Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: T Biehn (tbiehngmail.com)
Date: Mon Aug 10 2009 - 18:34:07 CDT
Thank you for the thoughtful analysis Raid. The hash and salt are both
known to the attacker :)
It looks like I'm going to have to settle with confounding efforts by
the man via increased hash computation cost.
On Mon, Aug 10, 2009 at 6:53 PM, <raidhushmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> On Mon, 10 Aug 2009 22:50:32 +0200 T Biehn <tbiehngmail.com> wrote:
>>I don't have control over the set. Sorry I wasn't more explicit
>>this. Although, it should have been obvious that the solution
>>to satisfy the conditions:
>>Data to one way hash.
>>The set has 9,999,999,999 members.
> if these are the only two conditions, I wonder why a static salt
> does not satisfy your requirements? If the salt is not publicly
> known, the procedure is secure in respect to the hash-function in
> So, suppose the third condition is the salt may be publicly known.
> Suppose, we have plaintext (alphabet E, length of alphabet s = |E|)
> with fixed length, say 'c' chars. So if you insert the salt at a
> random position, there are c+1 possibilities for the position of
> the salt. So the bruteforce attacker has to run c more tests than
> having the salt in a fixed position.
> Comparing the two procedures under a theoretically view, there isnt
> a significant difference in terms of runtime complexity:
> If the salt is not publicly known and at a fixed position,
> complexity (means: number of possible plaintexts) is at O(s**c).
> Your method only rises complexity by a constant factor: It's at O(
> (c+1) * s**c).
> Theoretically this is negligible: If it takes me 2 hours to
> bruteforce procedure 1 (fixed position), why bother about 20 hours
> computing for procedure 2?
> Practically it depends on your overall requirements.
> Besides, your procedure lowers the latch for DoS... at least
> slightly (same argument as above).
> So far, my two cents...
> -----BEGIN PGP SIGNATURE-----
> Charset: UTF8
> Version: Hush 3.0
> Note: This signature can be verified at https://www.hushtools.com/verify
> -----END PGP SIGNATURE-----
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
pgp http://pastebin.com/f6fd606da pgp
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/