Interesting People mailing list archives
Tech Review article about hashing passwords
From: David Farber <dave () farber net>
Date: Wed, 04 Aug 2004 14:52:49 -0400
Begin forwarded message:

From: "Bosley, John - BLS" <Bosley.John () bls gov>
Date: August 4, 2004 1:26:40 PM EDT
To: "'Dave Farber (farber () cis upenn edu)'" <farber () cis upenn edu>
Subject: Tech Review article about hashing passwords

For IP if deemed worthy

http://www.technologyreview.com/articles/04/08/wo_garfinkel080404.asp

John Bosley
Office of Survey Methods Research
Room 1950, Bureau of Labor Statistics
202-691-7514 fax 202-691-7426

Fingerprinting Your Files
"Hash" functions identify digital content with mathematical certainty—but is that enough to foil the hackers?
By Simson Garfinkel
The Net Effect, 8/04/2004

SUMMARY PRODUCED BY OS X

Wily hackers in Russia, China, and other countries send out piles of e-mail messages looking like they came from some financial institution such as Citibank or Paypal.... You're prompted to enter a username and password and then—wham—the hacker has the keys to your bank account.
...This makes memorization easier, but it means that an unscrupulous website operator can take a list of usernames and passwords from, say, an Internet sweepstakes site and use it to try to break into online bank accounts.
So Stanford cryptographers Blake Ross, Dan Boneh, and John Mitchell have designed a clever plug-in for Internet Explorer that solves this problem by scrambling what you type into the password field so every website sees a different password—a password that’s based both on what you type and on the domain of the website itself.
...The password scrambling method that the Stanford trio has devised is based on a mathematical function called a cryptographic hash—a kind of one-way function that transforms what the user types into a jumble of numbers and letters in a way that cannot be reversed. Because the Stanford system calculates the cryptographic hash of both the website’s domain and the user’s password, the hacker gets different passwords than the legitimate ones.
...When you type your password into the login screen, your browser takes your password, appends these characters provided by Yahoo!, and calculates the cryptographic hash of the resulting string.... Even if you are at a cybercafe having your Web traffic sniffed by Belgian hackers, there’s no way for the bad guys to take the resulting hash value and derive your original password.
...So that you can get an idea of how these fingerprinting functions work, we've embedded a JavaScript-based MD5 calculator below.
...The hash functions were envisioned as a kind of cryptographic compression system—a way to take a large file and crunch it down to a short string of letters and numbers.
...Because public-key cryptography involves a lot of heavy-duty math, hash functions make it almost as fast to sign an extremely long file as to sign a short file.
-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/