Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Determining the encryption used

From: Phoebe Tunstall <foibey () gmail com>
Date: Fri, 12 May 2006 20:42:44 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 12 May 2006 12:48:48 -0400
Tim <tim-pentest () sentinelchicken org> wrote:


For the purpose of a one-way function, neither MD5 nor SHA1 has been
broken.  AFAIK, they are only vulnerable to collision attacks, not first
preimage or second preimage attacks, which rely on different properties.
Using these functions for specific purposes (such as hashing passwords)
is perfectly fine right now.


I'm don't know a lot about these matters, but I was under the impression that if a password verification system is 
checking passwords against a hash table, all you needed was a collision (as this would hash to the correct value in the 
table and the comparison of the two would return true).

Is this really naive?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFEZOU81vzgRTK71/IRAjBYAKDLJYVcBoZCQy3WR911TIlg5zcbgwCfRYen
W8wCDNBBA9HENfLAD/WOMPo=
=gjuD
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: