Full Disclosure mailing list archives
Re: In case y'all didn't catch it yet...
From: Martin Eian <eian () samfundet no>
Date: Thu, 17 Feb 2005 15:59:45 +0100
> One possibility is brute forcing password hashes. If one has this hash '988881adc9fc3655077dc2d4d757d480b5ea0e11', less time is now needed to brute force it and gain access to something.
Not really. Here's why: Bruce Schneier wrote that the research team had found collisions in SHA-1 in 2**69 operations. A collision won't help you brute force a password hash. What you just described is a preimage, not a collision.
From "Handbook of Applied Cryptography" [1], chapter 9, subsection 9.2.2, pages 323-324:
1. preimage resistance - for essentially all pre-specified outputs, it is computationally infeasible to find any input which hashes to that output, i.e., to find any preimage x' such that h(x') = y when given any y for which a corresponding input is not known.
2. 2nd-preimage resistance - it is computationally infeasible to find any second input which has the same output as any specified input, i.e., given x, to find a 2nd-preimage x' =/= x such that h(x) = h(x').
3. collision resistance - it is computationally infeasible to find any two distinct inputs x,x' which hash to the same output, i.e., such that h(x) = h(x'). (Note that here there is free choice of both inputs.)
[1] http://www.cacr.math.uwaterloo.ca/hac/

--
Martin Eian
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
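The distinction drawn in the message above, as an added example that is not part of the original post: it counts the hash evaluations needed to find a collision (both inputs free) against those needed to find a preimage (output fixed in advance, as with a stored password hash). SHA-1 is truncated to a toy width so both searches finish; the truncation, the function names and the sample inputs are assumptions made for illustration.

```python
import hashlib
from itertools import count

def h(data: bytes, bits: int) -> int:
    """SHA-1 truncated to its top `bits` bits (toy size, an assumption)."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - bits)

def find_collision(bits: int):
    """Collision: both inputs are free, so any repeated output wins."""
    seen = {}
    for i in count():
        x = b"c%d" % i          # constructed inputs c0, c1, ...
        y = h(x, bits)
        if y in seen:
            return seen[y], x, i + 1
        seen[y] = x

def find_preimage(target: int, bits: int):
    """Preimage: only an input that hits the given output counts."""
    for i in count():
        x = b"p%d" % i          # constructed guesses p0, p1, ...
        if h(x, bits) == target:
            return x, i + 1

def compare(bits: int) -> dict:
    """Run both searches at the same output width and report the work done."""
    a, b, collision_tries = find_collision(bits)
    target = h(b"constructed-password", bits)  # stands in for a stored hash
    x, preimage_tries = find_preimage(target, bits)
    return {
        "collision": (a, b),
        "collision_tries": collision_tries,
        "target": target,
        "preimage": x,
        "preimage_tries": preimage_tries,
    }

if __name__ == "__main__":
    r = compare(20)
    print("collision found after", r["collision_tries"], "hashes")
    print("preimage found after ", r["preimage_tries"], "hashes")
```

Expected work is about 2**(bits/2) hashes for the collision and about 2**bits for the preimage; at SHA-1's full 160 bits that is 2**80 against 2**160, and the 2**69 result quoted above lowers only the first figure.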