Re: Hashed password secure?
From: Joe C (jkc8289_at_bellsouth.net)
Date: 06/30/04
- Next message: Mok-Kong Shen: "Re: Manual hashing"
- Previous message: Mok-Kong Shen: "Re: How secure is SSL emails?"
- In reply to: Matthijs Hebly: "Re: Hashed password secure?"
- Next in thread: Bill Unruh: "Re: Hashed password secure?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 30 Jun 2004 01:02:44 -0400
"Matthijs Hebly" <heeb@iname.com> wrote in message
news:bimEc.26162$HY4.23980@amsnews03.chello.com...
> Tom St Denis wrote:
> > Question remains: Why are you inventing your own crypto? If it's for
fun
> > you realize that you shouldn't use it in the field right?
> Yes.
>
> > I mean as responsible adults we have to take best measures [even if they
turn out to
> > be wrong later on].
> I admit to be an absolute crypto-newbie, but that doesn't mean I'm
> stupid, and it doesn't mean I can't have interesting ideas. Of course, I
> *can* have stupid ideas like the rest of us... That's the reason why I'm
> posting here and asking your professional opinions. I want to
> understand, learn, know. Like the rest of us.
> I was investigating the topic of "salt" some time ago, doing research on
> the internet, as I think it is important for the application I'm
> writing. I noticed that the salt is always stored, and I started
> wondering: why is this? Why store the salt, if you can actually use a
> *non-persistent* salt to your advantage? Namely in making it very much
> harder for an attacker to do a succesful dictionary attack.
> Maybe my idea is rediculous. But until now, I'm not convinced that it
> is. I think is could be, in some cases, a useful idea. Plz convince me
> otherwise!
>
> Thanx, to all of you here,
>
> Matthijs.
>
> P.S. I'm in europe, where it is *very* late, so: good night to you all :-)
G'd night, Mathis...
I, too, have written some crypto software that no one will ever be
interested in ;-) I've basically tried to learn the
vulnerabilities/problems that arise and circumvent them, without really
learning that much about other methods that have been used to defeat them.
I'm a moron by the sci.crypt standards, I'm sure... What I do is...
seed a PRNG with a hash of the (password + salt) + hash of the file to be
encrypted. Then I step the PRNG forward for ~1-second on the local machine,
before using the PRNG output to encrypt the file. I then prepend the
encrypted file with the unencrypted salt + unencrypted number of iterations
that were used to seed the PRNG + an encrypted (using a second PRNG seeded
with the hash of (pass + salt) and encrypted file hash. The reciever then
uses the hash of (password + salt) and the hash of the encrypted portion of
the file to seed a PRNG used to unencrypt the encrypted hash sent with the
file. He then seeds a second PRNG with the hash of (password + salt) and
hash of unencrypted file, which he steps forward the number of iterations
that required ~ 1 second on the encrypting platform, and uses the output of
the second PRNG to unencrypt the original file.
My rational/logic is that a pre-attack cannot be mounted for any given
message/password pair...and that each brute-force attack try will take ~1
second equivalent computation for the encrypting machine...which should
yield ordinary-length passwords sufficient iff the attacking computer has
similar (order of magnitude) computing capabilities when compared to the
encrypting machine.
Your method is to me an interesting case...where you force the unencrypting
computer to perform a brute-force of a particular difficulty. I see one
potential problem with your method as I understand it...you have
low-resolution control...the thing you are brute-forcing will be 0, 1, 2 3,
4, 5, 6, 7, 8...etc bytes long...whereas I have better resolution with the
number of iterations I choose.
Cheers
- Next message: Mok-Kong Shen: "Re: Manual hashing"
- Previous message: Mok-Kong Shen: "Re: How secure is SSL emails?"
- In reply to: Matthijs Hebly: "Re: Hashed password secure?"
- Next in thread: Bill Unruh: "Re: Hashed password secure?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
