.so shift=13

...in this config file, so that syntax came in handy after all; still
easier not to assume you can parse the actual *ciphertexts* though.

Overall it is very well-received and successful; several OSF/1 sites
implemented the DEC "crypt16()" shared library, marked it as ALLOWed
but DEPRECATEd, with a default of "2a" and then told their users to
change their passwords.  The result was a transparent migration to
Blowfish.

Some of the discussion around people doing exactly this can be found in:

https://groups.google.com/group/comp.unix.solaris/browse_thread/thread/6c6d589f4dfa6ba/e3dbf82cbea86989

And then there were the Government agencies which insisted on
rolling their own hashes and where formerly they had to have
replacement binaries for indefinite numbers of applications, suddenly
everything worked transparently.  I don't know if they were pleased or
annoyed by that.

Hope this helps.  In summary I would say that, from experience,
arguing over a URI syntax will just drive you insane.  Easier just to
agree on a text encoding for everything after the second "$" sign and
leave that to the implementors to sort out.

    - alec

Links:

crypt_gensalt: frontend for salt generation
http://illumos.org/man/3C/crypt_gensalt

crypt_gensalt_impl: implementation-specific backends for salt generation
http://illumos.org/man/3C/crypt_gensalt_impl

crypt_genhash_impl: implementation-specific backends for hash generation
http://illumos.org/man/3C/crypt_genhash_impl

sample code
https://github.com/illumos/illumos-gate/blob/master/usr/src/lib/crypt_modules/bsdbf/bsdbf.c
https://github.com/illumos/illumos-gate/tree/master/usr/src/lib/crypt_modules/bsdbf
(directory)

sunmd5
https://github.com/illumos/illumos-gate/blob/master/usr/src/lib/crypt_modules/sunmd5/sunmd5.c

crypt.conf / config files
http://illumos.org/man/4/crypt.conf
http://illumos.org/man/4/policy.conf # solaris broke out some of the
function to this for some reason


-- 
http://dropsafe.crypticide.com/aboutalecm

From dennis.hamilton@acm.org  Mar fÃ©v 19 02:36:50 2013 +0000
Return-Path: <dennis.hamilton@acm.org>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 24400 invoked by uid 89); 19 Feb 2013 02:36:50 -0000
Received: by simscan 1.4.0 ppid: 24392, pid: 24395, t: 0.4027s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.3 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO a2s42.a2hosting.com) (216.119.133.2)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 19 Feb 2013 02:36:49 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks3.google.com designates 216.119.133.2 as permitted sender)
Received: from 97-126-118-69.tukw.qwest.net ([97.126.118.69]:33244 helo=Astraendo)
	by a2s42.a2hosting.com with esmtpa (Exim 4.80)
	(envelope-from <dennis.hamilton@acm.org>)
	id 1U7d4Z-002s5d-OZ
	for discussions@password-hashing.net; Mon, 18 Feb 2013 21:36:48 -0500
From: "Dennis E. Hamilton" <dennis.hamilton@acm.org>
To: <discussions@password-hashing.net>
References: <000101ce0e23$af8f9570$0eaec050$@acm.org> <20130218230035.GC20985@openwall.com> <88702945-FB82-4B44-A68F-6A9F159F4077@mac.com> <20130219005344.GB22634@openwall.com>
In-Reply-To: <20130219005344.GB22634@openwall.com>
Date: Mon, 18 Feb 2013 18:36:45 -0800
Organization: NuovoDoc
Message-ID: <001e01ce0e49$f6b08c90$e411a5b0$@acm.org>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQH+j3KommtUi8+BH+f/eyitndITlwNfv9d+Ai6aCXADHEL/r5faDvUQ
Content-Language: en-us
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - a2s42.a2hosting.com
X-AntiAbuse: Original Domain - password-hashing.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - acm.org
X-Get-Message-Sender-Via: a2s42.a2hosting.com: authenticated_id: himself+orcmid.com/only user confirmed/virtual account not confirmed
Subject: RE: [PHC] Coding of the in[inlen] array for PHS( )

Now I am more puzzled than I am by Larry's comment about presumed order.

I am going to risk over-stating the obvious just to make certain that I, as
a newcomer, am on the same page about what the tacit understanding is
concerning what PHS( ) effectively operates on.

 - Dennis

TL;DR

 1. Let me look at it another way.  I presume that the each of the byte
arrays (in[inlen], out[outlen], etc. can be viewed as a canonical string of
bits, e.g, in[0]||in[1]||...||in[inlen] where each byte 
has its bits laid into the string as b[7]||b[6]||...||b[0], exactly as the
bits weigh into interpretation of the byte as an unsigned integer, are
expressed in hexadecimal, etc.  The expression of in[] in hexadecimal is
simply the concatenation of the hexadecimal digits of the bytes, in their
standard order.  (If one were operating on strings of bits whose length is
not a multiple of eight, it would be left-justified in the byte array and
any padding would start in the unused low-order positions of the last byte.)
  The hexadecimal-notation expression of test vectors and the expected
results conforms to this abstraction.

 2. The algorithm of a PHS( ) can be defined abstractly as operating on such
structures, however organized into blocks, padded, and computed over, with
the results of the same form.   When operating on wider units, there may be
collection into binary words, use of (modular) arithmetic and logical
operations, etc.  Those operations will assume a particular way of chunking
and ordering the material in widths larger than one byte.  That's how I
understand the algorithmic specifications of the NIST FIPS 180-n Secure
Hashing functions.

 3. Any differences in how a particular platform provides its way of
chunking and ordering and operating on various word-sized chunks should not
be visible to any user of the API -- that is, the order at the API is
sustained and the result is indistinguishable from it being carried out via
(2) regardless of what is actually done to accomplish that.  That's what I
see various implementations of NIST FIPS 180-n Secure Hashing Functions
accomplishing, and their APIs are consistent with that.

Is what is being said here tantamount to the same thing, but not so
long-winded?  

PS: I agree that the size_t, int, and unsigned int values represent numbers
in exactly the way that is done on the platform running the PHS( ) code and
their memory structure is not of concern in the implementation of PHS( ).  

PPS: I'm assuming serialization/deserialization of the cost parameters in
input-output is an outer-protocol consideration (likewise for the password,
salt, and hash) but the reference implementation, PHS( ) would not reflect
any of that.  I am also using the ordering of in[0],in[1],...,
in[i],in[++i],...,in[inlen-1] (likewise for the salt and hash byte arrays)
as being the canonical ordering, regardless of how that is achieved in a
particular processor's storage organization.



-----Original Message-----
From: Solar Designer [mailto:solar@openwall.com] 
Sent: Monday, February 18, 2013 16:54
To: discussions@password-hashing.net
Subject: Re: [PHC] Coding of the in[inlen] array for PHS( )

On Mon, Feb 18, 2013 at 03:57:21PM -0800, Larry Bugbee wrote:
> On Feb 18, 2013, at 3:00 PM, Solar Designer <solar@openwall.com> wrote:
> > In PHS(), we deal with bytes.
> 
> +1
> 
> ...and said bytes/byte strings/byte arrays should be specified to be in
network byte order.

No, byte order does not make sense for the password and salt inputs, and
the numeric inputs are just numbers (in the PHS() interface, they're
just size_t and unsigned int variables that have the correct values in
the host's native representation).

Alexander


From dennis.hamilton@acm.org  Mar fÃ©v 19 02:36:51 2013 +0000
Return-Path: <dennis.hamilton@acm.org>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 24415 invoked by uid 89); 19 Feb 2013 02:36:50 -0000
Received: by simscan 1.4.0 ppid: 24393, pid: 24408, t: 0.4205s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.2 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO a2s42.a2hosting.com) (216.119.133.2)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 19 Feb 2013 02:36:50 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks3.google.com designates 216.119.133.2 as permitted sender)
Received: from 97-126-118-69.tukw.qwest.net ([97.126.118.69]:33244 helo=Astraendo)
	by a2s42.a2hosting.com with esmtpa (Exim 4.80)
	(envelope-from <dennis.hamilton@acm.org>)
	id 1U7d4b-002s5d-1J
	for discussions@password-hashing.net; Mon, 18 Feb 2013 21:36:49 -0500
From: "Dennis E. Hamilton" <dennis.hamilton@acm.org>
To: <discussions@password-hashing.net>
References: <000101ce0e23$af8f9570$0eaec050$@acm.org> <20130218230035.GC20985@openwall.com> <88702945-FB82-4B44-A68F-6A9F159F4077@mac.com>
In-Reply-To: <88702945-FB82-4B44-A68F-6A9F159F4077@mac.com>
Date: Mon, 18 Feb 2013 18:36:45 -0800
Organization: NuovoDoc
Message-ID: <001f01ce0e49$f7742ab0$e65c8010$@acm.org>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQH+j3KommtUi8+BH+f/eyitndITlwNfv9d+Ai6aCXCX8uywgA==
Content-Language: en-us
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - a2s42.a2hosting.com
X-AntiAbuse: Original Domain - password-hashing.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - acm.org
X-Get-Message-Sender-Via: a2s42.a2hosting.com: authenticated_id: himself+orcmid.com/only user confirmed/virtual account not confirmed
Subject: RE: [PHC] Coding of the in[inlen] array for PHS( )

@Larry,

That makes perfect sense to me but I don't understand the addendum about
network byte order.

What does network byte order mean in the context of a C Language array in
storage?  Is that the same as ordering in[0], in[1], ..., in[inlen-1] and,
with regard to accepting serial input from a byte stream, the array is
filled with the first arrival at in[0], the second at in[1], etc.?

I assume this is the mapping that is also sensible with regard to how digest
algorithms are specified in terms of storage blocks.  (If there is a
big-/little-endian assumption on framing these into multi-byte logical
words, that is for the interior of the implementation to deal with, in my
understanding.)

Is there something that I am missing in what you are saying?

 - Dennis

-----Original Message-----
From: Larry Bugbee [mailto:bugbee@mac.com] 
Sent: Monday, February 18, 2013 15:57
To: discussions@password-hashing.net
Subject: Re: [PHC] Coding of the in[inlen] array for PHS( )

On Feb 18, 2013, at 3:00 PM, Solar Designer <solar@openwall.com> wrote:
> In PHS(), we deal with bytes.

+1

...and said bytes/byte strings/byte arrays should be specified to be in
network byte order.



From maray@microsoft.com  Mar fÃ©v 19 03:22:40 2013 +0000
Return-Path: <maray@microsoft.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 27332 invoked by uid 89); 19 Feb 2013 03:22:40 -0000
Received: by simscan 1.4.0 ppid: 27325, pid: 27327, t: 0.7938s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO na01-bl2-obe.outbound.protection.outlook.com) (unknown@65.55.169.28)
  by qmailtoaster.cryptyx.com with (AES128-SHA encrypted) SMTP; 19 Feb 2013 03:22:39 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at spfb.frontbridge.com designates 65.55.169.28 as permitted sender)
Received: from BY2FFO11FD003.protection.gbl (10.1.15.200) by
 BY2FFO11HUB015.protection.gbl (10.1.14.88) with Microsoft SMTP Server (TLS)
 id 15.0.620.12; Tue, 19 Feb 2013 03:22:23 +0000
Received: from TK5EX14HUBC105.redmond.corp.microsoft.com (131.107.125.37) by
 BY2FFO11FD003.mail.protection.outlook.com (10.1.14.125) with Microsoft SMTP
 Server (TLS) id 15.0.620.12 via Frontend Transport; Tue, 19 Feb 2013 03:22:23
 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.12]) by
 TK5EX14HUBC105.redmond.corp.microsoft.com ([157.54.80.48]) with mapi id
 14.02.0318.003; Tue, 19 Feb 2013 03:22:20 +0000
From: Marsh Ray <maray@microsoft.com>
To: "discussions@password-hashing.net" <discussions@password-hashing.net>
CC: "Dennis E. Hamilton "
	<IMCEAMAILTO-dennis+2Ehamilton+40acm+2Eorg@microsoft.com>
Thread-Topic: [PHC] Coding of the in[inlen] array for PHS( )
Thread-Index: Ac4OI5u+voKTrccLRquLJYiM6oHfMwACCbCAAAH7iYAAAfgbAAADmQuAAABfaTA=
Date: Tue, 19 Feb 2013 03:22:20 +0000
Message-ID: <218AE73F98E99C4C98AF7D5166AA798E0903752A@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <000101ce0e23$af8f9570$0eaec050$@acm.org>
 <20130218230035.GC20985@openwall.com>
 <88702945-FB82-4B44-A68F-6A9F159F4077@mac.com>
 <20130219005344.GB22634@openwall.com>
 <001e01ce0e49$f6b08c90$e411a5b0$@acm.org>
In-Reply-To: <001e01ce0e49$f6b08c90$e411a5b0$@acm.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.34]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report:
 CIP:131.107.125.37;CTRY:US;IPV:CAL;IPV:NLI;EFV:NLI;SFV:NSPM;SFS:(199002)(189002)(51704002)(74662001)(31966008)(44976002)(74502001)(23726001)(47446002)(65816001)(5343655001)(16406001)(79102001)(56816002)(56776001)(66066001)(47776003)(20776003)(63696002)(80022001)(33656001)(46102001)(76482001)(77982001)(54356001)(551544001)(55846006)(53806001)(46406002)(4396001)(47976001)(50986001)(47736001)(54316002)(49866001)(59766001)(50466001)(51856001);DIR:OUT;SFP:;SCL:1;SRVR:BY2FFO11HUB015;H:TK5EX14HUBC105.redmond.corp.microsoft.com;RD:InfoDomainNonexistent;A:1;MX:1;LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0762FFD075
Subject: RE: [PHC] Coding of the in[inlen] array for PHS( )

> From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org]
>=20
> I am going to risk over-stating the obvious just to make certain that I, =
as a
> newcomer, am on the same page about what the tacit understanding is
> concerning what PHS( ) effectively operates on.

Thank you :-)

This is definitely something that needs to be addressed by the final stage =
of the PHC. But it's probably not urgent to finalize it now.

We might look at the history of the RADIUS authentication protocol. It hand=
les username and password data for a variety of clients and servers.

RFC 2058 https://tools.ietf.org/html/rfc2058#page-21 didn't define or recom=
mend an encoding for strings.
RFC 2865 https://tools.ietf.org/html/rfc2865#section-9 defined distinct 'te=
xt' and 'string' types "Text contains UTF-8 encoded 10646 characters and St=
ring contains 8-bit binary data." Presumably this change was made to encour=
age interoperability, the IETF tends not to invoke ISO 10646 or Unicode lig=
htly.

How about this wording:

"The function must be well-defined for all sequences of octets supplied to =
the password input. Length constraints should be clearly defined parameters=
 of the algorithm and should generate an error result if violated. Password=
 inputs with embedded NUL (0x00) byte values are allowed and are treated as=
 significant (even trailing NULs).

However, to promote interoperability callers are strongly encouraged to sup=
ply character data in the form of a sequence of minimal-length UTF-8 encode=
d ISO 10646 characters (not including any NULs trailing or otherwise) whene=
ver practical. Note that this specification declines to recommend a specifi=
c Unicode normalization form in the hope that implementers will do the righ=
t thing.

Case-folding of password inputs is strongly discouraged, i.e., passwords sh=
ould always be treated case-sensitively."

- Marsh


From epixoip@bindshell.nl  Mar fÃ©v 19 03:42:42 2013 +0000
Return-Path: <epixoip@bindshell.nl>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 28098 invoked by uid 89); 19 Feb 2013 03:42:41 -0000
Received: by simscan 1.4.0 ppid: 28092, pid: 28094, t: 0.5893s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO dulcinea.bindshell.nl) (209.147.121.167)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 19 Feb 2013 03:42:41 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at bindshell.nl designates 209.147.121.167 as permitted sender)
Received: from [192.168.2.130] (nat.secure.la [173.160.144.193])
	by dulcinea.bindshell.nl (Postfix) with ESMTPSA id B72133C2103
	for <discussions@password-hashing.net>; Mon, 18 Feb 2013 19:28:21 -0800 (PST)
Message-ID: <5122F4A8.7010809@bindshell.nl>
Date: Mon, 18 Feb 2013 19:42:32 -0800
From: Jeremi Gosney <epixoip@bindshell.nl>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: discussions@password-hashing.net
References: <E1U6vxB-0008KQ-Jw@login01.fos.auckland.ac.nz> <061FBFD2-5239-4B8D-88D1-2853E4E459BD@goldmark.org> <5120951F.8000303@bindshell.nl> <87txpaii2q.fsf@wolfjaw.dfranke.us> <5121A295.2030601@bindshell.nl> <87d2vyi70f.fsf@wolfjaw.dfranke.us> <5121B661.3060208@bindshell.nl> <20130218233544.GB21098@openwall.com>
In-Reply-To: <20130218233544.GB21098@openwall.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [PHC] Any "large verifiers" on the panel?

