Re: [Full-disclosure] Re: choice-point screw-up and secure hashes

Valdis.Kletnieks_at_vt.edu
Date: 03/19/05

    To: Atom Smasher <atom@smasher.org>
    Date: Sat, 19 Mar 2005 17:38:09 -0500

    On Sat, 19 Mar 2005 13:34:53 EST, Atom Smasher said:

    > tell ya what... here's my SSN hashed with a salt:
    > e36c98b34d5ba979fb0bf0c64dc7b3a66c9ce841437d6460390e6380810f1440
    >
    > as soon as you recover my SSN, just let me know.

    Tell you what - give me the salt and the hash algorithm, and it will be
    quick work indeed.

    Remember that the company probably needs an *invertible* function as they need to
    be able to access the original value, so the trick of "hash the SSN and see if
    you get the same to compare for equality" isn't usable. You can use a one-way
    function if the only question is "Is 109-00-4368 the SSN for Customer XYZ?". If
    you need to be able to answer "What is Customer XYZ's SSN?" you need an invertible
    function. And if you ever do a database JOIN based on SSN, you need the SSN.

    And the sad fact is that if the company's servers are compromised sufficiently
    to recover the hashed SSN, they're almost certainly compromised sufficiently to
    allow the theft of the software that handles the forward and reverse hashing.
    So considering the salt and the algorithm secure if the hash has been compromised
    is probably a bad idea.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
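Added illustration of the point made in the message above (this code is not from the thread or any of its participants): the thread never names the hash algorithm, so salted SHA-256 over the nine SSN digits is an assumed scheme, chosen because the quoted hash is 64 hex characters. The one-way function answers only "is this the customer's SSN?", and once the salt and algorithm are known the 10**9-value SSN space is small enough to walk; the salt, the SSN and the demo ranges are constructed values.

```python
import hashlib
import os
import time

SSN_SPACE = 10 ** 9  # nine decimal digits; the whole candidate space


def hash_ssn(ssn: str, salt: bytes) -> str:
    """Assumed one-way scheme: SHA-256 over salt || SSN digits (hyphens ignored)."""
    digits = ssn.replace("-", "")
    return hashlib.sha256(salt + digits.encode()).hexdigest()


def is_ssn_for_customer(candidate: str, salt: bytes, stored: str) -> bool:
    """The only question a one-way function can answer: equality with a known value."""
    return hash_ssn(candidate, salt) == stored


def recover_by_enumeration(stored: str, salt: bytes, lo: int, hi: int):
    """With salt and algorithm in hand, walk candidates lo..hi-1 and return the
    formatted match, or None. The full space is only SSN_SPACE values."""
    for n in range(lo, hi):
        digits = f"{n:09d}"
        if hashlib.sha256(salt + digits.encode()).hexdigest() == stored:
            return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"
    return None


def estimate_full_search_seconds(salt: bytes, sample: int = 20000) -> float:
    """Time a sample of the enumeration and scale it to the whole SSN space."""
    t0 = time.perf_counter()
    for n in range(sample):
        hashlib.sha256(salt + f"{n:09d}".encode()).hexdigest()
    per_hash = (time.perf_counter() - t0) / sample
    return per_hash * SSN_SPACE


if __name__ == "__main__":
    salt = os.urandom(16)               # constructed salt
    ssn = "109-00-4368"                 # the example value used in the message
    stored = hash_ssn(ssn, salt)
    assert is_ssn_for_customer(ssn, salt, stored)
    # demo range of 10**6 candidates; the real space is 10**3 times larger
    print(recover_by_enumeration(stored, salt, 109_000_000, 110_000_000))
    print(f"full search at this rate: ~{estimate_full_search_seconds(salt):.0f} s")
```

The timing estimate is for unoptimised Python; a native implementation or a GPU finishes the same 10**9 candidates far faster, which is why a leaked salt plus algorithm leaves nothing to protect.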