[Cryptography] Why don't we protect passwords properly?

Bill Frantz frantz at pwpconsult.com
Tue Dec 24 23:25:03 EST 2013


On 12/25/13 at 4:37 PM, pinterkr at gmail.com (Krisztián Pintér) wrote:

>attackers will use whatever they can. and i'm betting a thousand bucks
>on filling the RAM with sensitive data will be an attack vector sooner
>or later.

Possibly correct, but only if it is a cheaper attack than 
others. There are so many cheaper attacks that this attack is 
only a long-range consideration. It's an interesting intellectual 
challenge, but not yet of practical importance.


>>The cold boot attack goes away if you leave your device off
>
>it is not satisfactory to list the situations in which an attack is
>not feasible. we want to know when it is.

OK, when is the cold boot attack a practical attack?


>>Swap encryption is the sweet spot of cryptography
>
>swap encryption is nice, but attacks against memory are not limited to
>that...

The original question was attacks against swap images on disk. 
Encryption prevents that attack and is available on many systems 
by checking an option.


>RAM is shared on HW level between CPUs, very hard to protect on
>a VM, data travels on the bus which emits EM, etc...

In general, protecting one VM from another VM running on the 
same hardware is a hard problem. As with many things in life, if 
it hurts, don't do it.

Probably the best approach is to provide virtual clocks to 
prevent timing attacks. Tough luck for timestamping and random 
number generation though. Probably you can allow timestamping 
accurate to the second if you don't use the secret too 
frequently. Random numbers can be provided through virtual 
hardware random number generators, but addressing all the 
justified paranoia in this area will require examining the whole 
system from hardware to final use.

EM attacks can be interesting practical attacks, but Tempest 
packaging prevents them. While we are worrying about this style 
of attack, let's consider the nanotech quadcopter the size of a 
dust mote which can look over our shoulders and monitor our key 
strokes. That device is probably not too many years in the future.


>>These attacks pale into insignificance compared with the known
>>attacks on passwords.
>
>i would agree that these are less important issues than password
>stretching...

Password stretching can only limit certain attacks. It does 
nothing to limit attacks involving compromise of a site's 
password file and the ensuing damage. The tendency of people to 
use the same or similar passwords on multiple sites makes this 
attack quite effective.

Working to eliminate passwords entirely seems to me to be a much 
better approach. We could use client side TLS certs today, but 
there are probably better solutions.

As an aside, and if you decide to respond to this paragraph, 
please fork a new subject: Does there need to be a revenue model 
which can support a business to get wide adoption for a security 
technology? The revenue for CA certs certainly has encouraged a 
number of businesses to support the CA model for TLS security. 
This support is evidenced by standards body participation and PR flacks.

Cheers - Bill

---------------------------------------------------------------------------
Bill Frantz        | Re: Computer reliability, performance, and security:
408-356-8506       | The guy who *is* wearing a parachute is *not* the
www.pwpconsult.com | first to reach the ground.  - Terence Kelly


