WebApp Sec mailing list archives
Re: Securing encrypted data in RAM vs MSSQL
From: Ivan Krstic <krstic () fas harvard edu>
Date: Fri, 02 Jul 2004 15:45:59 +0100
Bénoni MARTIN wrote:
Humm...in my crypto courses, I learnt that encrypting several times a password does not enhance the security level of it. Is it the same for a hash? I don't know...Someone has a clue? And I think that hashing 50 times a password would slow down the hacker...but us as well! :)
Because of the inherent weaknesses of non-perfect hash functions (partial message collisions and length extensions) you are well advised to never use a hash function once. Instead, using h_dbl(m) := h(h(m)||m) where h(m) is the hash function with plaintext m is a better option as it is believed it solves both of the weaknesses.
Of course, this precludes you from being able to hash a datastream on the fly, so if that's important, you have to find a better way to protect yourself.
Cheers, Ivan.
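The h_dbl construction from the message above, written out as an added example that is not part of the original post. SHA-256 as the choice of h and the function names `h_dbl` and `h_dbl_stream` are assumptions. The stream variant shows the cost mentioned in the message: the input has to be read twice, so a pipe or socket cannot be hashed on the fly.

```python
import hashlib
import io


def h_dbl(m: bytes, h=hashlib.sha256) -> bytes:
    """h_dbl(m) := h(h(m) || m) for a message held fully in memory."""
    inner = h(m).digest()
    return h(inner + m).digest()


def h_dbl_stream(f, h=hashlib.sha256, chunk=65536) -> bytes:
    """Same value for a seekable binary stream, computed in two passes.

    The outer hash must absorb h(m) before the first byte of m, and h(m)
    is only known once all of m has been read. Hence the rewind.
    """
    if not f.seekable():
        raise ValueError("h_dbl needs two passes; stream is not seekable")
    start = f.tell()

    # Pass 1: inner digest h(m).
    inner = h()
    while block := f.read(chunk):
        inner.update(block)

    # Pass 2: outer digest over h(m) || m.
    f.seek(start)
    outer = h(inner.digest())
    while block := f.read(chunk):
        outer.update(block)
    return outer.digest()


if __name__ == "__main__":
    sample = b"constructed sample message"  # constructed input, not from the thread
    print("h(m)         :", hashlib.sha256(sample).hexdigest())
    print("h_dbl(m)     :", h_dbl(sample).hex())
    print("h_dbl(stream):", h_dbl_stream(io.BytesIO(sample)).hex())
```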