Re: compare-by-hash (was Re: sharing /etc/passwd)

From: Colin Percival (cperciva_at_wadham.ox.ac.uk)
Date: 09/27/04

    Date: Mon, 27 Sep 2004 07:13:56 -0700
    To: Giorgos Keramidas <keramida@freebsd.org>


    Giorgos Keramidas wrote:
    > Increasing the number of bits the hash key uses will decrease the
    > possibility of a collision but never eliminate it entirely, AFAICT.

    How small does a chance of error need to be before you're willing to
    ignore it?

    > What I pointed out was that when a non-zero possibility of two data
    > blocks comparing as equal (even though they are not) exists, the method
    > in question should not be used for password data or other sensitive bits
    > of information. A larger hash key will never yield a possibility of
    > zero, so it doesn't mean that you can sleep untroubled at night while
    > the rsync server overwrites /etc/*pwd.db files periodically.

    If an appropriately strong hash is used (eg, SHA1), then the probability
    of obtaining an incorrect /etc/*pwd.db with a correct hash is much
    smaller than the probability of a random incorrect password being
    accepted. Remember, passwords are stored by their MD5 hashes, so a
    random password has a 2^(-128) chance of working.

    If, on the other hand, you're concerned about accidentally locking
    yourself out of the server as a result of an undetected mangling of the
    password database... you should be more worried about the server, and
    all your backups, being simultaneously hit by lightning. :-)

    Colin Percival
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
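As an added example (not code from the thread or from rsync), the two collision figures this exchange turns on, under an assumed rsync-style block model and an idealised random hash: the chance that one specific wrong block carries the correct digest, and the birthday-bound chance that any two of the n blocks involved share a digest, each placed next to the 2^(-128) random-password yardstick from the reply. The block count, the 1 KiB block size and the log-domain arithmetic are my assumptions.

```python
import math

PASSWORD_GUESS_BITS = 128  # the reply's yardstick: an MD5 password hash

def log2_single_target(hash_bits: int) -> float:
    """log2 of the chance that one specific wrong block carries the
    digest of the correct block (one random hit on one target)."""
    return -float(hash_bits)

def log2_birthday(n_blocks: int, hash_bits: int) -> float:
    """log2 of the birthday-bound chance that at least one pair among
    n_blocks distinct blocks shares a hash_bits-bit digest."""
    if n_blocks < 2:
        return -math.inf
    # expected colliding pairs C(n,2) / 2^b, kept as a log2 value
    log2_lam = math.log2(n_blocks) + math.log2(n_blocks - 1) - 1 - hash_bits
    if log2_lam < -40:
        return log2_lam  # 1 - exp(-lam) == lam well past double precision
    if log2_lam > 60:
        return 0.0       # a collision is essentially certain
    return math.log2(-math.expm1(-(2.0 ** log2_lam)))

def margin_bits(log2_p: float) -> float:
    """Bits by which log2_p sits below 2^-128 (positive: rarer than a
    random password being accepted, negative: more likely)."""
    return -PASSWORD_GUESS_BITS - log2_p

def report(n_blocks: int, hash_bits: int) -> dict:
    """Both figures for a file of n_blocks blocks (assumed rsync block
    model) compared under a hash_bits-bit digest."""
    single = log2_single_target(hash_bits)
    pair = log2_birthday(n_blocks, hash_bits)
    return {
        "single_target_log2": single,
        "single_target_margin_bits": margin_bits(single),
        "any_pair_log2": pair,
        "any_pair_margin_bits": margin_bits(pair),
    }

if __name__ == "__main__":
    # Constructed scenario: a ~1 MiB database split into 1024 blocks
    for bits, name in ((128, "MD4/MD5"), (160, "SHA1"), (256, "SHA-256")):
        r = report(1024, bits)
        print(f"{name:8} one target 2^{r['single_target_log2']:.0f}"
              f" (margin {r['single_target_margin_bits']:+.1f} bits);"
              f" any pair 2^{r['any_pair_log2']:.1f}"
              f" (margin {r['any_pair_margin_bits']:+.1f} bits)")
```

The single-target figure is the one the reply compares against a random password; the any-pair figure grows with the square of the block count, which is what makes a larger digest the only lever once the data set is fixed.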

