[Cryptography] Serious paranoia...

Theodore Ts'o tytso at mit.edu
Thu Dec 26 19:02:51 EST 2013


On Thu, Dec 26, 2013 at 09:14:34PM +0100, Krisztián Pintér wrote:
> obviously, these are very contrived situations. but far from being
> impossible. the question is not whether it is an issue or not. the
> question is, how serious the threat is and what can we do about it. if
> the solution is costly, we might accept the threat as a trade off, for
> the time being. but it does not make the issue nonexistent. we can
> still aspire to find a solution that does not have this attack angle.
> we should aspire.
> 
> and that was my point. i would like to see an algorithm that is memory
> hard, but the data written to the memory is scrambled by some random
> parameter. i can design such an algorithm, it is not that hard. the
> problem is, we need to do that effectively and in a way that does not
> grant advantage to the bad guys.

I think the creation of such an algorithm would make for a wonderful
academic publication, and I would think it meets the "minimal
publishable unit" that academic publishing venues and tenure boards
care about.  So certainly, having an algorithm which has certain
superior characteristics, such as being hard to brute force back to
text password even in the face of hardware acceleration, protection
from cache attacks and swap attacks, etc., would certainly be better
than a KDF that doesn't have these properties.

There is a separate question, though, which is whether this threat is
significant enough that it is changing the current deployed base to
use it.  But I don't think this is a discussion that can be made
generally, which is how the discussion has been running on the list as
of late --- for example, the subject line "Why don't we protect
passwords properly?"

I suspect the discussion would be more productive if it were more
tightly focused --- for example, changing the string-to-key function
used by ssh to protect its private key file, versus changing the
string-to-key function for PPP CHAP authentication, etc.  The cost and
the benefits for making this change are quite different.

But first, if you think it's easy, sure, propose a new KDF that you
think is superior.  Get it peer reviewed, and you'll probably even get
a paper out of it.  The next question is whether people will consider
it worthwhile to transition to it, given all of the other threats they
need to worry about, and how much time and energy they have to devote
to this threat (as compared to other threats or other features that
they would like to implement).

Regards,

						- Ted

P.S.  I was re-reading one of Jerry Leichter's recent messages:

http://www.metzdowd.com/pipermail/cryptography/2013-December/019247.html

And I think this really strikes at the heart of the problem.  His
concluding paragraph:

    So I expect to see many more discussions about security wandering, as
    we're no longer certain about what security means.  Yes, worthwhile
    security debates start with a definition of the attacks to be defended
    against; or, even better, of the risks and costs associated with
    different attacks and defenses.  But given the huge spectrum of
    entirely different classes of risks, and the very different
    likelihoods and costs different people will assign to them ... to
    accept agreement on what are, at base, the *goals* is increasingly
    folly.
