Full Disclosure mailing list archives
Re: Re: choice-point screw-up and secure hashes
From: "Jason Coombs" <jasonc () science org>
Date: Sat, 19 Mar 2005 23:02:36 +0000 GMT
reverse hashing
By reverse hashing you mean defeating the protection by forward hashing all possible SSNs, presumably. -----Original Message----- From: Valdis.Kletnieks () vt edu Date: Sat, 19 Mar 2005 17:38:09 To:Atom Smasher <atom () smasher org> Cc:Jason Coombs <jasonc () science org>, Full-Disclosure <full-disclosure () lists grok org uk> Subject: Re: [Full-disclosure] Re: choice-point screw-up and secure hashes On Sat, 19 Mar 2005 13:34:53 EST, Atom Smasher said:
tell ya what... here's my SSN hashed with a salt: =09e36c98b34d5ba979fb0bf0c64dc7b3a66c9ce841437d6460390e6380810f1440 as soon as you recover my SSN, just let me know.
Tell you what - give me the salt and the hash algorithm, and it will be quick work indeed. Remember that the company probably needs an *invertible* function as they need to be able to access the original value, so the trick of "hash the SSN and see if you get the same to compare for equality" isn't usable. You can use a one-way function if the only question is "Is 109-00-4368 the SSN for Customer XYZ?". If you need to be able to answer "What is Customer XYZ's SSN?" you need an invertible function. And if you ever do a database JOIN based on SSN, you need the SSN. And the sad fact is that if the company's servers are compromised sufficiently to recover the hashed SSN, they're almost certainly compromised sufficiently to allow the theft of the software that handles the forward and reverse hashing. So considering the salt and the algorithm secure if the hash has been compromised is probably a bad idea.. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: choice-point screw-up and secure hashes, (continued)
- Re: choice-point screw-up and secure hashes Atom Smasher (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Valdis . Kletnieks (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Atom Smasher (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Valdis . Kletnieks (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Atom Smasher (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Valdis . Kletnieks (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Jason (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Atom Smasher (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Valdis . Kletnieks (Mar 19)
- Re: choice-point screw-up and secure hashes Atom Smasher (Mar 19)
- Re: choice-point screw-up and secure hashes Atom Smasher (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Valdis . Kletnieks (Mar 19)
- Re: choice-point screw-up and secure hashes Atom Smasher (Mar 19)