On 2/18/2013 3:35 PM, Solar Designer wrote:
> On Sun, Feb 17, 2013 at 09:04:33PM -0800, Jeremi Gosney wrote:
>> On 2/17/2013 8:24 PM, Daniel Franke wrote:
>>> If the attacker can obtain a shell under the same uid as the webapp
>>> process and go undetected for a while, then he can ptrace the webapp and
>>> see the passwords as they're being passed into the hashing function.
>> It does not work this way anymore. At least not on modern Linux
>> distributions that enable the Yama LSM, which I'm pretty sure all
>> distributers started doing ~ 3 years back.
> This is wishful thinking.  I'm only aware of Ubuntu doing it.
>
> Alexander

Hum, so it is. I knew Ubuntu started using it back in 10.10, but I could
have sworn it was pulled into the mainline kernel as well. Looking
through LKML, it appears it was only in James Morris' security preview
for 2.6.36 and was later removed.

But after further digging, it looks like OpenSUSE and SLES have also
adopted Yama. And Fedora has a new SELinux policy named
SELinuxDenyPtrace which is enabled by default, which is likely to
eventually be in RHEL as well. And of course grsecurity also has had
this functionality for quite a while (Yama is based off of spender's
work iirc), and it's very common to find grsecurity-patched kernels on
shared hosting providers. Openwall also has some variant of this
functionality as well, doesn't it?

Anyway, this all kind of detracts from my original point, which is
simply that the most common vulnerabilities that lead to password dumps
have a very high potential of yeilding an unprivileged shell,
pesudo-shell, or some other method of read-only access to portions of
the filesystem. And even without the ability to escalate privileges or
do any other kind of advanced post-exploitation, these basic
vulnerabilities alone still have the very real potential to compromise
any server secrets. As was already stated by Peter Gutmann, we can't
defend against things like ptrace anyway with the PHS. But what we can
do is ensure the integrity of the PHS is not dependent upon any kind of
server secrets, such as an encryption key. That's the important thing to
take away from this thread.

Best regards,
Jeremi

From dennis.hamilton@acm.org  Mar fÃ©v 19 06:02:59 2013 +0000
Return-Path: <dennis.hamilton@acm.org>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 1680 invoked by uid 89); 19 Feb 2013 06:02:59 -0000
Received: by simscan 1.4.0 ppid: 1674, pid: 1676, t: 0.6642s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.2 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO a2s42.a2hosting.com) (216.119.133.2)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 19 Feb 2013 06:02:58 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks3.google.com designates 216.119.133.2 as permitted sender)
Received: from 97-126-118-69.tukw.qwest.net ([97.126.118.69]:33541 helo=Astraendo)
	by a2s42.a2hosting.com with esmtpa (Exim 4.80)
	(envelope-from <dennis.hamilton@acm.org>)
	id 1U7gI0-001H1m-NG
	for discussions@password-hashing.net; Tue, 19 Feb 2013 01:02:53 -0500
From: "Dennis E. Hamilton" <dennis.hamilton@acm.org>
To: <discussions@password-hashing.net>
References: <000101ce0e23$af8f9570$0eaec050$@acm.org> <20130218230035.GC20985@openwall.com> <88702945-FB82-4B44-A68F-6A9F159F4077@mac.com> <20130219005344.GB22634@openwall.com> <001e01ce0e49$f6b08c90$e411a5b0$@acm.org> <218AE73F98E99C4C98AF7D5166AA798E0903752A@TK5EX14MBXC286.redmond.corp.microsoft.com>
In-Reply-To: <218AE73F98E99C4C98AF7D5166AA798E0903752A@TK5EX14MBXC286.redmond.corp.microsoft.com>
Date: Mon, 18 Feb 2013 22:02:50 -0800
Organization: NuovoDoc
Message-ID: <003001ce0e66$c0a401f0$41ec05d0$@acm.org>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQH+j3KommtUi8+BH+f/eyitndITlwNfv9d+Ai6aCXADHEL/rwHO9ZRSAbLw2vmXvkdT0A==
Content-Language: en-us
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - a2s42.a2hosting.com
X-AntiAbuse: Original Domain - password-hashing.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - acm.org
X-Get-Message-Sender-Via: a2s42.a2hosting.com: authenticated_id: himself+orcmid.com/only user confirmed/virtual account not confirmed
Subject: RE: [PHC] Coding of the in[inlen] array for PHS( )

Thanks Marsh,

I would define PHS to work on arbitrary octet strings in the in[inlen]
array.  This is at the binary level.

Then I would treat the use of particular text encodings in an interoperable
use case, or application profile.  

There are also application profiles where pure binary is desired (e.g., as
in extending a weak use of a hash to one with much stronger protection of
the same password that creates the weak hash).

[I'm assuming there's a desire that PHS be usable underneath many use
cases.]

 - Dennis

-----Original Message-----
From: Marsh Ray [mailto:maray@microsoft.com] 
Sent: Monday, February 18, 2013 19:22
To: discussions@password-hashing.net
Cc: Dennis E. Hamilton 
Subject: RE: [PHC] Coding of the in[inlen] array for PHS( )

> From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org]
> 
> I am going to risk over-stating the obvious just to make certain that I,
as a
> newcomer, am on the same page about what the tacit understanding is
> concerning what PHS( ) effectively operates on.

Thank you :-)

This is definitely something that needs to be addressed by the final stage
of the PHC. But it's probably not urgent to finalize it now.

We might look at the history of the RADIUS authentication protocol. It
handles username and password data for a variety of clients and servers.

RFC 2058 https://tools.ietf.org/html/rfc2058#page-21 didn't define or
recommend an encoding for strings.
RFC 2865 https://tools.ietf.org/html/rfc2865#section-9 defined distinct
'text' and 'string' types "Text contains UTF-8 encoded 10646 characters and
String contains 8-bit binary data." Presumably this change was made to
encourage interoperability, the IETF tends not to invoke ISO 10646 or
Unicode lightly.

How about this wording:

"The function must be well-defined for all sequences of octets supplied to
the password input. Length constraints should be clearly defined parameters
of the algorithm and should generate an error result if violated. Password
inputs with embedded NUL (0x00) byte values are allowed and are treated as
significant (even trailing NULs).

However, to promote interoperability callers are strongly encouraged to
supply character data in the form of a sequence of minimal-length UTF-8
encoded ISO 10646 characters (not including any NULs trailing or otherwise)
whenever practical. Note that this specification declines to recommend a
specific Unicode normalization form in the hope that implementers will do
the right thing.

Case-folding of password inputs is strongly discouraged, i.e., passwords
should always be treated case-sensitively."

- Marsh


From jeanphilippe.aumasson@gmail.com  Mar fÃ©v 19 06:43:10 2013 +0000
Return-Path: <jeanphilippe.aumasson@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 3538 invoked by uid 89); 19 Feb 2013 06:43:10 -0000
Received: by simscan 1.4.0 ppid: 3532, pid: 3534, t: 0.3043s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.3 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-ob0-f180.google.com) (209.85.214.180)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 19 Feb 2013 06:43:10 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.214.180 as permitted sender)
Received: by mail-ob0-f180.google.com with SMTP id ef5so6154893obb.25
        for <discussions@password-hashing.net>; Mon, 18 Feb 2013 22:43:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:mime-version:in-reply-to:references:from:date:message-id
         :subject:to:content-type:content-transfer-encoding;
        bh=9VhjmEo956LNK27x8esrviE/C8L3UqB/gYK7UR8kU2Y=;
        b=ADWnnyMdxRwUnRgcVTAxUnYU4N16NG4Nz3TeRtVuHp721jfr7BbcRC8HIzfIM6GzeL
         7ghNcIdhrB7FVoWXCl5ZkfUCJ58iMv50mIOkElq7Oje1x8qRWXE2fqNzay9vBZ4uE2YK
         dJD21Ma0oIu7I/dyH1UTanz+EM/8DotTTsijPkjkKxeiL8MyZ5Zw45b3a6lixyo9Wp+p
         iYSUifZbuFXz9glzs3e31tv11rGaug7Jxt9u1jtbq3Y9Hr3rmBgHXcRF34cwy1p7/6Bp
         BS1vln95IJ8BDpjNmLr2xnrGEAnMcw78T7uayEN9/LN5ShEFGG3N28QYJFEMjhNbgRrm
         /DFQ==
X-Received: by 10.182.54.103 with SMTP id i7mr7054477obp.62.1361256188699;
 Mon, 18 Feb 2013 22:43:08 -0800 (PST)
MIME-Version: 1.0
Received: by 10.76.172.70 with HTTP; Mon, 18 Feb 2013 22:42:48 -0800 (PST)
In-Reply-To: <000001ce0e1e$a15ac010$e4104030$@acm.org>
References: <003301ce0e08$384a1730$a8de4590$@acm.org> <51227A51.7090602@dei.uc.pt>
 <467242033.24953.1361220029545.open-xchange@email.1and1.com> <000001ce0e1e$a15ac010$e4104030$@acm.org>
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Date: Tue, 19 Feb 2013 07:42:48 +0100
Message-ID: <CAGiyFdef0B_epjBY5kmFvaRnsKB5cXuF_AwR3=SxAqp6OjNYFQ@mail.gmail.com>
To: discussions@password-hashing.net
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHC] Q: int return from PHS()

On Mon, Feb 18, 2013 at 10:26 PM, Dennis E. Hamilton
<dennis.hamilton@acm.org> wrote:
> !? (glad I asked)
>
> If PHS( ) returns the length of the data delivered in the output buffer, =
type disharmony is avoided by (1) making the result a size_t or (2) making =
outlen an int.  In case (1), 0 is probably the failure result.  In case (2)=
 negative results can signify errors (and 0 is a strange success case?).  I=
'm not clear whether (2) is now considered an archaic device.  I'm agnostic=
 about that.  I just want definiteness.
>
> If PHS( ) returns a straightforward result code (with 0 signifying succes=
s), I would expect that outlen is a request for a specific size of result a=
nd the function should fail if it can't deliver.
>

As the call states, at least the value 16 (i.e., 16 bytes) should be
supported. The function may then return an error (a non-zero value) if
the outlen received is not supported.


> In the case of failure/error in either case, the content of the output bu=
ffer should be considered unpredictable and should also not leak anything. =
 (If it were up to me, I'd always clear the output buffer at the beginning =
and endeavor to leave it that way except just before a success return.)
>

We don't care about such leaks in a reference implementation (as
opposed to a production implementation).

> -----Original Message-----
> From: Steve Thomas [mailto:steve@tobtu.com]
> Sent: Monday, February 18, 2013 12:40
> To: discussions@password-hashing.net
> Subject: Re: [PHC] Q: int return from PHS()
>
>> On February 18, 2013 at 1:00 PM Samuel Neves <sneves@dei.uc.pt> wrote:
>>
>>
>> On 18-02-2013 18:46, Dennis E. Hamilton wrote:
>> > Reference implementations for submissions are requested to provide an =
API
>> > having signature int PHS( ...)
>> >
>> > What are the prescribed return values and their significance?
>> >
>> > - Dennis
>> >
>> > PS: Sorry if this has been asked. I haven't found the list archive yet=
.
>> >
>> It has not been asked.
>>
>> In typical C fashion, return value should be 0 for success, and
>> otherwise for any error that may occur during computation. Error codes,
>> if any, should be up to implementors, since sources of error may wildly
>> vary between schemes/implementations.
>
> I was under the impression that the return value was the amount of data c=
opied to the output buffer.
>

From jeanphilippe.aumasson@gmail.com  Mar fÃ©v 19 06:48:27 2013 +0000
Return-Path: <jeanphilippe.aumasson@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 4062 invoked by uid 89); 19 Feb 2013 06:48:26 -0000
Received: by simscan 1.4.0 ppid: 4056, pid: 4058, t: 0.2944s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.3 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-ob0-f181.google.com) (209.85.214.181)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 19 Feb 2013 06:48:26 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.214.181 as permitted sender)
Received: by mail-ob0-f181.google.com with SMTP id ni5so6301166obc.26
        for <discussions@password-hashing.net>; Mon, 18 Feb 2013 22:48:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:mime-version:in-reply-to:references:from:date:message-id
         :subject:to:content-type;
        bh=czeHi10WTd8vCi/s914+zQJHHCQbzVAuKzMjpQbS32A=;
        b=AscWitpP1/GqPkLJ9aUM32+BYpDTubIdsejankigPH5XxiCCkm79CiUMamLzk6tSUE
         bDQhlIHaW58etzZU7Ys6MKu5zE+N6IVRGGOm3deG1ixCcGUVByb7bIi+e2EpEokJ2Kko
         MTnYjMQ1+O3Cnc1PMDCk360ZjhhQzNVOrGJ+adNLb0V/NS6CZCDgD3Q6dFZq12WNkdaN
         xHBsd/5aj7G9AI29SudU/qFCZ//Ug209C4wOXJ8EKC7iifCddFgdAx+aLcfKxlstNeWW
         Cc7ywOrjJjJvWDPn09wc4UDQFiY4NIRH52cTGvjeNSHkQKvfUCrQHbun64JplEqeOTaq
         EMqw==
X-Received: by 10.60.24.162 with SMTP id v2mr7233410oef.96.1361256504921; Mon,
 18 Feb 2013 22:48:24 -0800 (PST)
MIME-Version: 1.0
Received: by 10.76.172.70 with HTTP; Mon, 18 Feb 2013 22:48:04 -0800 (PST)
In-Reply-To: <20130218214819.GA20645@openwall.com>
References: <003601ce0e0d$67ad08c0$37071a40$@acm.org> <20130218214819.GA20645@openwall.com>
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Date: Tue, 19 Feb 2013 07:48:04 +0100
Message-ID: <CAGiyFdeuvnn9nUG7F++SbAa2B9mpU60izPjOzYT03a_u77mpgA@mail.gmail.com>
To: discussions@password-hashing.net
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [PHC] Q: Reference t_cost and m_cost parameters

On Mon, Feb 18, 2013 at 10:48 PM, Solar Designer <solar@openwall.com> wrote:
> On Mon, Feb 18, 2013 at 11:23:16AM -0800, Dennis E. Hamilton wrote:
>> For the candidate reference-implementation API, the t_cost and m_cost
>> parameters are apparently unitless values related to time cost and space
>> (memory cost).
>>
>> Is there some standard definition for these, so that one can substitute
>> implementations but not need to know the implementation to know the
>> consequences?
>>
>> Or is it presumed that a candidate specify how these are interpreted
>
> I think it's the latter.
>

It is: for example m_cost=2 does not mean "2 megabytes", t_cost=100
does not (and cannot) mean "100 cpu cycles", etc.

t_cost and m_cost may (and will probably) accept different ranges of
values for different submissions. We did not want to impose a specific
range, as it would have restricted designers (although any countable
range can be mapped to [0;1], though with limited precision).

>
>> By fixed I mean that the salt and the cost parameters would be either stored
>> or otherwise preserved between creation of a hash and recomputation of the
>> hash for authentication of a password.
>
> Oh, that's a different aspect from what you wrote in the previous few
> paragraphs.  Yes, it is expected that the parameter values, except for
> secrets, will be stored along with the hashes or with the encrypted
> data (if the scheme is used as a KDF).  This is beyond scope of PHC,
> although we may discuss it in here.
>

That's also my understanding.

From dennis.hamilton@acm.org  Mar fÃ©v 19 07:01:03 2013 +0000
Return-Path: <dennis.hamilton@acm.org>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 4962 invoked by uid 89); 19 Feb 2013 07:01:03 -0000
Received: by simscan 1.4.0 ppid: 4956, pid: 4958, t: 0.3482s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.2 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO a2s42.a2hosting.com) (216.119.133.2)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 19 Feb 2013 07:01:03 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks3.google.com designates 216.119.133.2 as permitted sender)
Received: from 97-126-118-69.tukw.qwest.net ([97.126.118.69]:34614 helo=Astraendo)
	by a2s42.a2hosting.com with esmtpa (Exim 4.80)
	(envelope-from <dennis.hamilton@acm.org>)
	id 1U7hBy-001z7u-G4; Tue, 19 Feb 2013 02:00:57 -0500
From: "Dennis E. Hamilton" <dennis.hamilton@acm.org>
To: <discussions@password-hashing.net>
Cc: <jeanphilippe.aumasson@gmail.com>
References: <003301ce0e08$384a1730$a8de4590$@acm.org> <51227A51.7090602@dei.uc.pt> <467242033.24953.1361220029545.open-xchange@email.1and1.com> <000001ce0e1e$a15ac010$e4104030$@acm.org> <CAGiyFdef0B_epjBY5kmFvaRnsKB5cXuF_AwR3=SxAqp6OjNYFQ@mail.gmail.com>
In-Reply-To: <CAGiyFdef0B_epjBY5kmFvaRnsKB5cXuF_AwR3=SxAqp6OjNYFQ@mail.gmail.com>
Date: Mon, 18 Feb 2013 23:00:27 -0800
Organization: NuovoDoc
Message-ID: <003101ce0e6e$d4c2f120$7e48d360$@acm.org>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQKDmOkVwMq2eLVP4PiRDGgbvXBtxgJ1CJ9xAjfY7LwBnz979wCal7Ymlt51OvA=
Content-Language: en-us
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - a2s42.a2hosting.com
X-AntiAbuse: Original Domain - password-hashing.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - acm.org
X-Get-Message-Sender-Via: a2s42.a2hosting.com: authenticated_id: himself+orcmid.com/only user confirmed/virtual account not confirmed
Subject: RE: [PHC] Q: int return from PHS()

What I don't know is which case it is?

I have one response that says the returned int is a result code, with 0 for
success.

I have another response that says the returned int is the size of hash that
was actually produced.

What's intended?  Or is it implementation-defined?

 - Dennis

-----Original Message-----
From: Jean-Philippe Aumasson [mailto:jeanphilippe.aumasson@gmail.com] 
Sent: Monday, February 18, 2013 22:43
To: discussions@password-hashing.net
Subject: Re: [PHC] Q: int return from PHS()

On Mon, Feb 18, 2013 at 10:26 PM, Dennis E. Hamilton
<dennis.hamilton@acm.org> wrote:
> !? (glad I asked)
>
> If PHS( ) returns the length of the data delivered in the output buffer,
type disharmony is avoided by (1) making the result a size_t or (2) making
outlen an int.  In case (1), 0 is probably the failure result.  In case (2)
negative results can signify errors (and 0 is a strange success case?).  I'm
not clear whether (2) is now considered an archaic device.  I'm agnostic
about that.  I just want definiteness.
>
> If PHS( ) returns a straightforward result code (with 0 signifying
success), I would expect that outlen is a request for a specific size of
result and the function should fail if it can't deliver.
>

As the call states, at least the value 16 (i.e., 16 bytes) should be
supported. The function may then return an error (a non-zero value) if
the outlen received is not supported.


> In the case of failure/error in either case, the content of the output
buffer should be considered unpredictable and should also not leak anything.
(If it were up to me, I'd always clear the output buffer at the beginning
and endeavor to leave it that way except just before a success return.)
>

We don't care about such leaks in a reference implementation (as
opposed to a production implementation).

> -----Original Message-----
> From: Steve Thomas [mailto:steve@tobtu.com]
> Sent: Monday, February 18, 2013 12:40
> To: discussions@password-hashing.net
> Subject: Re: [PHC] Q: int return from PHS()
>
>> On February 18, 2013 at 1:00 PM Samuel Neves <sneves@dei.uc.pt> wrote:
>>
>>
>> On 18-02-2013 18:46, Dennis E. Hamilton wrote:
>> > Reference implementations for submissions are requested to provide an
API
>> > having signature int PHS( ...)
>> >
>> > What are the prescribed return values and their significance?
>> >
>> > - Dennis
>> >
>> > PS: Sorry if this has been asked. I haven't found the list archive yet.
>> >
>> It has not been asked.
>>
>> In typical C fashion, return value should be 0 for success, and
>> otherwise for any error that may occur during computation. Error codes,
>> if any, should be up to implementors, since sources of error may wildly
>> vary between schemes/implementations.
>
> I was under the impression that the return value was the amount of data
copied to the output buffer.
>


From jeanphilippe.aumasson@gmail.com  Mar fÃ©v 19 07:04:59 2013 +0000
Return-Path: <jeanphilippe.aumasson@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 5207 invoked by uid 89); 19 Feb 2013 07:04:59 -0000
Received: by simscan 1.4.0 ppid: 5201, pid: 5203, t: 0.3337s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.3 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-oa0-f46.google.com) (209.85.219.46)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 19 Feb 2013 07:04:58 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.219.46 as permitted sender)
Received: by mail-oa0-f46.google.com with SMTP id k1so6582972oag.19
        for <discussions@password-hashing.net>; Mon, 18 Feb 2013 23:04:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:mime-version:in-reply-to:references:from:date:message-id
         :subject:to:content-type;
        bh=MN926bPj83TbCxxg1DnToO5GZ25quKBxvw2kf5wp/yE=;
        b=02Lc/WEP9ibcV8fyfjA8iYYGZGCfuUB47fFgg3LdvgUPXDHSFUgWEjLDBU8duzyx7U
         ckBgpG+xdPAaMJMtZTWrb/63btJh1y67EOgKT/vnHvZGq7zf2sF740MlAhLze8+D9vyo
         SSYnNmtNHTuWUAbfqZhp8KmKG8vg8H8LFTP7hvzaS6/maTksDrwwZsxdMOgxZXnaTD6z
         iW0nPdBEfXnw8q6ogE69f4yV9CAvajYodyGkAGgzZpwaflEgfBF9+PyfJYoGYdh1xtdf
         8U46RbJM0awvpdJNlhBT9CbCulCiDxp7FNitN7txNq0tltQ9TAQx0tTblG3KI8KODlLD
         6A3w==
X-Received: by 10.182.112.34 with SMTP id in2mr7233760obb.80.1361257497273;
 Mon, 18 Feb 2013 23:04:57 -0800 (PST)
MIME-Version: 1.0
Received: by 10.76.172.70 with HTTP; Mon, 18 Feb 2013 23:04:37 -0800 (PST)
In-Reply-To: <003101ce0e6e$d4c2f120$7e48d360$@acm.org>
References: <003301ce0e08$384a1730$a8de4590$@acm.org> <51227A51.7090602@dei.uc.pt>
 <467242033.24953.1361220029545.open-xchange@email.1and1.com>
 <000001ce0e1e$a15ac010$e4104030$@acm.org> <CAGiyFdef0B_epjBY5kmFvaRnsKB5cXuF_AwR3=SxAqp6OjNYFQ@mail.gmail.com>
 <003101ce0e6e$d4c2f120$7e48d360$@acm.org>
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Date: Tue, 19 Feb 2013 08:04:37 +0100
Message-ID: <CAGiyFdfJJaa4eb7oHwPVkUSeNDy8jZh5R=n+9a+UxMtoavEHsA@mail.gmail.com>
To: discussions@password-hashing.net
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [PHC] Q: int return from PHS()

Like Samuel said, the call does not set any rule for return values,
however it is expected that implementers return 0 upon success, and
something else upon error.


On Tue, Feb 19, 2013 at 8:00 AM, Dennis E. Hamilton
<dennis.hamilton@acm.org> wrote:
> What I don't know is which case it is?
>
> I have one response that says the returned int is a result code, with 0 for
> success.
>
> I have another response that says the returned int is the size of hash that
> was actually produced.
>
> What's intended?  Or is it implementation-defined?
>
>  - Dennis
>
> -----Original Message-----
> From: Jean-Philippe Aumasson [mailto:jeanphilippe.aumasson@gmail.com]
> Sent: Monday, February 18, 2013 22:43
> To: discussions@password-hashing.net
> Subject: Re: [PHC] Q: int return from PHS()
>
> On Mon, Feb 18, 2013 at 10:26 PM, Dennis E. Hamilton
> <dennis.hamilton@acm.org> wrote:
>> !? (glad I asked)
>>
>> If PHS( ) returns the length of the data delivered in the output buffer,
> type disharmony is avoided by (1) making the result a size_t or (2) making
> outlen an int.  In case (1), 0 is probably the failure result.  In case (2)
> negative results can signify errors (and 0 is a strange success case?).  I'm
> not clear whether (2) is now considered an archaic device.  I'm agnostic
> about that.  I just want definiteness.
>>
>> If PHS( ) returns a straightforward result code (with 0 signifying
> success), I would expect that outlen is a request for a specific size of
> result and the function should fail if it can't deliver.
>>
>
> As the call states, at least the value 16 (i.e., 16 bytes) should be
> supported. The function may then return an error (a non-zero value) if
> the outlen received is not supported.
>
>
>> In the case of failure/error in either case, the content of the output
> buffer should be considered unpredictable and should also not leak anything.
> (If it were up to me, I'd always clear the output buffer at the beginning
> and endeavor to leave it that way except just before a success return.)
>>
>
> We don't care about such leaks in a reference implementation (as
> opposed to a production implementation).
>
>> -----Original Message-----
>> From: Steve Thomas [mailto:steve@tobtu.com]
>> Sent: Monday, February 18, 2013 12:40
>> To: discussions@password-hashing.net
>> Subject: Re: [PHC] Q: int return from PHS()
>>
>>> On February 18, 2013 at 1:00 PM Samuel Neves <sneves@dei.uc.pt> wrote:
>>>
>>>
>>> On 18-02-2013 18:46, Dennis E. Hamilton wrote:
>>> > Reference implementations for submissions are requested to provide an
> API
>>> > having signature int PHS( ...)
>>> >
>>> > What are the prescribed return values and their significance?
>>> >
>>> > - Dennis
>>> >
>>> > PS: Sorry if this has been asked. I haven't found the list archive yet.
>>> >
>>> It has not been asked.
>>>
>>> In typical C fashion, return value should be 0 for success, and
>>> otherwise for any error that may occur during computation. Error codes,
>>> if any, should be up to implementors, since sources of error may wildly
>>> vary between schemes/implementations.
>>
>> I was under the impression that the return value was the amount of data
> copied to the output buffer.
>>
>

From jeanphilippe.aumasson@gmail.com  Mar fÃ©v 19 07:06:53 2013 +0000
Return-Path: <jeanphilippe.aumasson@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 5394 invoked by uid 89); 19 Feb 2013 07:06:53 -0000
Received: by simscan 1.4.0 ppid: 5388, pid: 5390, t: 0.2909s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.3 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-oa0-f42.google.com) (209.85.219.42)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 19 Feb 2013 07:06:53 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.219.42 as permitted sender)
Received: by mail-oa0-f42.google.com with SMTP id i18so6653398oag.1
        for <discussions@password-hashing.net>; Mon, 18 Feb 2013 23:06:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:mime-version:in-reply-to:references:from:date:message-id
         :subject:to:content-type;
        bh=ZgIMpDkqGShQbB+FytAg1vr7YjP1AnGlnuOqsmKErxU=;
        b=gU99GwwA7yOfcnKoKUV2sSfL9sLgyIz69qMRQ7lJlcnwMr6dgEwTcqY+Eg6ggnP0bn
         8K2VQs5bYghz1qgjtzSs3zF3Zey34oQcQH6EFAJ1lQqmeHTi5tN7dxSQ6SY/ErNipXne
         Vy/TruY768F1smt/5nvqsRFn4tEQJO8EbFDRVBX8VScaR0WIsJ534yT+kzRKtOhtXtIH
         MvkdHubPxqt4txKVUGmB9MtllbmNSxQUw0WNLi7Bm3OQYVxfYOy/dgRPlg5lxVIpdXqB
         u9xZDAGxA776VobtZiuvgt0dweBfSfF1YxkW/VdIZEvs1adLCJrnB6Dj/YiepgKsvYOr
         qkjw==
X-Received: by 10.182.49.102 with SMTP id t6mr7068011obn.75.1361257611626;
 Mon, 18 Feb 2013 23:06:51 -0800 (PST)
MIME-Version: 1.0
Received: by 10.76.172.70 with HTTP; Mon, 18 Feb 2013 23:06:31 -0800 (PST)
In-Reply-To: <20130218230035.GC20985@openwall.com>
References: <000101ce0e23$af8f9570$0eaec050$@acm.org> <20130218230035.GC20985@openwall.com>
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Date: Tue, 19 Feb 2013 08:06:31 +0100
Message-ID: <CAGiyFdf0Fq4Toos9yeGUQLZgwOi3=sdS29JtqfBdzSsHg0UiAg@mail.gmail.com>
To: discussions@password-hashing.net
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [PHC] Coding of the in[inlen] array for PHS( )

On Tue, Feb 19, 2013 at 12:00 AM, Solar Designer <solar@openwall.com> wrote:
> "Comprehensive set of test vectors (preferably including non-ASCII
> characters)."
>
> Perhaps this should be changed to:
>
> "Comprehensive set of test vectors (preferably including all byte values
> in the 0 to 0xFF range for both the password and the salt inputs)."
>

Agree, the non-ASCII thing was confusing. The call has been revised.

From bugbee@mac.com  Mar fÃ©v 19 08:07:51 2013 +0000
Return-Path: <bugbee@mac.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 9991 invoked by uid 89); 19 Feb 2013 08:07:50 -0000
Received: by simscan 1.4.0 ppid: 9984, pid: 9987, t: 0.3420s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: *
X-Spam-Status: No, score=1.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO nk11p03mm-asmtp002.mac.com) (17.158.232.237)
  by qmailtoaster.cryptyx.com with SMTP; 19 Feb 2013 08:07:50 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at mac.com designates 17.158.232.237 as permitted sender)
Received: from [192.168.1.105] ([76.104.203.117]) by nk11p03mm-asmtp002.mac.com
 (Oracle Communications Messaging Server 7u4-26.01(7.0.4.26.0) 64bit (built Jul
 13 2012)) with ESMTPSA id <0MIG009HDJWSON90@nk11p03mm-asmtp002.mac.com> for
 discussions@password-hashing.net; Tue, 19 Feb 2013 08:07:41 +0000 (GMT)
X-Proofpoint-Virus-Version: vendor=fsecure
 engine=2.50.10432:5.9.8327,1.0.431,0.0.0000
 definitions=2013-02-18_07:2013-02-18,2013-02-18,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0
 ipscore=0 suspectscore=1 phishscore=0 bulkscore=0 adultscore=0 classifier=spam
 adjust=0 reason=mlx scancount=1 engine=6.0.2-1203120001
 definitions=main-1302190001
Content-type: text/plain; charset=us-ascii
MIME-version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Larry Bugbee <bugbee@mac.com>
In-reply-to: <001f01ce0e49$f7742ab0$e65c8010$@acm.org>
Date: Tue, 19 Feb 2013 00:07:40 -0800
Content-transfer-encoding: quoted-printable
Message-id: <36E82368-2033-4AC0-AF88-E6DB67EB4B84@mac.com>
References: <000101ce0e23$af8f9570$0eaec050$@acm.org>
 <20130218230035.GC20985@openwall.com>
 <88702945-FB82-4B44-A68F-6A9F159F4077@mac.com>
 <001f01ce0e49$f7742ab0$e65c8010$@acm.org>
To: discussions@password-hashing.net
X-Mailer: Apple Mail (2.1499)
Subject: Re: [PHC] Coding of the in[inlen] array for PHS( )

Hi Dennis,

First let me say I agree with the proposed numeric representations, we =
only deal with bytes, and all encoding transformations happen external =
to PHS() such that only agnostic bytes are fed to the algorithm.

