[148686] in cryptography@c2.net mail archive
Re: [Cryptography] Serious paranoia...
daemon@ATHENA.MIT.EDU (Bill Cox)
Tue Dec 24 23:04:05 2013
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <CAMm+LwgZWK1Qqzk-U=ne+H55c7N2aBFtZiJciRA6VUAmu0yeOQ@mail.gmail.com>
Date: Tue, 24 Dec 2013 20:35:59 -0500
From: Bill Cox <waywardgeek@gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
So, consensus seems to be that this is just paranoia. I prefer that to the
thought that some poor guy actually has to spend time dealing with my dumb
posts to earn a living.
My next question is shills. I often think I'm seeing potential shills, but
it's hard to tell a shill paid to subvert Internet security from the common
dork. For example, on one of my other posts on this forum, "Why don't we
protect our passwords", I agree wholeheartedly with Arnold when today he
wrote:
"So why the lack of attention to KDFs? If one tenth the effort to replace
SHA-2 had been devoted to improving password storage, the benefits to
industry and the public would be far greater than anything we can expect
from SHA-3. While I'm glad to hear that there is at last a
password-hashing competition (password-hashing.net), scrypt is available
now. As long as an algorithm identifier is included in a password database,
it's easy to substitute a better algorithm when it comes along. And is
there any cryptographer out there who knows the algorithm and believes that
scrypt could be weaker than PBKDF2? Seriously?"
In response, Krisztián Pintér wrote:
"> to substitute a better algorithm when it comes along. And is there
> any cryptographer out there who knows the algorithm and believes
> that scrypt could be weaker than PBKDF2? Seriously?
yep, plenty. for example all that knows the principle of not using
branching/indexing on secret. pbkdf2 does not do that, and therefore
safe against cache timing attacks. the same can not be said about
either bcrypt, which uses secret based s-boxes, but especially not
scrypt, which uses secret based memory access wildly.
one could also ask how safe it is to sprinkle the secret all over the
RAM, increasing the risk of getting swapped to disc, or being
recoverable by cold boot attack.
there is a lot to fear about scrypt. don't forget, we live in the era
of side channel attacks. the safety of scrypt against direct attacks
does not grant much in the real world."
I don't mean to call people names. I'm only using Krisztián's post as a
recent example, of which there are many. Krisztián Pintér clearly doesn't
want to switch to scrypt, which AFAIK any non-dork can tell improves
security against common real attacks, which far outweighs Krisztián's
concerns about side-channel attacks, and OMG, what was that crazy rant
about sprinkling secret data all over RAM? It's just the output of a
respected stream cipher! From where I'm sitting, Krisztián's position is
so lame, it makes me think he may be getting paid to spread FUD.
So, is Krisztián a dork or a shill? Do we live in a world where we can't
chat intelligently about security because of NSA shills, or is the world
really full of that many dorks?
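The point Arnold makes in the quoted passage, that a password database which records an algorithm identifier next to each hash can swap in a better KDF later, is easy to show in code. The following is an added example written for this archive page, not code from anyone in the thread: each stored record is tagged with the algorithm and its cost parameters, verification dispatches on that tag, and a login-time path re-hashes records that were made with the older algorithm. The record layout, the identifier strings and the cost parameters are this example's own assumptions (the parameters are deliberately small so the example runs quickly); it uses only hashlib.pbkdf2_hmac and hashlib.scrypt from the Python standard library.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Algorithm identifiers stored in front of every record. These names and the
# "$alg$params$salt$hash" layout are this example's own convention (assumption).
PBKDF2_ID = "pbkdf2-sha256"
SCRYPT_ID = "scrypt"
PREFERRED = SCRYPT_ID  # algorithm that new and upgraded records should use

# Cost parameters are illustrative (assumption), chosen so the example runs
# quickly; a real deployment tunes them to its own hardware.
PBKDF2_ITERATIONS = 100_000
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def _derive(alg: str, params: str, password: bytes, salt: bytes) -> bytes:
    """Run the KDF named by `alg` with the parameters encoded in `params`."""
    if alg == PBKDF2_ID:
        return hashlib.pbkdf2_hmac("sha256", password, salt, int(params), dklen=DKLEN)
    if alg == SCRYPT_ID:
        kv = dict(item.split("=", 1) for item in params.split(","))
        return hashlib.scrypt(password, salt=salt, n=int(kv["n"]), r=int(kv["r"]),
                              p=int(kv["p"]), dklen=DKLEN)
    raise ValueError(f"unknown algorithm identifier: {alg}")


def hash_password(password: str, alg: str = PREFERRED,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: $<alg>$<params>$<salt hex>$<hash hex>."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    if alg == PBKDF2_ID:
        params = str(PBKDF2_ITERATIONS)
    elif alg == SCRYPT_ID:
        params = f"n={SCRYPT_N},r={SCRYPT_R},p={SCRYPT_P}"
    else:
        raise ValueError(f"unknown algorithm identifier: {alg}")
    digest = _derive(alg, params, password.encode("utf-8"), salt)
    return f"${alg}${params}${salt.hex()}${digest.hex()}"


def _parse(record: str) -> Tuple[str, str, bytes, bytes]:
    """Split a record into (alg, params, salt, digest); raises ValueError if malformed."""
    fields = record.split("$")
    if len(fields) != 5 or fields[0] != "":
        raise ValueError("malformed password record")
    _, alg, params, salt_hex, digest_hex = fields
    return alg, params, bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute with whatever algorithm the record names; compare in constant time."""
    try:
        alg, params, salt, expected = _parse(record)
        actual = _derive(alg, params, password.encode("utf-8"), salt)
    except (ValueError, KeyError):
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when the record was not produced with the PREFERRED algorithm."""
    try:
        alg, _, _, _ = _parse(record)
    except ValueError:
        return True
    return alg != PREFERRED


def verify_and_upgrade(password: str, record: str) -> Tuple[bool, str]:
    """Login-time migration: on a successful check, re-hash with PREFERRED if needed.

    Returns (ok, record_to_store). The plaintext is only available at login,
    so that is the one moment an old record can be migrated.
    """
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        return True, hash_password(password)
    return True, record


if __name__ == "__main__":
    old = hash_password("correct horse battery staple", alg=PBKDF2_ID)
    ok, new = verify_and_upgrade("correct horse battery staple", old)
    print(old.split("$")[1], "->", new.split("$")[1], "ok =", ok)
```

Because the algorithm identifier travels with the record, a database can hold PBKDF2 and scrypt entries side by side during a migration and no flag day is needed; records that never log in again simply stay on the old algorithm, which is the usual argument for also retiring stale accounts.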