On Wed, Oct 25, 2017 at 07:36:54PM +0200, Björn Haase wrote:
> So to better understand your point, if for example the hash of the password has n bits of effective security, say 128, then we would leak one bit of the hash (not the password itself), correct? Put differently, how could this information practically be exploited? Is it a realistic attack today or e.g. a potential weakness that could be attacked using a quantum computer and a nuclear power plant in e.g. 20 years from now?
>
> As Mike has pointed out, the attack is completely realistic if you are incorporating either a session-specific random value or a salt. You will be leaking one bit per sniffed login. After listening to 5-20 logins the attacker will be able to mount an offline attack.

I'd like to understand this attack better (the description above is
pretty surprising to me), is there a canonical treatment or a phrase I
should look up in the literature?

-andy
_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves
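To make the "one bit per sniffed login, 5-20 logins, then offline attack" argument quoted above concrete, here is a toy model added to this archive page (not code from the thread or from any protocol discussed on the list). The salt, candidate dictionary and leak predicate are all constructed; the predicate stands in for whatever bit the real protocol exposes, and the only property used is that each login reveals one bit that depends on the password hash and a fresh nonce.

```python
import hashlib
import secrets

# Toy model (added here, not from the thread) of the leak discussed above:
# every login mixes in a fresh nonce, and the eavesdropper learns one bit
# that depends only on (password hash, nonce). The predicate below is a
# constructed stand-in for whatever the real protocol exposes; the point
# is how fast "one bit per login" erodes a dictionary in an offline pass.

def password_hash(password: str, salt: bytes) -> bytes:
    """Placeholder for the protocol's password hash (assumed SHA-256 for brevity)."""
    return hashlib.sha256(salt + password.encode()).digest()

def leaked_bit(pw_hash: bytes, nonce: bytes) -> int:
    """Constructed leak predicate: low bit of H(pw_hash || nonce)."""
    return hashlib.sha256(pw_hash + nonce).digest()[-1] & 1

def observe_logins(password: str, salt: bytes, nonces):
    """What a passive listener records: one (nonce, leaked bit) pair per login."""
    pw_hash = password_hash(password, salt)
    return [(n, leaked_bit(pw_hash, n)) for n in nonces]

def offline_filter(candidates, salt: bytes, observations):
    """Offline dictionary pass: keep only candidates consistent with every leaked bit."""
    survivors = []
    for cand in candidates:
        h = password_hash(cand, salt)
        if all(leaked_bit(h, n) == bit for n, bit in observations):
            survivors.append(cand)
    return survivors

def logins_needed(dictionary_size: int) -> int:
    """Leaked bits needed to single out one of N equally likely candidates: ceil(log2 N)."""
    return max(0, dictionary_size - 1).bit_length()

if __name__ == "__main__":
    salt = b"constructed-salt"
    dictionary = [f"pw{i}" for i in range(1 << 10)]  # 1024 constructed candidates
    secret_pw = dictionary[123]
    for k in (0, 5, 10, 20):
        obs = observe_logins(secret_pw, salt, [secrets.token_bytes(16) for _ in range(k)])
        left = len(offline_filter(dictionary, salt, obs))
        print(f"{k:2d} logins observed -> {left} candidates still consistent")
    print("bits needed for 1024 candidates:", logins_needed(1024))
```

The halving per observed login is why a per-login bit leak defeats even a slow, salted password hash: the cost of the offline pass is one hash per candidate, and roughly log2(dictionary size) logins (5 for 32 candidates, 20 for about a million) fix the password.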