Penetration Testing mailing list archives
Re: Determining the encryption used
From: Tim <tim-pentest () sentinelchicken org>
Date: Sat, 13 May 2006 13:01:47 -0400
Hello Phoebe,
I'm don't know a lot about these matters, but I was under the impression that if a password verification system is checking passwords against a hash table, all you needed was a collision (as this would hash to the correct value in the table and the comparison of the two would return true).
Yes, any hash function will be subject to collisions on arbitrary inputs. However, the vulnerabilities found in MD5 and SHA1 don't involve taking an existing hash and generating collisions against it. They involve generating two seperate hashes which have a collision. This seems like a very minor distinction at first, but it is actually a very different type of attack. Normally it should be very difficult to generate any collision at all against secure hash functions, let alone using useful inputs.
Is this really naive?
Somewhat. A summary of the three desired properties of a hash function can be found here: http://en.wikipedia.org/wiki/Cryptographic_hash_function#Cryptographic_properties The collision attacks found can break the security of cryptographic signatures, since attackers potentially have control over multiple hash inputs. Where an attacker has control over only one input, (but knows the value of it), collisions can only be generated by breaking the second preimage property. Reversing a hash to an original unknown value, requires a (first) preimage attack. Collision attacks are much easier to conduct due to the birthday "paradox". Just because this property of a hash has been broken, doesn't mean the others have. HTH, tim ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ------------------------------------------------------------------------------
Current thread:
- Re: Determining the encryption used, (continued)
- Re: Determining the encryption used Art Cooper (May 12)
- Re: Determining the encryption used Tim (May 12)
- Re: Determining the encryption used Rodrigo Ramos (May 12)
- Re: Determining the encryption used Tim (May 12)
- Re: Determining the encryption used Byron Sonne (May 12)
- Re: Determining the encryption used Peter Kosinar (May 12)
- Re: Determining the encryption used Tonnerre Lombard (May 12)
- Re: Determining the encryption used Tim (May 12)
- Re: Determining the encryption used Phoebe Tunstall (May 12)
- Re: Determining the encryption used Peter Kosinar (May 13)
- Re: Determining the encryption used Tim (May 13)
- Re: Determining the encryption used Tim (May 12)
- RE: Determining the encryption used Sahir Hidayatullah (May 12)
- Re: Determining the encryption used thomas springer (May 12)
- Re: Determining the encryption used Dotzero (May 12)
- Re: Determining the encryption used iccs-abr (May 12)
- RE: Determining the encryption used Bob Bell (rtbell) (May 12)
- Re: Re: Determining the encryption used cwright (May 12)