[Cryptography] A modification to scrypt to reduce side channel risk

Bill Cox waywardgeek at gmail.com
Fri Dec 27 09:59:04 EST 2013


D'oh!  The data written to memory MUST rely on the password!  This was a
good idea (the topic of this thread), but we require both the salt and
password to initialize memory.

The reason is simple, and now I feel dumb (happens a lot I'm afraid).
After initializing memory just based on salt, we take a random walk
through memory just based on salt to pick data to hash.  An attacker just
feeds the resulting hash stream to a million super-cheap password guessers,
none of which need significant memory.

Maybe this is what you guys meant when you said step 3 can be done in
parallel.

In any case, we must initialize memory with the intermediate derived key,
but we don't have to rely on the password to generate the random walk.  We
can do that with just the salt, and I think that results in better security
against timing attacks.
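A toy model of the two variants discussed in this post, added here as an illustration (my own example, not the author's code and not real scrypt). Both variants drive the random walk from the salt alone, so the memory access pattern is password-independent either way; the only difference is whether the memory contents depend on an intermediate key derived from the password. The passwords and salt below are constructed sample values.

```python
import hashlib


def _h(*parts):
    """SHA-256 over the concatenated parts (toy stand-in for scrypt's block mixing)."""
    return hashlib.sha256(b"".join(parts)).digest()


def fill_memory(seed, n_blocks):
    """Sequential fill: block i = H(block i-1), starting from `seed`."""
    mem, cur = [], seed
    for _ in range(n_blocks):
        cur = _h(cur)
        mem.append(cur)
    return mem


def walk_indices(salt, n_blocks, steps):
    """Salt-only random walk: the index sequence never depends on the password,
    which is the data-independent access pattern wanted against timing attacks."""
    idx, cur = [], salt
    for _ in range(steps):
        cur = _h(cur)
        idx.append(int.from_bytes(cur[:4], "big") % n_blocks)
    return idx


def toy_kdf(password, salt, salt_only_fill, n_blocks=64, steps=32):
    """Return (indices, hash stream, final output).
    salt_only_fill=True  -> flawed variant: memory seeded from the salt alone.
    salt_only_fill=False -> corrected variant: memory seeded from an intermediate
                            key derived from password and salt (PBKDF2 stand-in)."""
    seed = salt if salt_only_fill else _h(password, salt)
    mem = fill_memory(seed, n_blocks)
    idx = walk_indices(salt, n_blocks, steps)
    stream = [mem[i] for i in idx]   # the "hash stream" read out of memory
    final = _h(password, *stream)    # cheap finishing step, no memory needed
    return idx, stream, final


def compare(pw_a, pw_b, salt, salt_only_fill):
    """Which parts of the computation are shared between two different passwords?"""
    ia, sa, fa = toy_kdf(pw_a, salt, salt_only_fill)
    ib, sb, fb = toy_kdf(pw_b, salt, salt_only_fill)
    return {"same_indices": ia == ib, "same_stream": sa == sb, "same_output": fa == fb}


if __name__ == "__main__":
    # Flawed: the whole memory-hard stream is shared across guesses and can be
    # computed once; each guess then costs only the final hash. Corrected: only
    # the access pattern is shared, the stream itself differs per password.
    print("salt-only fill:", compare(b"hunter2", b"letmein", b"salt", True))
    print("password fill: ", compare(b"hunter2", b"letmein", b"salt", False))
```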