Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20121123055141.GA5167@openwall.com>
Date: Fri, 23 Nov 2012 09:51:41 +0400
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, john-users@...ts.openwall.com
Subject: New in password hashing: ROM-port-hard functions (ZeroNights 2012 slides)

Hi,

As those who follow me (@solardiz) or @Openwall on Twitter already know,
I made a lightning talk at ZeroNights conference in Moscow on Nov 19-20:

http://2012.zeronights.org/fasttrack#peslyak

The topic was new developments in password hashing - in a sense, this
talk was continuation to my PHDays and YaC talks earlier this year.
This time, I focused on use of standard server hardware - gigabytes of
RAM and SSDs.

Here are the slides:

http://www.openwall.com/presentations/ZeroNights2012-New-In-Password-Hashing/

Here are the relevant comment threads on reddit:

http://www.reddit.com/r/netsec/duplicates/13mrle/new_developments_in_password_hashing_romporthard/
http://www.reddit.com/r/crypto/comments/13ms4e/new_developments_in_password_hashing_romporthard/

(some comments on r/netsec, but none on r/crypto at this time).

Here is the abstract:

Like it or not, password authentication remains relevant (including when
used as one of several authentication factors), and password hash
database leaks remain a risk.  To mitigate the risk impact,
computationally expensive (bcrypt, PBKDF2) and more recently also
memory-hard (scrypt) password hashing methods have been introduced.
Unfortunately, at relatively low target running time and with the need
to perform multiple authentication attempts concurrently, scrypt's
memory cost ends up being unreasonably low, up to the point where scrypt
may not be better than the much older bcrypt.  In my talk, I propose and
discuss the pros and cons of an alternative approach, where an
arbitrarily large lookup table may be used along with any target running
time and in parallel by multiple concurrent authentication attempts.
With contemporary server hardware, the lookup table may occupy tens of
gigabytes of RAM (using it as a site-specific ROM), which limits
attackers' use of pre-existing hardware (such as botnet nodes), thereby
buying the defender time.  Further development of the approach is in use
of not only RAM, but also SSDs and potentially even a NAS/SAN based on
SSDs.  This achieves goals similar to those of the "blind hashing"
concept, later dubbed "security through obesity", which was proposed
after the LinkedIn password hash leak this summer.

If you have comments, you may post those to the reddit threads or to the
crypt-dev mailing list (join it first), where I brought this idea up a
month ago:

http://www.openwall.com/lists/crypt-dev/2012/10/14/1

You may subscribe to crypt-dev here:

http://www.openwall.com/lists/#subscribe

As the name suggests, the crypt-dev list is for development of concepts
like this.

If you have questions relating to JtR in context of these future hashes,
you may post such questions to john-users, though.

Feedback is welcome.

Thanks,

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.