Hosting Provided By

Re: SHA-1 vs. triple-DES for password encryption?

From: Ben Laurie <ben(at)algroup.co.uk>
Date: Tue Nov 12 2002 - 06:52:56 EST

>>> Additionally, even if there were no salt, then the attacker
>>> would have to see O(2^32) known password-hash pairs just to find a
>>> single collision.  That isn't a real-world scenario.
>>
>>
>> Surely that depends on the application?

>
>
> Assuming a 64-bit hash from a sound algorithm and a birthday attack, why
> would it depend on the application?

O(2^32) is not unattainable, even my debugging (hence, not using assembler optimisations) version of OpenSSL can do 60k SHA-1s a second, which is less than a day for 2^32 hashes...

So, if its worth spending a day finding a collision, its perfectly real-world - and yeah, a smart cookie would use iteration to make that harder, but even so, it seems likely to stay in reach for a determined attacker - hence the dependency on the application - it has to be worth the effort of finding a collision (which, as already noted, is unlikely when the collision is in passwords, but, since we still don't know what the passwords are for, not to be ruled out).

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       
http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

Received on Tue Nov 12 11:18:10 2002

This message: [ Message body ]
Next message: John Viega: "Re: SHA-1 vs. triple-DES for password encryption?"
Previous message: John Viega: "Re: SHA-1 vs. triple-DES for password encryption?"
In reply to: John Viega: "Re: SHA-1 vs. triple-DES for password encryption?"
Next in thread: John Viega: "Re: SHA-1 vs. triple-DES for password encryption?"
Reply: John Viega: "Re: SHA-1 vs. triple-DES for password encryption?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:44 EDT