...to which I would add a requirement the input bytes be in network byte =
order (big endian) as it is arguably the more neutral byte order (little =
endian can have several variants).  ...and the exact format of the =
stored hashes be likewise specified so implementations on other-endian =
CPUs can safely use the file/DB.  ...and like RFCs and the NIST docs, =
perhaps we not speak of bytes but octets?

My preference for a specification of a byte order is motivated in part =
by previous problems when building big endian implementations of =
algorithms that were specified in terms of 32-bit little endian word =
operations.  In one case, an encryption algorithm, I got my code to work =
against the published test vectors, but it failed in the real world.  =
After a lot of frustration (debugging) the cause turned out to be the =
vector bytes were *already* in little endian byte order, but unspecified =
as such.  To make a long story short, I had to fight endianness issues =
all the way thru the algorithm without the benefit of reliable test =
vectors or another big endian implementation as a reference.  (Sorry, =
this was years ago and I do not remember which algorithm.  If it comes =
to me I'll share.)

That said, internal algorithm details are the province of the designer, =
but I believe all interface details should be unambigiously specified if =
we want interchangeability. =20

Larry


=
--------------------------------------------------------------------------=
--------
On Feb 18, 2013, at 6:36 PM, "Dennis E. Hamilton" =
<dennis.hamilton@acm.org> wrote:

> @Larry,
>=20
> That makes perfect sense to me but I don't understand the addendum =
about
> network byte order.
>=20
> What does network byte order mean in the context of a C Language array =
in
> storage?  Is that the same as ordering in[0], in[1], ..., in[inlen-1] =
and,
> with regard to accepting serial input from a byte stream, the array is
> filled with the first arrival at in[0], the second at in[1], etc.?
>=20
> I assume this is the mapping that is also sensible with regard to how =
digest
> algorithms are specified in terms of storage blocks.  (If there is a
> big-/little-endian assumption on framing these into multi-byte logical
> words, that is for the interior of the implementation to deal with, in =
my
> understanding.)
>=20
> Is there something that I am missing in what you are saying?
>=20
> - Dennis
>=20
> -----Original Message-----
> From: Larry Bugbee [mailto:bugbee@mac.com]=20
> Sent: Monday, February 18, 2013 15:57
> To: discussions@password-hashing.net
> Subject: Re: [PHC] Coding of the in[inlen] array for PHS( )
>=20
> On Feb 18, 2013, at 3:00 PM, Solar Designer <solar@openwall.com> =
wrote:
>> In PHS(), we deal with bytes.
>=20
> +1
>=20
> ...and said bytes/byte strings/byte arrays should be specified to be =
in
> network byte order.
>=20
>=20


From bugbee@mac.com  Mar fÃ©v 19 09:35:16 2013 +0000
Return-Path: <bugbee@mac.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 16489 invoked by uid 89); 19 Feb 2013 09:35:16 -0000
Received: by simscan 1.4.0 ppid: 16483, pid: 16485, t: 0.4238s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.9 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO nk11p03mm-asmtp001.mac.com) (17.158.232.236)
  by qmailtoaster.cryptyx.com with SMTP; 19 Feb 2013 09:35:15 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at mac.com designates 17.158.232.236 as permitted sender)
Received: from [192.168.1.105] ([76.104.203.117]) by nk11p03mm-asmtp001.mac.com
 (Oracle Communications Messaging Server 7u4-26.01(7.0.4.26.0) 64bit (built Jul
 13 2012)) with ESMTPSA id <0MIG00GNCNYOII40@nk11p03mm-asmtp001.mac.com> for
 discussions@password-hashing.net; Tue, 19 Feb 2013 09:35:13 +0000 (GMT)
X-Proofpoint-Virus-Version: vendor=fsecure
 engine=2.50.10432:5.9.8327,1.0.431,0.0.0000
 definitions=2013-02-18_07:2013-02-18,2013-02-18,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0
 ipscore=0 suspectscore=1 phishscore=0 bulkscore=0 adultscore=0 classifier=spam
 adjust=0 reason=mlx scancount=1 engine=6.0.2-1203120001
 definitions=main-1302190022
Content-type: text/plain; charset=us-ascii
MIME-version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Larry Bugbee <bugbee@mac.com>
In-reply-to: <36E82368-2033-4AC0-AF88-E6DB67EB4B84@mac.com>
Date: Tue, 19 Feb 2013 01:35:12 -0800
Content-transfer-encoding: 7bit
Message-id: <B5EB3DC0-F72E-4ACD-BBCF-6FE42EEC7BF1@mac.com>
References: <000101ce0e23$af8f9570$0eaec050$@acm.org>
 <20130218230035.GC20985@openwall.com>
 <88702945-FB82-4B44-A68F-6A9F159F4077@mac.com>
 <001f01ce0e49$f7742ab0$e65c8010$@acm.org>
 <36E82368-2033-4AC0-AF88-E6DB67EB4B84@mac.com>
To: discussions@password-hashing.net
X-Mailer: Apple Mail (2.1499)
Subject: Re: [PHC] Coding of the in[inlen] array for PHS( )

On Feb 19, 2013, at 12:07 AM, Larry Bugbee <bugbee@mac.com> wrote:
> ...all interface details should be unambigiously specified...

Now or later, but fully specified/documented.  

I can live with fully documented later unless it is a requirement going in.



From pgut001@cs.auckland.ac.nz  Mar fÃ©v 19 10:22:18 2013 +0000
Return-Path: <pgut001@cs.auckland.ac.nz>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 20083 invoked by uid 89); 19 Feb 2013 10:22:17 -0000
Received: by simscan 1.4.0 ppid: 20053, pid: 20068, t: 1.0315s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mx2.auckland.ac.nz) (130.216.125.244)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 19 Feb 2013 10:22:16 -0000
Received-SPF: none (qmailtoaster.cryptyx.com: domain at cs.auckland.ac.nz does not designate permitted sender hosts)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
  d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz;
  q=dns/txt; s=uoa; t=1361269337; x=1392805337;
  h=from:to:subject:date:message-id:
   content-transfer-encoding:mime-version;
  bh=GeuRZp2nw/FAhTMZoVEBYVF2UDURDjyjutyGSU6rqdU=;
  b=U45lPgbjJMZULEk0/Lh+ClxjJkrKyGq9+gN+K5Ao3JDY8z3sBvdSYMcr
   lgleW7IWW3YAQrs1bwghRhn3w3piHAKK8PcqMekXtbzgg5q359zQYT21Z
   o5Hi/UfAPBtil9Phhxu51DyWeDSiDQNqrXpQOW+sv13pzwjaVH6qsDE2/
   k=;
X-IronPort-AV: E=Sophos;i="4.84,694,1355050800"; 
   d="scan'208";a="171155789"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.106 - Outgoing - Outgoing
Received: from uxchange10-fe2.uoa.auckland.ac.nz ([130.216.4.106])
  by mx2-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 19 Feb 2013 23:22:12 +1300
Received: from UXCN10-2.UoA.auckland.ac.nz ([169.254.2.108]) by
 uxchange10-fe2.UoA.auckland.ac.nz ([130.216.4.106]) with mapi id
 14.02.0318.004; Tue, 19 Feb 2013 23:22:11 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "discussions@password-hashing.net" <discussions@password-hashing.net>
Thread-Topic: [PHC] Any "large verifiers" on the panel?
Thread-Index: Ac4OivoNU4wzNaGATsGMLT12K5uE1w==
Date: Tue, 19 Feb 2013 10:22:10 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C733340E2C3@uxcn10-2.UoA.auckland.ac.nz>
Accept-Language: en-GB, en-NZ, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [PHC] Any "large verifiers" on the panel?

[Apparently my posts to the list have been getting lost, this is an attempt=
 to=0A=
 re-post from an alternate system.  Apologies if you've seen some of these=
=0A=
 before]=0A=
=0A=
Jeffrey Goldberg <Jeffrey@goldmark.org> writes:=0A=
=0A=
>Basically, it would be really sucky to settle upon a winner and then have=
=0A=
>sites and services say, "we won't use that because we can't manage our=0A=
>verification costs the way we need to."=0A=
=0A=
Oh, we don't need a "large verifier" to tell us that.  If we have a symmetr=
ic=0A=
winner then any site with any significant number of users will say "we won'=
t=0A=
use that because we can't manage our verification costs the way we need to"=
.=0A=
This is why I asked for an asymmetric option for the CFP, alongside the O( =
n )=0A=
everywhere for smaller sites we also need an O( 1 ) on the server, O( n ) o=
n=0A=
the client for larger users, so some sort of trapdoor-function iterated-=0A=
hashing mechanism perhaps.=0A=
=0A=
Peter.=

From pgut001@cs.auckland.ac.nz  Mar fÃ©v 19 10:23:16 2013 +0000
Return-Path: <pgut001@cs.auckland.ac.nz>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 20237 invoked by uid 89); 19 Feb 2013 10:23:15 -0000
Received: by simscan 1.4.0 ppid: 20231, pid: 20233, t: 0.7636s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mx2.auckland.ac.nz) (130.216.125.244)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 19 Feb 2013 10:23:15 -0000
Received-SPF: none (qmailtoaster.cryptyx.com: domain at cs.auckland.ac.nz does not designate permitted sender hosts)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
  d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz;
  q=dns/txt; s=uoa; t=1361269395; x=1392805395;
  h=from:to:subject:date:message-id:
   content-transfer-encoding:mime-version;
  bh=0GTOC4TzCLqaTJUZZ25QqcTlkVQKzf7wUqTL/I0V5ts=;
  b=hQ9EQCHFJnAh8aXqVSPTQgON8gRZxrGhQSl8i8Aig0PogLEkhwwAPres
   dHCVFVtDt9D7rF5Sj+QZWLpzh11/hDm2lfVkZRKIYTRxEWO08L2BWDzNc
   sYQqyECIOVQ8nuMxFfSa2ZbDTTjBNJ3Xyjena3r4hhLasmlxtam42Bfff
   U=;
X-IronPort-AV: E=Sophos;i="4.84,694,1355050800"; 
   d="scan'208";a="171155950"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.112 - Outgoing - Outgoing
Received: from uxchange10-fe1.uoa.auckland.ac.nz ([130.216.4.112])
  by mx2-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 19 Feb 2013 23:23:09 +1300
Received: from UXCN10-2.UoA.auckland.ac.nz ([169.254.2.108]) by
 uxchange10-fe1.UoA.auckland.ac.nz ([130.216.4.112]) with mapi id
 14.02.0318.004; Tue, 19 Feb 2013 23:23:08 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "discussions@password-hashing.net" <discussions@password-hashing.net>
Thread-Topic: [PHC] Any "large verifiers" on the panel?
Thread-Index: Ac4OixwcIBDyVGjbROal0SJR4MGhFQ==
Date: Tue, 19 Feb 2013 10:23:07 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C733340E2D0@uxcn10-2.UoA.auckland.ac.nz>
Accept-Language: en-GB, en-NZ, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [PHC] Any "large verifiers" on the panel?

Jeremi Gosney <epixoip@bindshell.nl> writes:=0A=
=0A=
>We are not assuming a complete compromise (i.e., root access) here. We're=
=0A=
>merely assuming an attacker who is able to execute arbitrary code in the=
=0A=
>context of the web server or webapp.=0A=
=0A=
We're not assuming that either.  What people are assuming is whatever level=
 of=0A=
attack they need to in order to justify their design idea.  We don't really=
=0A=
have a set threat model.  More specifically, we have what I call the=0A=
Inside-Out Threat Model in my book, "The threat is whatever our solution ca=
n=0A=
defend against".  To that end, could I suggest as a starting point the=0A=
following three levels of attacker:=0A=
=0A=
1. Read-only (file) access to the system.  Easiest to obtain.  Defeats poor=
ly-=0A=
   stored authenticators.=0A=
=0A=
2. Read/write (file) access to the system.  Somewhat harder than (1).  Defe=
ats=0A=
   most mechanisms (add your credentials to the user database and you're in=
).=0A=
=0A=
3. Anything else (memory read, code execution, etc).  Defeats pretty much=
=0A=
   anything, including HSMs.=0A=
=0A=
We're defending against (1), and can defend against (2) if the credentials =
are=0A=
stored MAC'd/protected via a machine-specific secret so new credentials can=
't=0A=
be injected.  We can't defend against (3).=0A=
=0A=
Alternatively, we could list the non-goals of the exercise, things that the=
=0A=
design is not expected to be able to do.=0A=
=0A=
Peter.=0A=

From pgut001@cs.auckland.ac.nz  Mar fÃ©v 19 10:23:38 2013 +0000
Return-Path: <pgut001@cs.auckland.ac.nz>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 20360 invoked by uid 89); 19 Feb 2013 10:23:38 -0000
Received: by simscan 1.4.0 ppid: 20352, pid: 20354, t: 0.7349s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mx2.auckland.ac.nz) (130.216.125.244)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 19 Feb 2013 10:23:37 -0000
Received-SPF: none (qmailtoaster.cryptyx.com: domain at cs.auckland.ac.nz does not designate permitted sender hosts)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
  d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz;
  q=dns/txt; s=uoa; t=1361269418; x=1392805418;
  h=from:to:subject:date:message-id:
   content-transfer-encoding:mime-version;
  bh=2KCPGNN67pQ0T5w/zGGfo55u+WM9jtuyyPZIyat6CbE=;
  b=NhNTw2LXIOQidKMOzRsYY7Idfa9Xm/8bfZAJapX3S/5GhYYFpj44mNrh
   /bkww6C28YZ65ALr8tfa92LDFHrrhyu1JOLKo+28M6DshRY+CGUyZgww1
   UG4jV5uUNkpxC9le96bfOeMg0VY8SURdQL8iMZlEn5xTT6YKcSPDc+PHL
   0=;
X-IronPort-AV: E=Sophos;i="4.84,694,1355050800"; 
   d="scan'208";a="171156040"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.112 - Outgoing - Outgoing
Received: from uxchange10-fe1.uoa.auckland.ac.nz ([130.216.4.112])
  by mx2-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 19 Feb 2013 23:23:35 +1300
Received: from UXCN10-2.UoA.auckland.ac.nz ([169.254.2.108]) by
 uxchange10-fe1.UoA.auckland.ac.nz ([130.216.4.112]) with mapi id
 14.02.0318.004; Tue, 19 Feb 2013 23:23:34 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "discussions@password-hashing.net" <discussions@password-hashing.net>
Thread-Topic: [PHC panel] Reply-To
Thread-Index: Ac4Oiyu4cQeOO76sTGaZwPGaNSeL6g==
Date: Tue, 19 Feb 2013 10:23:33 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C733340E2DD@uxcn10-2.UoA.auckland.ac.nz>
Accept-Language: en-GB, en-NZ, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [PHC panel] Reply-To

Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com> writes:=0A=
=0A=
>Noticed the #phc collisions;=0A=
=0A=
Sheesh, a password-derivation discussion list and we're not using a salt, n=
o=0A=
wonder there are collisions.  I propose #18b99d04a379346451e9f7a2c1410179ph=
c.=0A=
=0A=
Peter.=0A=

