Re: compare-by-hash (was Re: sharing /etc/passwd)

From: Alex de Kruijff (freebsd_at_akruijff.dds.nl)
Date: 10/05/04

  • Next message: Jacques A. Vidrine: "Re: FreeBSD Security Advisory FreeBSD-SA-04:15.syscons" 
    Date: Tue, 05 Oct 2004 08:29:19 +0200
To: Giorgos Keramidas <keramida@linux.gr>

    On Tue, Sep 28, 2004 at 12:05:51PM +0300, Giorgos Keramidas wrote:
    > On 2004-09-27 07:13, Colin Percival <cperciva@wadham.ox.ac.uk> wrote:
    > > Giorgos Keramidas wrote:
    > > >Increasing the number of bits the hash key uses will decrease the
    > > >possibility of a collision but never eliminate it entirely, AFAICT.
    > >
    > > How small does a chance of error need to be before you're willing to
    > > ignore it?
    >
    > That's a good question. I'm not sure I have a definitive answer, but
    > the possibility of a collision is indeed scary. Especially since I
    > haven't seen a study of the real probability of a collition is, given
    > the fact that passwords aren't (normally) random binary data but a
    > much smaller subset of the universe being hashed.

    I could be wrong but arn't hash values more random dan anything a user
    can in put.

    > > If an appropriately strong hash is used (eg, SHA1), then the probability
    > > of obtaining an incorrect /etc/*pwd.db with a correct hash is much
    > > smaller than the probability of a random incorrect password being
    > > accepted. Remember, passwords are stored by their MD5 hashes, so a
    > > random password has a 2^(-128) chance of working.
    >
    > I was probably being unreasonably paranoid about 'modified' passwords
    > that don't get detected as modified, but what you describe is also
    > true.

    You could simply scp these few files afther the rsync. There's files
    aren't that large. 

    -- 
Alex
Articles based on solutions that I use:
http://www.kruijff.org/alex/FreeBSD/
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
  • Next message: Jacques A. Vidrine: "Re: FreeBSD Security Advisory FreeBSD-SA-04:15.syscons"

    Relevant Pages

    • Re: compare-by-hash (was Re: sharing /etc/passwd)
      ... >>possibility of a collision but never eliminate it entirely, ... > How small does a chance of error need to be before you're willing to ... haven't seen a study of the real probability of a collition is, ... Remember, passwords are stored by their MD5 hashes, so a ...
      (FreeBSD-Security)
    • Re: FireFox
      ... install stuff I do not want, have told it not to do it, and then does ... passwords. ... Same as your last question, it does, but you didn't give it a chance. ...
      (misc.news.internet.discuss)
    • Re: OT - busy Wi-fi light
      ... not just having passwords on the devices you're using. ... and it's not overly expensive kit either - hell, half of it can be home- ... WPA encryption is pretty damned secure if your system supports it. ... from quarter of a mile away would have a better chance, ...
      (uk.media.tv.misc)
    • Re: How to deal with reports of software errors
      ... Even assuming that anonymity is feasible, ... you are blinded by the chance of huge publicity, ... As for the passwords and keys, ... there is always the question of rubber hose cryptoanalysis. ...
      (alt.sysadmin.recovery)
    • Re: Word Doc. password
      ... Short of hypnosis there is little chance of accessing these documents. ... Web site www.gmayor.com Word MVP web site www.mvps.org/word ... Mona wrote:> Hi I lost my notebook with passwords for words doc. ...
      (microsoft.public.word.docmanagement)