[Cryptography] Serious paranoia...

Bill Cox waywardgeek at gmail.com
Tue Dec 24 20:35:59 EST 2013


So, consensus seems to be that this is just paranoia.  I prefer that to the
thought that some poor guy actually has to spend time dealing with my dumb
posts to earn a living.

My next question is shills.  I often think I'm seeing potential shills, but
it's hard to tell a shill paid to subvert Internet security from the common
dork.  For example, on one of my other posts on this forum, "Why don't we
protect our passwords", I agree wholeheartedly with Arnold when today he
wrote:

"So why the lack of attention to KDFs? If one tenth the effort to replace
SHA-2 had been devoted to improving password storage, the benefits to
industry and the public would be far greater than anything we can expect
from SHA-3.  While I'm glad to hear that there is at last a
password-hashing competition (password-hashing.net), scrypt is available
now. As long as an algorithm identifier is included in a password database,
it's easy to substitute a better algorithm when it comes along. And is
there any cryptographer out there who knows the algorithm and believes that
scrypt could be weaker than PBKDF2? Seriously?"

In response, Krisztián Pintér wrote:

"> to substitute a better algorithm when it comes along. And is there
> any cryptographer out there who knows the algorithm and believes
> that scrypt could be weaker than PBKDF2? Seriously?

yep, plenty. for example all who know the principle of not using
branching/indexing on secret. pbkdf2 does not do that, and is therefore
safe against cache timing attacks. the same cannot be said about
either bcrypt, which uses secret based s-boxes, but especially not
scrypt, which uses secret based memory access wildly.

one could also ask how safe it is to sprinkle the secret all over the
RAM, increasing the risk of getting swapped to disc, or being
recoverable by cold boot attack.

there is a lot to fear about scrypt. don't forget, we live in the era
of side channel attacks. the safety of scrypt against direct attacks
does not grant much in the real world."

I don't mean to call people names.  I'm only using Krisztián's post as a
recent example, of which there are many.  Krisztián Pintér clearly doesn't
want to switch to scrypt, which AFAIK any non-dork can tell improves
security against common real attacks, which far outweighs Krisztián's
concerns about side-channel attacks, and OMG, what was that crazy rant
about sprinkling secret data all over RAM?  It's just the output of a
respected stream cipher!  From where I'm sitting, Krisztián's position is
so lame, it makes me think he may be getting paid to spread FUD.

So, is Krisztián a dork or a shill?  Do we live in a world where we can't
chat intelligently about security because of NSA shills, or is the world
really full of that many dorks?
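Arnold's point about carrying an algorithm identifier in the password database, as an added illustration that is not part of this thread: each stored record names its scheme and parameters, so verification dispatches on the identifier and a successful login under an older scheme yields a fresh record under the current one. The record format, the scheme names and the parameters below are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed record layout: $<scheme>$<params...>$<salt-b64>$<hash-b64>
CURRENT_SCHEME = "scrypt"


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def hash_password(password: str, scheme: str = CURRENT_SCHEME,
                  salt: Optional[bytes] = None) -> str:
    """Hash under the named scheme and tag the record with its identifier."""
    salt = salt or os.urandom(16)
    if scheme == "pbkdf2-sha256":
        iters = 100_000  # example iteration count, not a recommendation
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters, dklen=32)
        return f"$pbkdf2-sha256${iters}${_b64(salt)}${_b64(dk)}"
    if scheme == "scrypt":
        n, r, p = 2 ** 14, 8, 1  # 16 MiB working set; example parameters
        dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
        return f"$scrypt${n}${r}${p}${_b64(salt)}${_b64(dk)}"
    raise ValueError(f"unknown scheme {scheme!r}")


def verify_password(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, upgraded_record). upgraded_record is a new hash under
    CURRENT_SCHEME when the stored record uses an older scheme, else None."""
    fields = record.split("$")[1:]
    scheme = fields[0]
    if scheme == "pbkdf2-sha256":
        iters = int(fields[1])
        salt, dk = base64.b64decode(fields[2]), base64.b64decode(fields[3])
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters, dklen=len(dk))
    elif scheme == "scrypt":
        n, r, p = (int(x) for x in fields[1:4])
        salt, dk = base64.b64decode(fields[4]), base64.b64decode(fields[5])
        cand = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=len(dk))
    else:
        return False, None  # unknown identifier: refuse rather than guess
    if not hmac.compare_digest(cand, dk):  # constant-time comparison
        return False, None
    upgraded = hash_password(password) if scheme != CURRENT_SCHEME else None
    return True, upgraded
```

Rehashing only happens on a correct login, because that is the only moment the server holds the plaintext needed to produce the new record.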