From pgut001@cs.auckland.ac.nz  Mar fÃ©v 19 10:24:08 2013 +0000
Return-Path: <pgut001@cs.auckland.ac.nz>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 20474 invoked by uid 89); 19 Feb 2013 10:24:08 -0000
Received: by simscan 1.4.0 ppid: 20465, pid: 20470, t: 0.7665s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mx2.auckland.ac.nz) (130.216.125.244)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 19 Feb 2013 10:24:07 -0000
Received-SPF: none (qmailtoaster.cryptyx.com: domain at cs.auckland.ac.nz does not designate permitted sender hosts)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
  d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz;
  q=dns/txt; s=uoa; t=1361269448; x=1392805448;
  h=from:to:subject:date:message-id:
   content-transfer-encoding:mime-version;
  bh=klDWrHENOy3KkWanNLiFcIpMVlWDluoWoOqMt3qGqWQ=;
  b=reeSHdc2s6SRomUQhuUGpxQI460XzVwFiak11YTJfhF8UsJfBrdDolP8
   WKqaw1mo59qwOoVQcUWKnvc2J2RM3eyPVK7hTxrwrb80dKUHMdFMT9gu9
   i5ROivAv+IYDlzPDU9TOGNjW7hpSTtXTLo31tHFbvqEJpHyP/iC1RAChH
   w=;
X-IronPort-AV: E=Sophos;i="4.84,694,1355050800"; 
   d="scan'208";a="171156119"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.106 - Outgoing - Outgoing
Received: from uxchange10-fe2.uoa.auckland.ac.nz ([130.216.4.106])
  by mx2-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 19 Feb 2013 23:24:05 +1300
Received: from UXCHANGE10-FE4.UoA.auckland.ac.nz (130.216.4.171) by
 uxchange10-fe2.UoA.auckland.ac.nz (130.216.4.106) with Microsoft SMTP Server
 (TLS) id 14.2.318.4; Tue, 19 Feb 2013 23:24:04 +1300
Received: from UXCN10-2.UoA.auckland.ac.nz ([169.254.2.108]) by
 uxchange10-fe4.UoA.auckland.ac.nz ([130.216.4.171]) with mapi id
 14.02.0318.004; Tue, 19 Feb 2013 23:24:04 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "discussions@password-hashing.net" <discussions@password-hashing.net>
Thread-Topic: [PHC] Coding of the in[inlen] array for PHS( )
Thread-Index: Ac4Oiz2vHf4bS5fpSLid7JzJLBYGOA==
Date: Tue, 19 Feb 2013 10:24:03 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C733340E2EA@uxcn10-2.UoA.auckland.ac.nz>
Accept-Language: en-GB, en-NZ, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [PHC] Coding of the in[inlen] array for PHS( )

"Dennis E. Hamilton" <dennis.hamilton@acm.org> writes:=0A=
=0A=
>It is probably necessary to specify that the values must be between 0x00 a=
nd=0A=
>0xFF as well=0A=
=0A=
And explicitly include test vectors with unusual values, 0x00, 0x80, 0x81,=
=0A=
0xFF, to make sure an implementation isn't character-set sensitive.  The=0A=
original reference Blowfish implementation got its key setup wrong for=0A=
characters with the high bit set.=0A=
=0A=
Peter.=0A=

From havoc@defuse.ca  Mar fÃ©v 19 14:36:28 2013 +0000
Return-Path: <havoc@defuse.ca>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 5684 invoked by uid 89); 19 Feb 2013 14:36:28 -0000
Received: by simscan 1.4.0 ppid: 5677, pid: 5680, t: 0.4145s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: **
X-Spam-Status: No, score=2.8 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO defuse.ca) (199.19.106.141)
  by qmailtoaster.cryptyx.com with SMTP; 19 Feb 2013 14:36:27 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at defuse.ca designates 199.19.106.141 as permitted sender)
Received: from [192.168.1.102] (S01065404a6902716.cg.shawcable.net [174.0.254.229])
	by defuse.ca (Postfix) with ESMTPSA id 2694129A600A
	for <discussions@password-hashing.net>; Tue, 19 Feb 2013 07:36:23 -0700 (MST)
Message-ID: <51238DE5.7000309@defuse.ca>
Date: Tue, 19 Feb 2013 07:36:21 -0700
From: havoc <havoc@defuse.ca>
Organization: https://defuse.ca/
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: discussions@password-hashing.net
X-Enigmail-Version: 1.5
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Required Output Key

It is important for the submissions to return two values:

(1) A standard hash for verification.
(2) A variable-length encryption key.

If an attacker has access to the hash list, they'll probably have access
to other data in the database (user's name, credit card number,
messages, etc.), and assuming a full compromise, the only way to secure
them is by encryption with a key derived from the user's password.

It's easy to create two different hashes of the single output and use
one as the hash and the other as the key. But if what's standardized
only defines a verification hash output, coders are going to have to
implement that themselves, and they're going to invent all sorts of
wacky and insecure stuff.

Some mistakes I can see happening:

1. Hashing the hash to get the key.
2. Using SHA256(password) as the key.
3. Re-running a different stretching algorithm on the password.
4. Using the hash as the key and a hash of the hash as the hash.
5. Deriving a 32-byte key from the 16-byte output.

... and so on ...

These are obvious mistakes to us, but we are cryptographers, and the
majority of coders using PHC are not. So either PHC should require
separate key/hash output parameters, or we should, in parallel, decide
upon the best scheme for deriving a (key,hash) pair from the single output.

What do you think?

Regards,
-- 
Havoc
(sorry for the nym -- I'll use my real name someday)

From dennis.hamilton@acm.org  Mar fÃ©v 19 17:55:00 2013 +0000
Return-Path: <dennis.hamilton@acm.org>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 19606 invoked by uid 89); 19 Feb 2013 17:54:59 -0000
Received: by simscan 1.4.0 ppid: 19591, pid: 19598, t: 1.1183s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.2 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO a2s42.a2hosting.com) (216.119.133.2)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 19 Feb 2013 17:54:58 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks3.google.com designates 216.119.133.2 as permitted sender)
Received: from 97-126-118-69.tukw.qwest.net ([97.126.118.69]:33527 helo=Astraendo)
	by a2s42.a2hosting.com with esmtpa (Exim 4.80)
	(envelope-from <dennis.hamilton@acm.org>)
	id 1U7rP6-002bgY-FF
	for discussions@password-hashing.net; Tue, 19 Feb 2013 12:54:56 -0500
From: "Dennis E. Hamilton" <dennis.hamilton@acm.org>
To: <discussions@password-hashing.net>
References: <51238DE5.7000309@defuse.ca>
In-Reply-To: <51238DE5.7000309@defuse.ca>
Date: Tue, 19 Feb 2013 09:54:54 -0800
Organization: NuovoDoc
Message-ID: <000001ce0eca$3a0398e0$ae0acaa0$@acm.org>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQHB2iUQuBB9gu8cCX4/uVD6M//5BZiZ2UfQ
Content-Language: en-us
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - a2s42.a2hosting.com
X-AntiAbuse: Original Domain - password-hashing.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - acm.org
X-Get-Message-Sender-Via: a2s42.a2hosting.com: authenticated_id: himself+orcmid.com/only user confirmed/virtual account not confirmed
Subject: RE: [PHC] Required Output Key

The common approach to this (illustrated by PBKDF2 but also other key
derivation functions) is to ask for a wider result and break it up into the
cryptographic parameters that are needed.  This happens, for example, with
authenticated encryption where an IV, symmetric key, and MAC key are all
needed.

So it is not necessary to have PHS( ) produce multiple results, it can
produce a wider result than just what is needed as an authentication
verifier.  

However, a successful attack on the part used as a password authenticator is
likely to be a successful attack on the rest of the PHS result.  Once the
authentication hash is compromised, one must assume that the key derivation
is as well.  (The negligible prospect of a collision on only the
authentication hash is a tolerable cost of doing business for determined
adversaries.)

It seems to me that we're right back at the problem of disclosed hashes and
the prevalence of poor passwords in situations where an off-line attack can
be carried out.

 - Dennis


-----Original Message-----
From: havoc [mailto:havoc@defuse.ca] 
Sent: Tuesday, February 19, 2013 06:36
To: discussions@password-hashing.net
Subject: [PHC] Required Output Key

It is important for the submissions to return two values:

(1) A standard hash for verification.
(2) A variable-length encryption key.

If an attacker has access to the hash list, they'll probably have access
to other data in the database (user's name, credit card number,
messages, etc.), and assuming a full compromise, the only way to secure
them is by encryption with a key derived from the user's password.

It's easy to create two different hashes of the single output and use
one as the hash and the other as the key. But if what's standardized
only defines a verification hash output, coders are going to have to
implement that themselves, and they're going to invent all sorts of
wacky and insecure stuff.

Some mistakes I can see happening:

1. Hashing the hash to get the key.
2. Using SHA256(password) as the key.
3. Re-running a different stretching algorithm on the password.
4. Using the hash as the key and a hash of the hash as the hash.
5. Deriving a 32-byte key from the 16-byte output.

... and so on ...

These are obvious mistakes to us, but we are cryptographers, and the
majority of coders using PHC are not. So either PHC should require
separate key/hash output parameters, or we should, in parallel, decide
upon the best scheme for deriving a (key,hash) pair from the single output.

What do you think?

Regards,
-- 
Havoc
(sorry for the nym -- I'll use my real name someday)


From dennis.hamilton@acm.org  Mar fÃ©v 19 17:55:01 2013 +0000
Return-Path: <dennis.hamilton@acm.org>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 19634 invoked by uid 89); 19 Feb 2013 17:55:00 -0000
Received: by simscan 1.4.0 ppid: 19600, pid: 19622, t: 0.4186s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.2 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO a2s42.a2hosting.com) (216.119.133.2)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 19 Feb 2013 17:54:59 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks3.google.com designates 216.119.133.2 as permitted sender)
Received: from 97-126-118-69.tukw.qwest.net ([97.126.118.69]:33527 helo=Astraendo)
	by a2s42.a2hosting.com with esmtpa (Exim 4.80)
	(envelope-from <dennis.hamilton@acm.org>)
	id 1U7rP8-002bgY-BB; Tue, 19 Feb 2013 12:54:58 -0500
From: "Dennis E. Hamilton" <dennis.hamilton@acm.org>
To: <discussions@password-hashing.net>
Cc: <maray@microsoft.com>
References: <000101ce0e23$af8f9570$0eaec050$@acm.org> <20130218230035.GC20985@openwall.com> <88702945-FB82-4B44-A68F-6A9F159F4077@mac.com> <20130219005344.GB22634@openwall.com> <001e01ce0e49$f6b08c90$e411a5b0$@acm.org> <218AE73F98E99C4C98AF7D5166AA798E0903752A@TK5EX14MBXC286.redmond.corp.microsoft.com> <003001ce0e66$c0a401f0$41ec05d0$@acm.org>
In-Reply-To: <003001ce0e66$c0a401f0$41ec05d0$@acm.org>
Date: Tue, 19 Feb 2013 09:54:54 -0800
Organization: NuovoDoc
Message-ID: <000201ce0eca$3b21b310$b1651930$@acm.org>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQH+j3KommtUi8+BH+f/eyitndITlwNfv9d+Ai6aCXADHEL/rwHO9ZRSAbLw2vkDCTiMQZemttjg
Content-Language: en-us
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - a2s42.a2hosting.com
X-AntiAbuse: Original Domain - password-hashing.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - acm.org
X-Get-Message-Sender-Via: a2s42.a2hosting.com: authenticated_id: himself+orcmid.com/only user confirmed/virtual account not confirmed
Subject: RE: [PHC] Coding of the in[inlen] array for PHS( )

Marsh,

An afterthought.

The great value of providing a clean, binary interface for PHS is for the
security model.  One can assume cryptographically random passwords and salts
and also control other variables, especially in a production implementation
(to the extent that timing attacks and other factors are of concern,
depending on the use case).  That's the best-case security model.

One can then look at application profiles and use cases to determine their
impact on the security model.  Since plaintext passwords are generally not
indistinguishable from random and it is known what failure to keep the hash
secret makes possible, for example, one can consider the threat model and
exposure of given application scenarios.  But to have a foundation for this,
I think one wants a very clean, understood security model at the PHS
function.

My intuition is that all of the issues are going to be in the application
profiles, their threat models, and how vulnerable those are to inept
implementation, insider failures, etc.

 - Dennis

-----Original Message-----
From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org] 
Sent: Monday, February 18, 2013 22:03
To: discussions@password-hashing.net
Subject: RE: [PHC] Coding of the in[inlen] array for PHS( )

Thanks Marsh,

I would define PHS to work on arbitrary octet strings in the in[inlen]
array.  This is at the binary level.

Then I would treat the use of particular text encodings in an interoperable
use case, or application profile.  

There are also application profiles where pure binary is desired (e.g., as
in extending a weak use of a hash to one with much stronger protection of
the same password that creates the weak hash).

[I'm assuming there's a desire that PHS be usable underneath many use
cases.]

 - Dennis

-----Original Message-----
From: Marsh Ray [mailto:maray@microsoft.com] 
Sent: Monday, February 18, 2013 19:22
To: discussions@password-hashing.net
Cc: Dennis E. Hamilton 
Subject: RE: [PHC] Coding of the in[inlen] array for PHS( )

> From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org]
> 
> I am going to risk over-stating the obvious just to make certain that I,
as a
> newcomer, am on the same page about what the tacit understanding is
> concerning what PHS( ) effectively operates on.

Thank you :-)

This is definitely something that needs to be addressed by the final stage
of the PHC. But it's probably not urgent to finalize it now.

We might look at the history of the RADIUS authentication protocol. It
handles username and password data for a variety of clients and servers.

RFC 2058 https://tools.ietf.org/html/rfc2058#page-21 didn't define or
recommend an encoding for strings.
RFC 2865 https://tools.ietf.org/html/rfc2865#section-9 defined distinct
'text' and 'string' types "Text contains UTF-8 encoded 10646 characters and
String contains 8-bit binary data." Presumably this change was made to
encourage interoperability, the IETF tends not to invoke ISO 10646 or
Unicode lightly.

How about this wording:

"The function must be well-defined for all sequences of octets supplied to
the password input. Length constraints should be clearly defined parameters
of the algorithm and should generate an error result if violated. Password
inputs with embedded NUL (0x00) byte values are allowed and are treated as
significant (even trailing NULs).

However, to promote interoperability callers are strongly encouraged to
supply character data in the form of a sequence of minimal-length UTF-8
encoded ISO 10646 characters (not including any NULs trailing or otherwise)
whenever practical. Note that this specification declines to recommend a
specific Unicode normalization form in the hope that implementers will do
the right thing.

Case-folding of password inputs is strongly discouraged, i.e., passwords
should always be treated case-sensitively."

- Marsh


From dennis.hamilton@acm.org  Mar fÃ©v 19 17:55:01 2013 +0000
Return-Path: <dennis.hamilton@acm.org>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 19636 invoked by uid 89); 19 Feb 2013 17:55:00 -0000
Received: by simscan 1.4.0 ppid: 19599, pid: 19624, t: 0.5255s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.2 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO a2s42.a2hosting.com) (216.119.133.2)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 19 Feb 2013 17:54:59 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks3.google.com designates 216.119.133.2 as permitted sender)
Received: from 97-126-118-69.tukw.qwest.net ([97.126.118.69]:33527 helo=Astraendo)
	by a2s42.a2hosting.com with esmtpa (Exim 4.80)
	(envelope-from <dennis.hamilton@acm.org>)
	id 1U7rP7-002bgY-Fy
	for discussions@password-hashing.net; Tue, 19 Feb 2013 12:54:57 -0500
From: "Dennis E. Hamilton" <dennis.hamilton@acm.org>
To: <discussions@password-hashing.net>
References: <000101ce0e23$af8f9570$0eaec050$@acm.org> <20130218230035.GC20985@openwall.com> <88702945-FB82-4B44-A68F-6A9F159F4077@mac.com> <001f01ce0e49$f7742ab0$e65c8010$@acm.org> <36E82368-2033-4AC0-AF88-E6DB67EB4B84@mac.com>
In-Reply-To: <36E82368-2033-4AC0-AF88-E6DB67EB4B84@mac.com>
Date: Tue, 19 Feb 2013 09:54:54 -0800
Organization: NuovoDoc
Message-ID: <000101ce0eca$3a9e7950$afdb6bf0$@acm.org>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQH+j3KommtUi8+BH+f/eyitndITlwNfv9d+Ai6aCXABfYJM3QFucsoOl9yWYXA=
Content-Language: en-us
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - a2s42.a2hosting.com
X-AntiAbuse: Original Domain - password-hashing.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - acm.org
X-Get-Message-Sender-Via: a2s42.a2hosting.com: authenticated_id: himself+orcmid.com/only user confirmed/virtual account not confirmed
Subject: RE: [PHC] Coding of the in[inlen] array for PHS( )

+1

The problem I had was with "network byte order" as a term of art here.  I
sense violent agreement.

I agree that the "big-endian" interpretation of in[inlen], salt[] and out[]
as representing a stream of bits is the only one that works and it is common
in specification of security primitives.  

It is better to not use the term though, and be specific about what the
abstract string of bits is relative to the C Language model, since that's
the API signature and contract.  That's what my TL;DR offering was about.

