[Cryptography] Why don't we protect passwords properly?

[Krisztián Pintér]

Arnold Reinhold (at Tuesday, December 24, 2013, 6:21:29 AM):

> to substitute a better algorithm when it comes along. And is there
> any cryptographer out there who knows the algorithm and believes
> that scrypt could be weaker than PBKDF2? Seriously?

yep, plenty. for example all that knows the principle of not using
branching/indexing on secret. pbkdf2 does not do that, and therefore
safe against cache timing attacks. the same can not be said about
either bcrypt, which uses secret based s-boxes, but especially not
scrypt, which uses secret based memory access wildly.

one could also ask how safe it is to sprinkle the secret all over the
RAM, increasing the risk of getting swapped to disc, or being
recoverable by cold boot attack.

there is a lot to fear about scrypt. don't forget, we live in the era
of side channel attacks. the safety of scrypt against direct attacks
does not grant much in the real world.

to be totally safe, we would need a KDF that obeys all coding
standards, runs in constant time, executes the exact same operations
every time for every password, avoids using secret for indexing or
branching, does not write secret to physical RAM, preferably keeps any
secrets in the CPU, yet uses a large chunk of memory in a way that can
not be optimized away.

i don't think we have any other option than capturing djb, and not
letting him out of the basement until he comes up with a solution.