Mention garbage-collector attacks
samuel-lucas6 committed Nov 16, 2024
1 parent d04bf44 commit 66c883c
Showing 1 changed file with 25 additions and 0 deletions.
25 changes: 25 additions & 0 deletions draft-lucas-bkdf.md
Expand Up @@ -71,6 +71,29 @@ informative:
org: The OpenBSD Project
date: 1999

FLLW15:
title: "Overview of the Candidates for the Password Hashing Competition"
rc: "Technology and Practice of Passwords. PASSWORDS 2014. Lecture Notes in Computer Science(), vol 9393, pp. 3–18"
target: https://doi.org/10.1007/978-3-319-24192-0_1
author:
-
ins: C. Forler
name: Christian Forler
org: Bauhaus-Universität Weimar
-
ins: E. List
name: Eik List
org: Bauhaus-Universität Weimar
-
ins: S. Lucks
name: Stefan Lucks
org: Bauhaus-Universität Weimar
-
ins: J. Wenzel
name: Jakob Wenzel
org: Bauhaus-Universität Weimar
date: 2015

BCS16:
title: "Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks"
rc: "Cryptology ePrint Archive, Paper 2016/027"
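Review bot: the `rc` value of the new FLLW15 entry carries a stray empty `()` after "Lecture Notes in Computer Science", which looks copied from the publisher's citation string and will render verbatim in the references section; drop it so the line reads `rc: "Technology and Practice of Passwords. PASSWORDS 2014. Lecture Notes in Computer Science, vol 9393, pp. 3–18"`. The rest of the entry (four authors with `ins`/`name`/`org`, DOI target, 2015 date) follows the same shape as the neighbouring BCS16 entry, so no other change needed.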
Expand Down Expand Up @@ -487,6 +510,8 @@ Balloon has been proven sequentially memory-hard in the random-oracle model, mak

Balloon also uses a password-independent memory access pattern to prevent side-channel attacks leaking information about the password {{BCS16}}. This property is especially relevant in cloud computing environments where multiple users can share the same physical machine. However, no function that uses a password-independent memory access pattern can be optimally memory-hard in the parallel setting.

BKDF is not vulnerable to garbage-collector attacks since the internal state is overwritten {{FLLW15}}. However, it can be vulnerable to weak garbage-collector attacks because the key derived from the password is kept in memory throughout the algorithm. Even if you cache the hash function state after processing the key and zero the key, this attack is still possible. The only prevention is to use a pepper and zero that from memory immediately after processing it. With that said, the password is likely to remain in memory anyway, rendering this attack unnecessary.

The approach to parallelism is subject to a tradeoff, namely an adversary can do sequential calls to the BalloonCore function to avoid increasing the memory usage, keeping the time-area product constant. This is deemed acceptable because parallelism is often not used in practice and avoiding this would complicate the design.

Unlike password hashing algorithms such as bcrypt {{PM99}}, which perform many small and fast pseudorandom reads, BKDF is not cache-hard. Whilst there are no known publications on cache-hardness at the time of writing, it is reported to provide better GPU resistance than memory-hardness for shorter delays (e.g. < 1000 ms). This is because such algorithms force GPUs to use less memory bandwidth because of their large bus width (typically 256 to 1024 bits). Assuming GPUs are primarily used for password cracking, this makes cache-hard algorithms ideal for authentication scenarios especially.
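Review bot: the closing sentence of the new garbage-collector paragraph, "rendering this attack unnecessary", is unclear about what is unnecessary; the preceding sentences argue that the attack is possible unless a pepper is used and zeroed, so the intended point seems to be that the password itself usually remains in memory anyway, which makes the pepper mitigation moot rather than the attack unnecessary. Suggest rewording to something like "With that said, the password is likely to remain in memory anyway, so this mitigation offers little in practice." The same paragraph also switches to second person ("Even if you cache the hash function state"), whereas the surrounding security-considerations text is written impersonally ("Balloon also uses", "BKDF is not"); consider "Even if the hash function state is cached after processing the key and the key is zeroed, this attack remains possible." Finally, "The only prevention is to use a pepper" is a strong claim for a draft; stating it as "The only prevention identified here" or citing {{FLLW15}} at that sentence would keep it traceable.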