 - Dennis

PS: For me, big-endian is about interpretation of (specific-length) bit
strings as carriers for binary numerals, not about raw strings of contiguous
bits.  I expect that a specification based on blocking into words on which
arithmetic, masking, and shifting are done will be under a big-endian (and
2s complement) assumption.  

PPS: I should get a T-shirt that says I'm a "little-endian veteran of the
big-endian wars."  There is no earthly reason to specify word-sized
crypto-function operations in any other way than by what is called
big-endian representation.

-----Original Message-----
From: Larry Bugbee [mailto:bugbee@mac.com] 
Sent: Tuesday, February 19, 2013 00:08
To: discussions@password-hashing.net
Subject: Re: [PHC] Coding of the in[inlen] array for PHS( )

Hi Dennis,

First let me say I agree with the proposed numeric representations, we only
deal with bytes, and all encoding transformations happen external to PHS()
such that only agnostic bytes are fed to the algorithm.

...to which I would add a requirement the input bytes be in network byte
order (big endian) as it is arguably the more neutral byte order (little
endian can have several variants).  ...and the exact format of the stored
hashes be likewise specified so implementations on other-endian CPUs can
safely use the file/DB.  ...and like RFCs and the NIST docs, perhaps we not
speak of bytes but octets?

My preference for a specification of a byte order is motivated in part by
previous problems when building big endian implementations of algorithms
that were specified in terms of 32-bit little endian word operations.  In
one case, an encryption algorithm, I got my code to work against the
published test vectors, but it failed in the real world.  After a lot of
frustration (debugging) the cause turned out to be the vector bytes were
*already* in little endian byte order, but unspecified as such.  To make a
long story short, I had to fight endianness issues all the way thru the
algorithm without the benefit of reliable test vectors or another big endian
implementation as a reference.  (Sorry, this was years ago and I do not
remember which algorithm.  If it comes to me I'll share.)

That said, internal algorithm details are the province of the designer, but
I believe all interface details should be unambigiously specified if we want
interchangeability.  

Larry


----------------------------------------------------------------------------
------
On Feb 18, 2013, at 6:36 PM, "Dennis E. Hamilton" <dennis.hamilton@acm.org>
wrote:

> @Larry,
> 
> That makes perfect sense to me but I don't understand the addendum about
> network byte order.
> 
> What does network byte order mean in the context of a C Language array in
> storage?  Is that the same as ordering in[0], in[1], ..., in[inlen-1] and,
> with regard to accepting serial input from a byte stream, the array is
> filled with the first arrival at in[0], the second at in[1], etc.?
> 
> I assume this is the mapping that is also sensible with regard to how
digest
> algorithms are specified in terms of storage blocks.  (If there is a
> big-/little-endian assumption on framing these into multi-byte logical
> words, that is for the interior of the implementation to deal with, in my
> understanding.)
> 
> Is there something that I am missing in what you are saying?
> 
> - Dennis
> 
> -----Original Message-----
> From: Larry Bugbee [mailto:bugbee@mac.com] 
> Sent: Monday, February 18, 2013 15:57
> To: discussions@password-hashing.net
> Subject: Re: [PHC] Coding of the in[inlen] array for PHS( )
> 
> On Feb 18, 2013, at 3:00 PM, Solar Designer <solar@openwall.com> wrote:
>> In PHS(), we deal with bytes.
> 
> +1
> 
> ...and said bytes/byte strings/byte arrays should be specified to be in
> network byte order.
> 
> 


From dfoxfranke@gmail.com  Mer fÃ©v 20 02:20:27 2013 +0000
Return-Path: <dfoxfranke@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 14431 invoked by uid 89); 20 Feb 2013 02:20:27 -0000
Received: by simscan 1.4.0 ppid: 14425, pid: 14427, t: 0.1977s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-ee0-f50.google.com) (74.125.83.50)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 20 Feb 2013 02:20:27 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 74.125.83.50 as permitted sender)
Received: by mail-ee0-f50.google.com with SMTP id e51so3808946eek.23
        for <discussions@password-hashing.net>; Tue, 19 Feb 2013 18:20:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:x-received:date:message-id:subject:from:to
         :content-type;
        bh=3S6BP7tx7GsRtmC6RRySt/1ZBup+by+/CLbjJyznHkI=;
        b=yB2Z2ROmZxp9Mv26ie4NT63bDhJG1Ddr2BMHkDOy8rYBOb0/Et593S+YsbDgTZLBEK
         Kl28kUHWr5b5MvtoR+FqYmWgd1OkQzIYc6Cef+mtjbDZp4rUyNJZtB0QKGCZ+1KkuUzL
         6iFjDaQOwD+Kox1LjvGipTOvsdi4IJ1+rAVJxAwgNKe/wHTOjrgJm6qikMU5K7LMeJj7
         uvI5BivFdkWh8/cECLQY8SIDBNnYyhNG+768yuqhJ5+YK+A+YCLgIvRPKumY2iuE5B8l
         b0nGtmyPb7ACvMpMqOCeV8jRsGDSS4zDVMDep2bbaUAX/qeyMXjIZteiUK6KeB5h8LnP
         bCtA==
MIME-Version: 1.0
X-Received: by 10.14.200.137 with SMTP id z9mr63144891een.20.1361326826590;
 Tue, 19 Feb 2013 18:20:26 -0800 (PST)
Received: by 10.14.215.131 with HTTP; Tue, 19 Feb 2013 18:20:26 -0800 (PST)
Date: Tue, 19 Feb 2013 21:20:26 -0500
Message-ID: <CAJm83bAx7GA=9oSLbhrc68U6ydeJ+FZcgK7m6K09fst7XGnG6Q@mail.gmail.com>
From: Daniel Franke <dfoxfranke@gmail.com>
To: discussions@password-hashing.net
Content-Type: text/plain; charset=ISO-8859-1
Subject: A rubric for choosing cost parameters

>From the perspective of the administrator of a online service which is
required to keep up with a queue of incoming authentication requests,
the selection of cost parameters in a password-hashing scheme can be
considered as a trade-off between the following five factors:

1. m: the amount of memory that may be allocated toward the
password-hashing scheme. (smaller is better)

2. r: the number of authentication requests that can be processed per
unit time. (larger is better)

3-4. (l,\epsilon): except with probability \epsilon, the latency in
processing a given request does not exceed l. (smaller is better)

5. c: the security level of the scheme, in terms of the expected
monetary cost to the attacker of cracking a password within some fixed
time period. (larger is better)

Assume that the number of incoming requests during a unit time
interval follows a Poisson distribution with \lambda=r.

I think an appropriate way to guide the user through selecting
appropriate cost parameters is to allow the user to supply
worst-acceptable values for four of these five factors, and then
recommend cost parameters that optimize the fifth factor within
those constraints.

This suggestion, obviously, has in mind sophisticated users doing
capacity-planning for large-scale applications. For grandma's blog,
the Right Thing is to just automatically pick something reasonable and
get on with it.

From dfoxfranke@gmail.com  Mer fÃ©v 20 02:34:59 2013 +0000
Return-Path: <dfoxfranke@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 15087 invoked by uid 89); 20 Feb 2013 02:34:59 -0000
Received: by simscan 1.4.0 ppid: 15081, pid: 15083, t: 0.1817s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.4 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-ea0-f172.google.com) (209.85.215.172)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 20 Feb 2013 02:34:58 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.215.172 as permitted sender)
Received: by mail-ea0-f172.google.com with SMTP id f13so3225705eaa.31
        for <discussions@password-hashing.net>; Tue, 19 Feb 2013 18:34:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:x-received:in-reply-to:references:date:message-id
         :subject:from:to:content-type;
        bh=ysVa8xOqJ0AhES5VhVZGNysZ0gohD5gdvdiwlZorQ2E=;
        b=aQ4STfFne14LoiuorgkPcmsm2oKK6TUbxIE5ZYGFQJorGSj/i3pstT9VhDbpF1MExA
         mtdVi3RSL/Gs5enx116KoEkKJyFIZXfePycXbZX1WOfSHuZlcjhyfRJpLL33Ua8DLS1V
         dSJrRSEQpjdmN8Rjs/babINU68tZNX+0H+nP3j0B26URLntwlxka6hdSDvHpQsHMLeHi
         ow5mp5yV8PTb3lP0i0Ks3MfdEiof7TaUTD6T/XStuvUpFe5jUY27s06ZXBH8Oyo0Kxaa
         Bm/Raa25+INkGkwHtaIm/3OzL8KO7KI7B4TxCfxCU6fkVQ0nLWAxouKeQGW1CpZ+CfVN
         2TEQ==
MIME-Version: 1.0
X-Received: by 10.14.204.195 with SMTP id h43mr63827856eeo.14.1361327698459;
 Tue, 19 Feb 2013 18:34:58 -0800 (PST)
Received: by 10.14.215.131 with HTTP; Tue, 19 Feb 2013 18:34:58 -0800 (PST)
In-Reply-To: <CAJm83bAx7GA=9oSLbhrc68U6ydeJ+FZcgK7m6K09fst7XGnG6Q@mail.gmail.com>
References: <CAJm83bAx7GA=9oSLbhrc68U6ydeJ+FZcgK7m6K09fst7XGnG6Q@mail.gmail.com>
Date: Tue, 19 Feb 2013 21:34:58 -0500
Message-ID: <CAJm83bAy2UhP3W2MYPRx9BeSX552pz5dMLNjv9hLxts16WvEPg@mail.gmail.com>
From: Daniel Franke <dfoxfranke@gmail.com>
To: discussions@password-hashing.net
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: A rubric for choosing cost parameters

On Tue, Feb 19, 2013 at 9:20 PM, I <dfoxfranke@gmail.com> wrote:

> From the perspective of the administrator of a online service which is
> required to keep up with a queue of incoming authentication requests,
> the selection of cost parameters in a password-hashing scheme can be
> considered as a trade-off between the following five factors:
>
> 1. m: the amount of memory that may be allocated toward the
> password-hashing scheme. (smaller is better)
>
> 2. r: the number of authentication requests that can be processed per
> unit time. (larger is better)
>
> 3-4. (l,\epsilon): except with probability \epsilon, the latency in
> processing a given request does not exceed l. (smaller is better)
>
> 5. c: the security level of the scheme, in terms of the expected
> monetary cost to the attacker of cracking a password within some fixed
> time period. (larger is better)
>
> Assume that the number of incoming requests during a unit time
> interval follows a Poisson distribution with \lambda=r.
>
> I think an appropriate way to guide the user through selecting
> appropriate cost parameters is to allow the user to supply
> worst-acceptable values for four of these five factors, and then
> recommend cost parameters that optimize the fifth factor within
> those constraints.
>
> This suggestion, obviously, has in mind sophisticated users doing
> capacity-planning for large-scale applications. For grandma's blog,
> the Right Thing is to just automatically pick something reasonable and
> get on with it.

For some reason, as I was writing this I was thinking of CPU capacity as
being fixed. For capacity-planning purposes obviously doesn't make sense.
So, there's a sixth factor:

6. p: The maximum of CPU cores occupied with password-hashing (smaller
is better).

From jeanphilippe.aumasson@gmail.com  Sam fÃ©v 23 14:19:21 2013 +0000
Return-Path: <jeanphilippe.aumasson@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 18529 invoked by uid 89); 23 Feb 2013 14:19:21 -0000
Received: by simscan 1.4.0 ppid: 18520, pid: 18525, t: 0.2470s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.3 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-ob0-f170.google.com) (209.85.214.170)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 23 Feb 2013 14:19:20 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.214.170 as permitted sender)
Received: by mail-ob0-f170.google.com with SMTP id wc20so1430203obb.29
        for <discussions@password-hashing.net>; Sat, 23 Feb 2013 06:19:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:mime-version:from:date:message-id:subject:to
         :content-type;
        bh=7IbGwB8ng1BiMxNHqFIN1ZpxZ3+iAoR8rTj0MhY6X/A=;
        b=OJntA/9XtgfY9CmnGHwDxE8ZAjGXHyXVzycHiRJRXs+FVlMOiYLvuy90u07vu9j1+5
         j9+W7TMRB8TEcoeRPhy+96/tqo4ljUQhsq0+o6SJN64iTDMjBqeGsB3S0YJV3PgunEFG
         PMqCGLycFeEyqRq85k5PAloVBrDzhrVHW7w0bkxynNX+gUaxBShbgXDBRSfBx8BzWAbR
         WX/iLEdMoEOpPehQtlPyhHGl0/2+PqOHeJhlhLRHFrecuGRAduFXb2eWo85NA7o4ldBI
         jWMtAPFQaLGXLqegVjZIzXqAsawmjCI07ep0mEIXYg9x1PbWNI3WPoFM4AshtlKSrtWq
         hJzg==
X-Received: by 10.182.54.103 with SMTP id i7mr2166781obp.62.1361629159257;
 Sat, 23 Feb 2013 06:19:19 -0800 (PST)
MIME-Version: 1.0
Received: by 10.76.82.134 with HTTP; Sat, 23 Feb 2013 06:18:59 -0800 (PST)
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Date: Sat, 23 Feb 2013 15:18:59 +0100
Message-ID: <CAGiyFddYd-1xCohY12wvh8x_YqiywWtM85udEic4Dp4yqxxLxw@mail.gmail.com>
To: discussions@password-hashing.net
Content-Type: text/plain; charset=ISO-8859-1
Subject: Gmane

FYI, public archives of this mailing list will be available on
http://gmane.org/; more details soon.

From dennis.hamilton@acm.org  Sam fÃ©v 23 19:07:41 2013 +0000
Return-Path: <dennis.hamilton@acm.org>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 2612 invoked by uid 89); 23 Feb 2013 19:07:41 -0000
Received: by simscan 1.4.0 ppid: 2603, pid: 2605, t: 0.2682s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.2 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO a2s42.a2hosting.com) (216.119.133.2)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 23 Feb 2013 19:07:41 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks3.google.com designates 216.119.133.2 as permitted sender)
Received: from 97-126-118-69.tukw.qwest.net ([97.126.118.69]:32843 helo=Astraendo)
	by a2s42.a2hosting.com with esmtpa (Exim 4.80)
	(envelope-from <dennis.hamilton@acm.org>)
	id 1U9KRf-002JzX-7r; Sat, 23 Feb 2013 14:07:39 -0500
From: "Dennis E. Hamilton" <dennis.hamilton@acm.org>
To: <discussions@password-hashing.net>
Cc: "'Jean-Philippe Aumasson'" <jeanphilippe.aumasson@gmail.com>
References: <CAGiyFddYd-1xCohY12wvh8x_YqiywWtM85udEic4Dp4yqxxLxw@mail.gmail.com>
In-Reply-To: <CAGiyFddYd-1xCohY12wvh8x_YqiywWtM85udEic4Dp4yqxxLxw@mail.gmail.com>
Date: Sat, 23 Feb 2013 11:07:36 -0800
Organization: NuovoDoc
Message-ID: <000301ce11f9$0d21f060$2765d120$@acm.org>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQIWnlKlLqn4h4yweKN0NYjp+pfIhZf2nkJg
Content-Language: en-us
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - a2s42.a2hosting.com
X-AntiAbuse: Original Domain - password-hashing.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - acm.org
X-Get-Message-Sender-Via: a2s42.a2hosting.com: authenticated_id: himself+orcmid.com/only user confirmed/virtual account not confirmed
Subject: RE: [PHC] Gmane

Is there any direct web access for the archive where the list is hosted?  I
can't find that in the subscription information.

 - Dennis

PS: I'd prefer not to have to use GMane for this list when I don't use it
for anything else.  Ditto for NNTP.  (I'm not objecting to GMane, just
concerned that it be the only archive access.)


-----Original Message-----
From: Jean-Philippe Aumasson [mailto:jeanphilippe.aumasson@gmail.com] 
Sent: Saturday, February 23, 2013 06:19
To: discussions@password-hashing.net
Subject: [PHC] Gmane

FYI, public archives of this mailing list will be available on
http://gmane.org/; more details soon.


