WebApp Sec mailing list archives
RE: Securing encrypted data in RAM vs MSSQL
From: "Mark Curphey" <mark () curphey com>
Date: Thu, 1 Jul 2004 15:44:12 -0400
Hi Martin,

Heuristically? What tools? Are you referring to pseudo collisions? If you can pick up a pattern (apart from its entropy) of any sort on the cipher text of a one-way hash function then it is by definition broken, or am I missing something? I may be wrong, but you may be referring to pseudo collisions as described by Hans Dobbertin in his paper in the 90's? If so, there is a big difference between pseudo collisions and real-world attacks (and his work was on MD4, not 5). I am not aware of any work proving real collisions, anyone?

Pre-computing dictionaries is one thing, although implementations can be designed so this becomes impractical. Dictionary attacks will always be possible, but again, with a suitable salt and password entropy this should not be practical. As with most crypto (IMHO) the implementation usually lets the design down! I am all for picking holes in implementations, but I think we need to be careful to say "there is always a way to recover the real password or login from a hash".

-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga]
Sent: Thursday, July 01, 2004 1:44 PM
To: Dean Saxe
Cc: webappsec () securityfocus com; forensics () securityfocus com
Subject: RE: Securing encrypted data in RAM vs MSSQL

Yep sure, it should harden the security of the hashes... depending on what kind of salt as well! :) But in that case some tools also improved and have heuristic techniques to go quicker. The time needed depends on the software you are using! IBM Watson's Lab or the NSA labs should do this quicker than my laptop! :)

-----Original Message-----
From: Dean Saxe [mailto:Dean.Saxe () DigitalInsight com]
Sent: Thursday, July 01, 2004 18:35
To: Bénoni MARTIN; Toro, Daniel; Stan Guzik; Dave Andrews; webappsec () securityfocus com; forensics () securityfocus com
Subject: RE: Securing encrypted data in RAM vs MSSQL

Shouldn't a salt value added to the plaintext before hashing effectively make this kind of dictionary attack much more difficult, if not impossible, to perform, since you would have to recover the salt and plaintext?

-dhs

-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga]
Sent: Thursday, July 01, 2004 1:19 PM
To: Toro, Daniel; Stan Guzik; Dave Andrews; webappsec () securityfocus com; forensics () securityfocus com
Subject: RE: Securing encrypted data in RAM vs MSSQL

Well, there is always a way to recover the real password or login from a hash... the matter is the time it will take! The method to "dehash" a hash is quite simple: as theoretically a hash_1 can be produced by a single pass_1/login_1/..., we can create a huge amount of random pass_2/logins_2/..., hash them with MD5/SHA-1/... and then compare each of them with our hash_1. As soon as the two hashes are the same, we can pick up the pass/login/... which produced hash_2. Quite simple but really long to perform. BTW, Cain & Abel, John the Ripper and Crack can perform such recoveries... :)
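An added example, written for this archive page and not by any of the posters above, showing in Python the two points the thread circles around: with an unsalted digest (plain MD5, the scheme the "dehash" description targets) every account with the same password stores the same value, so one precomputed table serves all of them; with a random per-record salt plus an iterated key derivation the stored values differ even for identical passwords and each guess has to be recomputed against one record. The user list is constructed, and PBKDF2-HMAC-SHA256 with 100,000 iterations is an assumed choice of salted scheme, not something the thread prescribes.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample credential store (not real users): two accounts share a password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "correct horse",
    "bob": "correct horse",
    "carol": "hunter2",
}


def unsalted_md5(password: str) -> str:
    """Plain MD5 of the password, the scheme the thread's dictionary attack targets.
    The same password always maps to the same digest, so one precomputed table of
    digest -> password works against every account in every database."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Salted, iterated hash (assumed parameters, not from the thread).
    A fresh random 16-byte salt per record means two users with the same password
    get unrelated stored values, and the iteration count makes each guess cost
    ~100k SHA-256 computations instead of one. The record is self-describing:
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(("pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count taken from the stored record and
    compare in constant time, so verification leaks nothing through timing."""
    scheme, iterations, salt_hex, _digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported hash scheme: " + scheme)
    recomputed = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, stored)


def accounts_sharing_a_digest(records: Dict[str, str]) -> int:
    """Number of accounts whose stored value also appears under another account.
    With unsalted hashes this exposes password reuse at a glance (and lets one
    table lookup cover all of them); with per-record salts it is 0 even when the
    underlying passwords are identical."""
    counts: Dict[str, int] = {}
    for value in records.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(n for n in counts.values() if n > 1)


def build_stores() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Hash the constructed users both ways and return (unsalted, salted) stores."""
    unsalted = {user: unsalted_md5(pw) for user, pw in SAMPLE_USERS.items()}
    salted = {user: hash_password(pw) for user, pw in SAMPLE_USERS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted_store, salted_store = build_stores()
    print("accounts sharing a digest, unsalted MD5:", accounts_sharing_a_digest(unsalted_store))
    print("accounts sharing a digest, salted PBKDF2:", accounts_sharing_a_digest(salted_store))
    print("verify bob / 'correct horse':", verify_password("correct horse", salted_store["bob"]))
    print("verify bob / 'wrong':", verify_password("wrong", salted_store["bob"]))
```

Storing the salt and iteration count inside the record is what lets the verifier recompute the hash later and lets the iteration count be raised over time as hardware gets faster, which is the "implementation can be designed so this becomes impractical" point made above.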
Current thread:
- Securing encrypted data in RAM vs MSSQL Dave Andrews (Jul 01)
- Re: Securing encrypted data in RAM vs MSSQL George Capehart (Jul 01)
- <Possible follow-ups>
- RE: Securing encrypted data in RAM vs MSSQL Stan Guzik (Jul 01)
- Re: Securing encrypted data in RAM vs MSSQL Toro, Daniel (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Bénoni MARTIN (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Yvan Boily (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Dean Saxe (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Bénoni MARTIN (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Mark Curphey (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Dave Andrews (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Philip Wagenaar (Jul 02)
- Re: Securing encrypted data in RAM vs MSSQL Lucas Holt (Jul 06)
- Re: Securing encrypted data in RAM vs MSSQL Ivan Krstic (Jul 06)
- RE: Securing encrypted data in RAM vs MSSQL Philip Wagenaar (Jul 02)
- RE: Securing encrypted data in RAM vs MSSQL Michael Silk (Jul 02)
- Re: Securing encrypted data in RAM vs MSSQL exon (Jul 02)
- RE: Securing encrypted data in RAM vs MSSQL Bénoni MARTIN (Jul 02)
- Re: Securing encrypted data in RAM vs MSSQL Ivan Krstic (Jul 02)