Penetration Testing mailing list archives
Re: Cryptographic Functions
From: Steve Friedl <steve () unixwiz net>
Date: Wed, 19 Aug 2009 12:53:32 -0700
On Wed, Aug 19, 2009 at 08:31:33AM +0200, M.D.Mufambisi wrote:
> Ok. Thanks. I have an SHA-1 hash of a file and the digest is
> DA39A3EE5E6B4B0D3255BFEF95601890AFD80709. Is this 160 bit? How does
> the output map to 160 bits?

That hash is 40 characters, and since each hex digit is 4 bits,
40 x 4 = 160 bits.

This might help:

An Illustrated Guide to Cryptographic Hashes
http://unixwiz.net/techtips/iguide-crypto-hashes.html

Steve

> On 8/18/09, Shailesh Rangari <shailesh.sf () gmail com> wrote:
>> Hi Munyaradzi,
>>
>> On Tue, Aug 18, 2009 at 2:02 PM, Jeffrey Walton <noloader () gmail com> wrote:
>>> Hi Munyaradzi,
>>>
>>>> When a passphrase is used as a key in symmetric cryptography, how does
>>>> the pass phrase map to the key in an algorithm like AES
>>>
>>> The passphrase should be derived using a KDF. KDFs include salts and
>>> iteration counts. Quite a few bodies offer guidance on KDFs - NIST,
>>> RFC, IETF, and ANSI to name a few.
>>>
>>>> how many letters correspond to 1 bit?
>>>
>>> Don't know what you are asking here. The KDF should provide sufficient
>>> 'mixing' such that no information can be gained from 1 bit of output
>>> (either 1 or 0 is equally probable). Otherwise, it's not a very good KDF.
>>
>> I second that. Also, assuming that a strong Hash Function is being used,
>> then it is difficult to ascertain how many letter(s) would correspond to
>> 1 bit - for one of the essential properties of a Hash Function is that it
>> takes in an 'Arbitrary' length of input (key, passphrase, message, etc.)
>> and converts it into a 'Unique', 'Fixed' length output (hash). A Key Len
>> of 128, 256, 512 Bit if hashed with SHA-1, then the output would
>> necessarily be 160 Bits only.
>>
>>> Jeff
>>>
>>> On 8/18/09, M.D.Mufambisi <mufambisi () gmail com> wrote:
>>>> Hello people.
>>>>
>>>> 1. When a passphrase is used as a key in symmetric cryptography, how
>>>> does the pass phrase map to the key in an algorithm like AES? i.e. how
>>>> many letters correspond to 1 bit? etc?
>>>>
>>>> Regards
>>>> Munyaradzi Mufambisi

--
Stephen J Friedl | Security Consultant | UNIX Wizard | 714 694-0494
steve () unixwiz net | Orange County, CA | Microsoft MVP | unixwiz.net

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
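
Added example, not part of the original messages: the two points in the thread worked through in Python. It decodes the quoted digest to show the 40 hex digits are 20 bytes (160 bits) and that this particular value is the SHA-1 of empty input, then derives an AES key from passphrases of different lengths. PBKDF2-HMAC-SHA256 is an assumed choice of KDF (the thread names none), and the salt, iteration count and passphrases are constructed for the demonstration.

```python
import hashlib
import hmac

# Digest quoted in the thread, written as hexadecimal text.
THREAD_DIGEST = "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"


def digest_bits(hex_digest: str) -> int:
    """Decode hex text to raw bytes (2 digits per byte) and count the bits."""
    return len(bytes.fromhex(hex_digest)) * 8


def is_sha1_of(data: bytes, hex_digest: str) -> bool:
    """True if hex_digest is the SHA-1 of data (constant-time comparison)."""
    return hmac.compare_digest(hashlib.sha1(data).digest(),
                               bytes.fromhex(hex_digest))


def derive_aes_key(passphrase: str, salt: bytes, iterations: int,
                   key_bits: int = 256) -> bytes:
    """PBKDF2-HMAC-SHA256: a passphrase of any length -> exactly key_bits."""
    if key_bits not in (128, 192, 256):
        raise ValueError("AES keys are 128, 192 or 256 bits")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=key_bits // 8)


def bit_difference(a: bytes, b: bytes) -> int:
    """Count the bit positions in which two equal-length keys differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    print("digest bits:", digest_bits(THREAD_DIGEST))
    print("SHA-1 of empty input:", is_sha1_of(b"", THREAD_DIGEST))

    salt = bytes(range(16))   # constructed so the run repeats; use os.urandom(16) in practice
    iterations = 10_000       # assumed, kept low so the demonstration is quick
    for phrase in ("pw", "px", "correct horse battery staple"):
        key = derive_aes_key(phrase, salt, iterations)
        print(f"{phrase!r:32} -> {len(key) * 8}-bit key {key.hex()}")

    k1 = derive_aes_key("pw", salt, iterations)
    k2 = derive_aes_key("px", salt, iterations)
    print("bits changed by a one-letter edit:", bit_difference(k1, k2), "of 256")
```

The key length is fixed by the requested output size, not by the number of letters typed, and a one-letter change in the passphrase flips roughly half of the key bits.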