From jeanphilippe.aumasson@gmail.com  Lun fÃ©v 25 06:41:09 2013 +0000
Return-Path: <jeanphilippe.aumasson@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 9722 invoked by uid 89); 25 Feb 2013 06:41:09 -0000
Received: by simscan 1.4.0 ppid: 9716, pid: 9718, t: 0.3021s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.3 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-ob0-f174.google.com) (209.85.214.174)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 25 Feb 2013 06:41:08 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.214.174 as permitted sender)
Received: by mail-ob0-f174.google.com with SMTP id 16so2504482obc.5
        for <discussions@password-hashing.net>; Sun, 24 Feb 2013 22:41:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:mime-version:in-reply-to:references:from:date:message-id
         :subject:to:content-type;
        bh=BWMMv76yCD0aN0lEK9GkHEeS+ijnasZvx1833m9KFow=;
        b=EIZAOApuM5/piwavvN1MdW/aFfDb7JvwwqSIfJabK5UEvqUJvg5wDPTpOnaAFAzwnX
         7KJ92ajDdtZ/HMyKQL4RyH082iQ8LjokdkBH2YNBEFKeK/9vdMWwv+w3upXp4tXlkFtX
         TdDgQOVOAh4hEaX/a9imB4/MnPgbTl69KUwI3CpS1eBv7OACibf7QRFHpV25ZgW5QKlP
         WhYQrTI5reoCWsZnylWtCIIRdE4V4UYSHmp4z6O4HSaW2FB4NVUgRotZNOmU++mtb5s+
         DQzM6Uuz6bDsMVbITA6oOopeI66yKptwKnA4oFAb6qA8FTZD6FXfWJ/1m2xwJAaWiFjn
         +H5g==
X-Received: by 10.60.2.164 with SMTP id 4mr6472573oev.85.1361774466954; Sun,
 24 Feb 2013 22:41:06 -0800 (PST)
MIME-Version: 1.0
Received: by 10.76.82.134 with HTTP; Sun, 24 Feb 2013 22:40:46 -0800 (PST)
In-Reply-To: <000301ce11f9$0d21f060$2765d120$@acm.org>
References: <CAGiyFddYd-1xCohY12wvh8x_YqiywWtM85udEic4Dp4yqxxLxw@mail.gmail.com>
 <000301ce11f9$0d21f060$2765d120$@acm.org>
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Date: Mon, 25 Feb 2013 07:40:46 +0100
Message-ID: <CAGiyFddHpVnq0b-UvJuu_vEGbckxLkTELt02n+Gw2194LDxHDg@mail.gmail.com>
To: discussions@password-hashing.net
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [PHC] Gmane

It should appear soon on http://gmane.org/find.php?list=gmane.comp.security

On Sat, Feb 23, 2013 at 8:07 PM, Dennis E. Hamilton
<dennis.hamilton@acm.org> wrote:
> Is there any direct web access for the archive where the list is hosted?  I
> can't find that in the subscription information.
>
>  - Dennis
>
> PS: I'd prefer not to have to use GMane for this list when I don't use it
> for anything else.  Ditto for NNTP.  (I'm not objecting to GMane, just
> concerned that it be the only archive access.)
>
>
> -----Original Message-----
> From: Jean-Philippe Aumasson [mailto:jeanphilippe.aumasson@gmail.com]
> Sent: Saturday, February 23, 2013 06:19
> To: discussions@password-hashing.net
> Subject: [PHC] Gmane
>
> FYI, public archives of this mailing list will be available on
> http://gmane.org/; more details soon.
>

From jeanphilippe.aumasson@gmail.com  Lun fÃ©v 25 06:47:07 2013 +0000
Return-Path: <jeanphilippe.aumasson@gmail.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 10297 invoked by uid 89); 25 Feb 2013 06:47:07 -0000
Received: by simscan 1.4.0 ppid: 10291, pid: 10293, t: 0.3203s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.3 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO mail-oa0-f52.google.com) (209.85.219.52)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 25 Feb 2013 06:47:06 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 209.85.219.52 as permitted sender)
Received: by mail-oa0-f52.google.com with SMTP id k14so2605250oag.11
        for <discussions@password-hashing.net>; Sun, 24 Feb 2013 22:47:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:mime-version:in-reply-to:references:from:date:message-id
         :subject:to:content-type;
        bh=7sjbnYlT0Bt44YCPinh0c0MwTrVsMX6nttGzOFhvgeA=;
        b=luZCnujHU1FhnnSfClX12JzSOegLysjoYyRwqKLiaCAtKkKL/r5K2J79Ygg0maT//V
         1wjIw493jibeW6DpDnwFMUC1It4sTWDXMuQwV5Q+nJ1ghaCnApjQokFGnn09or2XWVl3
         WICbpgUrn+x//ScNvj5Amorc3g4HqwkSIvgeheuv3nrDtQs5GiscaobdcFoYG4NolyX7
         DXLMP1NRGJWqrXPaSXvkqZT3OE4Nrk5qKpI6jMBPV6K1pNND/yro2XqKyijWHrlDxanH
         9vH2Q+N9B5ThnlBh29QdGoY+cwE6bDFQu7zO0ivE25G+HVAoCRSAgr+B8gtZHO1BmZow
         Mwnw==
X-Received: by 10.182.160.106 with SMTP id xj10mr6455036obb.98.1361774825360;
 Sun, 24 Feb 2013 22:47:05 -0800 (PST)
MIME-Version: 1.0
Received: by 10.76.82.134 with HTTP; Sun, 24 Feb 2013 22:46:45 -0800 (PST)
In-Reply-To: <CAGiyFddHpVnq0b-UvJuu_vEGbckxLkTELt02n+Gw2194LDxHDg@mail.gmail.com>
References: <CAGiyFddYd-1xCohY12wvh8x_YqiywWtM85udEic4Dp4yqxxLxw@mail.gmail.com>
 <000301ce11f9$0d21f060$2765d120$@acm.org> <CAGiyFddHpVnq0b-UvJuu_vEGbckxLkTELt02n+Gw2194LDxHDg@mail.gmail.com>
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Date: Mon, 25 Feb 2013 07:46:45 +0100
Message-ID: <CAGiyFdeqwKt5Yni8iJyp__q6xpK3spmWYV3XfqKn+3J0pjaTMQ@mail.gmail.com>
To: discussions@password-hashing.net
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [PHC] Gmane

It's up: http://dir.gmane.org/gmane.comp.security.phc


On Mon, Feb 25, 2013 at 7:40 AM, Jean-Philippe Aumasson
<jeanphilippe.aumasson@gmail.com> wrote:
> It should appear soon on http://gmane.org/find.php?list=gmane.comp.security
>
> On Sat, Feb 23, 2013 at 8:07 PM, Dennis E. Hamilton
> <dennis.hamilton@acm.org> wrote:
>> Is there any direct web access for the archive where the list is hosted?  I
>> can't find that in the subscription information.
>>
>>  - Dennis
>>
>> PS: I'd prefer not to have to use GMane for this list when I don't use it
>> for anything else.  Ditto for NNTP.  (I'm not objecting to GMane, just
>> concerned that it be the only archive access.)
>>
>>
>> -----Original Message-----
>> From: Jean-Philippe Aumasson [mailto:jeanphilippe.aumasson@gmail.com]
>> Sent: Saturday, February 23, 2013 06:19
>> To: discussions@password-hashing.net
>> Subject: [PHC] Gmane
>>
>> FYI, public archives of this mailing list will be available on
>> http://gmane.org/; more details soon.
>>

From Stefan.Lucks@uni-weimar.de  Lun fÃ©v 25 13:34:44 2013 +0000
Return-Path: <Stefan.Lucks@uni-weimar.de>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 26556 invoked by uid 89); 25 Feb 2013 13:34:44 -0000
Received: by simscan 1.4.0 ppid: 26550, pid: 26552, t: 0.3171s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO smtpout-1.uni-weimar.de) (141.54.1.101)
  by qmailtoaster.cryptyx.com with SMTP; 25 Feb 2013 13:34:43 -0000
Received-SPF: none (qmailtoaster.cryptyx.com: domain at uni-weimar.de does not designate permitted sender hosts)
Received: from mailgate.uni-weimar.de (mailgate.uni-weimar.de [141.54.1.3])
	by smtpout-1.uni-weimar.de (8.14.3/8.14.3) with ESMTP id r1PDYLjD029835;
	Mon, 25 Feb 2013 14:34:22 +0100 (CET)
Received: from medsec1.medien.uni-weimar.de (medsec1.medien.uni-weimar.de [141.54.178.228])
	(authenticated bits=0)
	by mailgate.uni-weimar.de (8.13.6/8.13.6) with ESMTP id r1PDYML9006636
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
	Mon, 25 Feb 2013 14:34:23 +0100 (CET)
Date: Mon, 25 Feb 2013 14:34:15 +0100 (CET)
From: Stefan.Lucks@uni-weimar.de
X-X-Sender: lucks@debian
To: Marsh Ray <maray@microsoft.com>
cc: Jeffrey Goldberg <Jeffrey@goldmark.org>,
        "discussions@password-hashing.net" <discussions@password-hashing.net>
In-Reply-To: <218AE73F98E99C4C98AF7D5166AA798E09036FE5@TK5EX14MBXC286.redmond.corp.microsoft.com>
Message-ID: <alpine.DEB.2.02.1302251434090.15997@debian>
References: <49646EF5-3F83-45A8-89CD-B444143EBDB9@goldmark.org> <218AE73F98E99C4C98AF7D5166AA798E09036FE5@TK5EX14MBXC286.redmond.corp.microsoft.com>
User-Agent: Alpine 2.02 (DEB 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="8323329-895712113-1361799256=:15997"
X-Virus-Scanned: clamav-milter 0.97.5 at uni-weimar.de
X-Virus-Status: Clean
Subject: RE: [PHC] Any "large verifiers" on the panel?

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

--8323329-895712113-1361799256=:15997
Content-Type: TEXT/PLAIN; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 8BIT

On Sun, 17 Feb 2013, Marsh Ray wrote:

> While I'm not at liberty to disclose the exact number of password 
> authentications we process, I can say that it really comes down to 
> deciding how much CPU load you're willing to put on the system. Many 
> systems, you specify a password only once to login, and everything after 
> that is done with cookies. So even a very high work factor setting may 
> not represent a noticeable hit on overall server load.

Ouch! So I log in once at your site (*), and soon close the connection. 
But, since one or more cookies are left on my computer, any trojan that 
later takes over my computer will be able to log in at your site, again?

That is really poor security, and a good reason to delete cookies very 
frequently, I think!

> Another anecdote comes from Moxie Marlinspike when he was at Twitter. We 
> were discussing memory-hard password hashing functions, and his response 
> was to the effect of "yeah we would definitely not be able to handle 
> near as many simultaneous auths as we do now if the shared memory bus of 
> the multicore server were constantly saturated."

Indeed, that is an issue for memory-hard password hashing functions.(**)

Actually, the current way of applying a password-hashing function by the 
server is sub-optimal, at least.

Ideally, given a (slow, memory-hard, or whatver) function F and a 
cryptographic hash function H, the password hash should be X := 
H(F(password, salt, ...)). Now, the client could compute Y := F(password, 
salt, ...), and the server would only have to compute H(Y). So the server 
would neither need many CPU cycles, nor much memory -- and still, 
password, cracking would not get any simpler.

The only assumption is that F cannot be so slow or memory-demanding that 
it would not run reasonably fast on the client at hand.

So long

Stefan

P.S.: Sorry for my late response. I had been on a vacation last week.


-------------
(*)  I understand that it is not really "your" site, of course. ;-)
(**) I'd prefer to call them Password Scrambling Functions, but that is
      just me and my taste.

--
------  I  love  the  taste  of  Cryptanalysis  in  the morning!  ------
     <http://www.uni-weimar.de/cms/medien/mediensicherheit/home.html>
--Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universität Weimar, Germany--

--8323329-895712113-1361799256=:15997--

From patrick@patrickmn.com  Lun fÃ©v 25 16:21:42 2013 +0000
Return-Path: <patrick@patrickmn.com>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 13899 invoked by uid 89); 25 Feb 2013 16:21:42 -0000
Received: by simscan 1.4.0 ppid: 13893, pid: 13895, t: 0.3833s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=4.0 tests=HTML_MESSAGE,RDNS_NONE
	autolearn=no version=3.2.5
Received: from unknown (HELO mail-we0-f177.google.com) (74.125.82.177)
  by qmailtoaster.cryptyx.com with (RC4-SHA encrypted) SMTP; 25 Feb 2013 16:21:42 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks.google.com designates 74.125.82.177 as permitted sender)
Received: by mail-we0-f177.google.com with SMTP id d7so2597615wer.8
        for <discussions@password-hashing.net>; Mon, 25 Feb 2013 08:21:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=patrickmylund.com; s=pmylund;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:cc:content-type;
        bh=2Z13gs1l6E3FnXu+IApC6QjT2JrBGIhWzgDdWbQATvk=;
        b=Lad8HRXDQjnDMsjOpi+f8AmFa/E8tS/GTBF3NWzRtPQGwVgL0Dh49IMiPzs/nXDars
         vpPASFQWqSnbPgTTkNag1vgRHDpMz2lFL6NmYEN87GzPmYx/F33Iq4qBwcC44OpIZWfZ
         /j5hMAwS7fqhtGRWhhbBMujCpl4Y7LxOtuNWo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=mime-version:x-received:x-originating-ip:in-reply-to:references
         :date:message-id:subject:from:to:cc:content-type:x-gm-message-state;
        bh=2Z13gs1l6E3FnXu+IApC6QjT2JrBGIhWzgDdWbQATvk=;
        b=I9htkl5vXAJD6SogtUMq+HBKMtY1O0Ry2ETgcxc+0cvoFRrFmx+6NX5HtNRRwjWSyh
         3xj1p6vS+gaWsJsA680pDwfg1lfH/4hyVl/bTlxC4o0g4tRuJ0NBgCo4KlAc05No9KDG
         /m70pSyiZWHwObwVDv/v1663pbvqK1gJnel7lF04Ri4JrKCAu4fqTJS37Rv+jaOwtEOX
         U8PSOgocSG58NiXrVV1j1bIQUSHlaPStRcmLrQUChcmH1w65tu2YfGjF8OUhN41U3/6t
         o3FHZOsav0cIpet1qtPO2KjU5TqRiHURqWd2zb0WQSXQb8iFx3bW1On/3VG/JDH7J/mQ
         /5aw==
MIME-Version: 1.0
X-Received: by 10.180.97.166 with SMTP id eb6mr13242316wib.20.1361809301477;
 Mon, 25 Feb 2013 08:21:41 -0800 (PST)
Received: by 10.194.30.166 with HTTP; Mon, 25 Feb 2013 08:21:41 -0800 (PST)
X-Originating-IP: [85.224.171.72]
In-Reply-To: <alpine.DEB.2.02.1302251434090.15997@debian>
References: <49646EF5-3F83-45A8-89CD-B444143EBDB9@goldmark.org>
	<218AE73F98E99C4C98AF7D5166AA798E09036FE5@TK5EX14MBXC286.redmond.corp.microsoft.com>
	<alpine.DEB.2.02.1302251434090.15997@debian>
Date: Mon, 25 Feb 2013 17:21:41 +0100
Message-ID: <CAEw2jfyVt52wNjUszf=EB0o2KySEjUx0=2MyuyqzcE8XnNkD4g@mail.gmail.com>
From: Patrick Mylund Nielsen <patrick@patrickmylund.com>
To: "discussions@password-hashing.net" <discussions@password-hashing.net>
Cc: Marsh Ray <maray@microsoft.com>, Jeffrey Goldberg <Jeffrey@goldmark.org>
Content-Type: multipart/alternative; boundary=f46d04430664aa996a04d68eefc4
X-Gm-Message-State: ALoCoQkg+C4a0fhZNzkp2mLQY46qnVmDgkmqEs+IxKk/1VjcUWOPdz9vqGcHfHcrSy2VeohOFXt1
Subject: Re: [PHC] Any "large verifiers" on the panel?

--f46d04430664aa996a04d68eefc4
Content-Type: text/plain; charset=UTF-8

On Mon, Feb 25, 2013 at 2:34 PM, <Stefan.Lucks@uni-weimar.de> wrote:

> On Sun, 17 Feb 2013, Marsh Ray wrote:
>
>  While I'm not at liberty to disclose the exact number of password
>> authentications we process, I can say that it really comes down to deciding
>> how much CPU load you're willing to put on the system. Many systems, you
>> specify a password only once to login, and everything after that is done
>> with cookies. So even a very high work factor setting may not represent a
>> noticeable hit on overall server load.
>>
>
> Ouch! So I log in once at your site (*), and soon close the connection.
> But, since one or more cookies are left on my computer, any trojan that
> later takes over my computer will be able to log in at your site, again?
>
> That is really poor security, and a good reason to delete cookies very
> frequently, I think!
>
>
Yeah, but this is not avoidable if you have any kind of session mechanism,
and whether it uses a memory-hard function or not. You can't protect
against somebody taking over a user's machine. You can protect against
somebody taking over a server and trivially gathering all its users'
passwords.


>
>  Another anecdote comes from Moxie Marlinspike when he was at Twitter. We
>> were discussing memory-hard password hashing functions, and his response
>> was to the effect of "yeah we would definitely not be able to handle near
>> as many simultaneous auths as we do now if the shared memory bus of the
>> multicore server were constantly saturated."
>>
>
> Indeed, that is an issue for memory-hard password hashing functions.(**)
>
> Actually, the current way of applying a password-hashing function by the
> server is sub-optimal, at least.
>
> Ideally, given a (slow, memory-hard, or whatver) function F and a
> cryptographic hash function H, the password hash should be X :=
> H(F(password, salt, ...)). Now, the client could compute Y := F(password,
> salt, ...), and the server would only have to compute H(Y). So the server
> would neither need many CPU cycles, nor much memory -- and still, password,
> cracking would not get any simpler.
>
> The only assumption is that F cannot be so slow or memory-demanding that
> it would not run reasonably fast on the client at hand.
>
>
Yes, client would be great, but as it is, most applications (i.e. web
applications) don't have a way to run an efficient KDF client-side.
Hopefully some subset of the functions PHC selects could be added to e.g.
the WebCrypto API.

--f46d04430664aa996a04d68eefc4
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>On Mon, Feb 25, 2013 at 2:34 PM,  <span dir=3D"ltr">&=
lt;<a href=3D"mailto:Stefan.Lucks@uni-weimar.de" target=3D"_blank">Stefan.L=
ucks@uni-weimar.de</a>&gt;</span> wrote:<br></div><div class=3D"gmail_extra=
"><div class=3D"gmail_quote">
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;p=
adding-left:1ex"><div class=3D"im">On Sun, 17 Feb 2013, Marsh Ray wrote:<br=
>
<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;p=
adding-left:1ex">
While I&#39;m not at liberty to disclose the exact number of password authe=
ntications we process, I can say that it really comes down to deciding how =
much CPU load you&#39;re willing to put on the system. Many systems, you sp=
ecify a password only once to login, and everything after that is done with=
 cookies. So even a very high work factor setting may not represent a notic=
eable hit on overall server load.<br>

</blockquote>
<br></div>
Ouch! So I log in once at your site (*), and soon close the connection. But=
, since one or more cookies are left on my computer, any trojan that later =
takes over my computer will be able to log in at your site, again?<br>

<br>
That is really poor security, and a good reason to delete cookies very freq=
uently, I think!<div class=3D"im"><br></div></blockquote><div><span style=
=3D"font-family:arial,sans-serif;font-size:13px"><br></span></div><div><spa=
n style=3D"font-family:arial,sans-serif;font-size:13px">Yeah, but this is n=
ot avoidable if you have any kind of session mechanism, and whether it uses=
 a memory-hard function or not. You can&#39;t protect against somebody taki=
ng over a user&#39;s machine. You can protect against somebody taking over =
a server and trivially gathering all its users&#39; passwords.</span></div>
<div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px =
0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-l=
eft-style:solid;padding-left:1ex"><div class=3D"im">
<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;p=
adding-left:1ex">
Another anecdote comes from Moxie Marlinspike when he was at Twitter. We we=
re discussing memory-hard password hashing functions, and his response was =
to the effect of &quot;yeah we would definitely not be able to handle near =
as many simultaneous auths as we do now if the shared memory bus of the mul=
ticore server were constantly saturated.&quot;<br>

</blockquote>
<br></div>
Indeed, that is an issue for memory-hard password hashing functions.(**)<br=
>
<br>
Actually, the current way of applying a password-hashing function by the se=
rver is sub-optimal, at least.<br>
<br>
Ideally, given a (slow, memory-hard, or whatver) function F and a cryptogra=
phic hash function H, the password hash should be X :=3D H(F(password, salt=
, ...)). Now, the client could compute Y :=3D F(password, salt, ...), and t=
he server would only have to compute H(Y). So the server would neither need=
 many CPU cycles, nor much memory -- and still, password, cracking would no=
t get any simpler.<br>

<br>
The only assumption is that F cannot be so slow or memory-demanding that it=
 would not run reasonably fast on the client at hand.<br>
<br></blockquote><div><br></div><div style>Yes, client would be great, but =
as it is, most applications (i.e. web applications) don&#39;t have a way to=
 run an efficient KDF client-side. Hopefully some subset of the functions P=
HC selects could be added to e.g. the WebCrypto API.</div>
<div>=C2=A0</div></div></div></div>

--f46d04430664aa996a04d68eefc4--

From dennis.hamilton@acm.org  Lun fÃ©v 25 18:44:15 2013 +0000
Return-Path: <dennis.hamilton@acm.org>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 26090 invoked by uid 89); 25 Feb 2013 18:44:15 -0000
Received: by simscan 1.4.0 ppid: 26084, pid: 26086, t: 0.3319s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.2 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO a2s42.a2hosting.com) (216.119.133.2)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 25 Feb 2013 18:44:15 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks3.google.com designates 216.119.133.2 as permitted sender)
Received: from 97-126-118-69.tukw.qwest.net ([97.126.118.69]:33351 helo=Astraendo)
	by a2s42.a2hosting.com with esmtpa (Exim 4.80)
	(envelope-from <dennis.hamilton@acm.org>)
	id 1UA323-000Rqn-Fj; Mon, 25 Feb 2013 13:44:11 -0500
From: "Dennis E. Hamilton" <dennis.hamilton@acm.org>
To: <discussions@password-hashing.net>,
	"'Marsh Ray'" <maray@microsoft.com>
Cc: "'Jeffrey Goldberg'" <Jeffrey@goldmark.org>,
	<Stefan.Lucks@uni-weimar.de>
References: <49646EF5-3F83-45A8-89CD-B444143EBDB9@goldmark.org> <218AE73F98E99C4C98AF7D5166AA798E09036FE5@TK5EX14MBXC286.redmond.corp.microsoft.com> <alpine.DEB.2.02.1302251434090.15997@debian>
In-Reply-To: <alpine.DEB.2.02.1302251434090.15997@debian>
Date: Mon, 25 Feb 2013 10:44:11 -0800
Organization: NuovoDoc
Message-ID: <00ab01ce1388$1b9da7c0$52d8f740$@acm.org>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQIQ22aJ7A99izwSts3Pg1dVHSmnGAIAUlUeAVTKTwiX6qC0kA==
Content-Language: en-us
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - a2s42.a2hosting.com
X-AntiAbuse: Original Domain - password-hashing.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - acm.org
X-Get-Message-Sender-Via: a2s42.a2hosting.com: authenticated_id: himself+orcmid.com/only user confirmed/virtual account not confirmed
Subject: RE: [PHC] Any "large verifiers" on the panel?

+1

That's very appealing.  It is not necessary for a client-side F( ) to be =
disclosed in any way to the authenticator so long as the submitted =
binary string (which is what the authentication service retains a hash =
of), a password-independent key, is indistinguishable from random and =
has enough bits to make a meet-in-the-middle attack on it =
computationally infeasible in the event that the authentication =
service's retained form is disclosed.

Furthermore, the client procedure should be such that the same key is =
never reused for a different account/authentication, so even if there is =
a compromise, there is no "password" that can be reused with another =
system.  The chance of collisions with keys for other users should be =
negligible.  (This can be aided by having something locally-unique mixed =
into the server-side transformed value, confounding reuse of disclosed =
server-carried authentication data.

This puts all of the great secrets (such as cryptographically-random =
salts, and any user-memorable password used in the scheme) in the =
custody of the user.  Now the problem is providing an user agent of some =
form that will be used, keeps the generated data secure, and is =
recoverable in the advent of misadventure on the client side.  This is =
far more than a technical problem. =20

I've been noodling about this for a while.
<http://nfoworks.org/notes/2012/08/n120801.htm>=20
   for considerations and principles
<https://www.oasis-open.org/committees/document.php?document_id=3D46218> =

   for a particular instance (all work being "client-side")
   (some small cleanups are about to be posted)
<https://tools.oasis-open.org/version-control/svn/oic/Advisories/00009-Pr=
otectionKeySafety/trunk/description.html>=20
   for a higher-level discussion that motivates the particular instance

 - Dennis




-----Original Message-----
From: Stefan.Lucks@uni-weimar.de [mailto:Stefan.Lucks@uni-weimar.de]=20
Sent: Monday, February 25, 2013 05:34
To: Marsh Ray
Cc: Jeffrey Goldberg; discussions@password-hashing.net
Subject: RE: [PHC] Any "large verifiers" on the panel?

[ ... ]

Ideally, given a (slow, memory-hard, or whatver) function F and a=20
cryptographic hash function H, the password hash should be X :=3D=20
H(F(password, salt, ...)). Now, the client could compute Y :=3D =
F(password,=20
salt, ...), and the server would only have to compute H(Y). So the =
server=20
would neither need many CPU cycles, nor much memory -- and still,=20
password, cracking would not get any simpler.

The only assumption is that F cannot be so slow or memory-demanding that =

it would not run reasonably fast on the client at hand.

So long

Stefan

P.S.: Sorry for my late response. I had been on a vacation last week.


-------------
(*)  I understand that it is not really "your" site, of course. ;-)
(**) I'd prefer to call them Password Scrambling Functions, but that is
      just me and my taste.

--
------  I  love  the  taste  of  Cryptanalysis  in  the morning!  ------
     <http://www.uni-weimar.de/cms/medien/mediensicherheit/home.html>
--Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universit=C3=A4t Weimar, =
Germany--


From dennis.hamilton@acm.org  Mar fÃ©v 26 19:04:06 2013 +0000
Return-Path: <dennis.hamilton@acm.org>
Mailing-List: contact discussions-help@password-hashing.net; run by ezmlm
Delivered-To: mailing list discussions@password-hashing.net
Received: (qmail 21144 invoked by uid 89); 26 Feb 2013 19:04:06 -0000
Received: by simscan 1.4.0 ppid: 21138, pid: 21140, t: 0.3793s
         scanners: attach: 1.4.0 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	qmailtoaster.cryptyx.com
X-Spam-Level: 
X-Spam-Status: No, score=0.2 required=4.0 tests=AWL,RDNS_NONE autolearn=no
	version=3.2.5
Received: from unknown (HELO a2s42.a2hosting.com) (216.119.133.2)
  by qmailtoaster.cryptyx.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 26 Feb 2013 19:04:06 -0000
Received-SPF: pass (qmailtoaster.cryptyx.com: SPF record at _netblocks3.google.com designates 216.119.133.2 as permitted sender)
Received: from 97-126-118-69.tukw.qwest.net ([97.126.118.69]:33491 helo=Astraendo)
	by a2s42.a2hosting.com with esmtpa (Exim 4.80)
	(envelope-from <dennis.hamilton@acm.org>)
	id 1UAPoq-0007fF-85
	for discussions@password-hashing.net; Tue, 26 Feb 2013 14:04:04 -0500
From: "Dennis E. Hamilton" <dennis.hamilton@acm.org>
To: <discussions@password-hashing.net>
Date: Tue, 26 Feb 2013 11:04:01 -0800
Organization: NuovoDoc
Message-ID: <007c01ce1454$0c4f3910$24edab30$@acm.org>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac4URCt+IMDDsyBnTBGkPySPAePyRw==
Content-Language: en-us
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - a2s42.a2hosting.com
X-AntiAbuse: Original Domain - password-hashing.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - acm.org
X-Get-Message-Sender-Via: a2s42.a2hosting.com: authenticated_id: himself+orcmid.com/only user confirmed/virtual account not confirmed
Subject: Client Side Token Exploits (was RE: [PHC] Any "large verifiers" on the panel?)

I mentioned that, if cryptographic-quality tokens (derived keys) are =
derived/preserved client side, there needs to be mitigation against =
pass-the-hash and similar exploits if one of them is discovered.  For =
example, it should not work the way that Google "Application Specific =
Password" works/worked:
<https://blog.duosecurity.com/2013/02/bypassing-googles-two-factor-authen=
tication/>.

If the ASPs were subject to an additional transformation that mixed in =
some invariant with respect to the "application" (specific =
authentication context), the substitution of a key issued for a =
different application of the same user would fail in any reuse for =
something as critical as account administration.  And some actions =
should probably not ever bypass the two-factor auth as a defense against =
compromise of the key and/or the derived value retained by the =
authentication system.

 - Dennis

-----Original Message-----
From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org]=20
Sent: Monday, February 25, 2013 10:44
To: discussions@password-hashing.net; 'Marsh Ray'
Cc: 'Jeffrey Goldberg'; Stefan.Lucks@uni-weimar.de
Subject: RE: [PHC] Any "large verifiers" on the panel?

+1

That's very appealing.  It is not necessary for a client-side F( ) to be =
disclosed in any way to the authenticator so long as the submitted =
binary string (which is what the authentication service retains a hash =
of), a password-independent key, is indistinguishable from random and =
has enough bits to make a meet-in-the-middle attack on it =
computationally infeasible in the event that the authentication =
service's retained form is disclosed.

Furthermore, the client procedure should be such that the same key is =
never reused for a different account/authentication, so even if there is =
a compromise, there is no "password" that can be reused with another =
system.  The chance of collisions with keys for other users should be =
negligible.  (This can be aided by having something locally-unique mixed =
into the server-side transformed value, confounding reuse of disclosed =
server-carried authentication data.

This puts all of the great secrets (such as cryptographically-random =
salts, and any user-memorable password used in the scheme) in the =
custody of the user.  Now the problem is providing an user agent of some =
form that will be used, keeps the generated data secure, and is =
recoverable in the advent of misadventure on the client side.  This is =
far more than a technical problem. =20

I've been noodling about this for a while.
<http://nfoworks.org/notes/2012/08/n120801.htm>=20
   for considerations and principles
<https://www.oasis-open.org/committees/document.php?document_id=3D46218> =

   for a particular instance (all work being "client-side")
   (some small cleanups are about to be posted)
<https://tools.oasis-open.org/version-control/svn/oic/Advisories/00009-Pr=
otectionKeySafety/trunk/description.html>=20
   for a higher-level discussion that motivates the particular instance

 - Dennis




-----Original Message-----
From: Stefan.Lucks@uni-weimar.de [mailto:Stefan.Lucks@uni-weimar.de]=20
Sent: Monday, February 25, 2013 05:34
To: Marsh Ray
Cc: Jeffrey Goldberg; discussions@password-hashing.net
Subject: RE: [PHC] Any "large verifiers" on the panel?

[ ... ]

Ideally, given a (slow, memory-hard, or whatver) function F and a=20
cryptographic hash function H, the password hash should be X :=3D=20
H(F(password, salt, ...)). Now, the client could compute Y :=3D =
F(password,=20
salt, ...), and the server would only have to compute H(Y). So the =
server=20
would neither need many CPU cycles, nor much memory -- and still,=20
password, cracking would not get any simpler.

The only assumption is that F cannot be so slow or memory-demanding that =

it would not run reasonably fast on the client at hand.

So long

Stefan

P.S.: Sorry for my late response. I had been on a vacation last week.


-------------
(*)  I understand that it is not really "your" site, of course. ;-)
(**) I'd prefer to call them Password Scrambling Functions, but that is
      just me and my taste.

--
------  I  love  the  taste  of  Cryptanalysis  in  the morning!  ------
     <http://www.uni-weimar.de/cms/medien/mediensicherheit/home.html>
--Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universit=C3=A4t Weimar, =
Germany--

