Re: Locking physical memory (RAM) under Windows


Adam Shostack (adam@homeport.org)
Mon, 29 Jun 1998 08:37:13 -0400 (EDT)


Just a minor point, but the final hash is less useful to me as an
attacker than the initial password, because people tend to use the
same password in multiple places. Thus, while equivalent for
attacking the system targeted, they're likely to be not equivalent for
the environment as a whole.

Adam

Steve Reid wrote:
| On Sun, 28 Jun 1998, Simon R Knight wrote:
| > If passwords or passphrases never appear in memory, then they
| > can't be written to a swapfile, so one solution that I find
| > presenting itself, is the possibility of hashing of each character as
| > it is entered at the keyboard. A hash of character one, and a hash of
| > character two, being hashed together to create a new value which can
| > then be hashed with a hash of the third character ... and so on.
|
| This doesn't strike me as a very good idea. If the attacker can get the
| final hash, he has the secret key. If he can get each individual
| keystroke hash, he can compute the final hash as easily as you can.
| Also, if he can get each individual keystroke hash, he can easily deduce
| the keys being typed- just hash every possible keystroke (there aren't
| very many) until he finds a match, then move on to the next keystroke.
|
| No matter how you slice it, the secret _has_ to be in memory for the
| software to use it. Whether the secret is a passphrase or some
| complicated hash of a passphrase doesn't matter.
|
|

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
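
The chained per-keystroke hashing quoted above, as an added Python example that is not part of the original message: it shows why the intermediate values need the same protection as the passphrase itself. SHA-256, the printable-ASCII alphabet and all function names are assumptions; the thread names no hash function.

```python
import hashlib
import string


def h(data):
    # Assumption: SHA-256 stands in for the unspecified hash in the thread.
    return hashlib.sha256(data).digest()


def chained_states(passphrase):
    """Values the proposed scheme would hold in memory, one per keystroke:
    s1 = H(c1), s_i = H(s_(i-1) || H(c_i))."""
    states = []
    state = b""
    for ch in passphrase:
        ch_hash = h(ch.encode())
        state = ch_hash if not states else h(state + ch_hash)
        states.append(state)
    return states


def recover_from_states(states, alphabet=string.printable):
    """If every intermediate state is exposed (e.g. via a swapfile), each
    keystroke is found by trying the alphabet once against the prior state."""
    recovered = []
    prev = None
    for target in states:
        for ch in alphabet:
            ch_hash = h(ch.encode())
            candidate = ch_hash if prev is None else h(prev + ch_hash)
            if candidate == target:
                recovered.append(ch)
                break
        else:
            raise ValueError("keystroke outside the assumed alphabet")
        prev = target
    return "".join(recovered)


def work_factor(length, alphabet_size=len(string.printable)):
    """Worst-case guesses: (with all intermediate states, with only the final hash)."""
    return length * alphabet_size, alphabet_size ** length


if __name__ == "__main__":
    sample = "correct horse"  # constructed sample passphrase
    print(recover_from_states(chained_states(sample)) == sample)
    print(work_factor(8))
```

With the intermediate states exposed, the search cost grows linearly with passphrase length instead of exponentially, so the scheme only helps if those states are kept out of swap as carefully as the passphrase would be.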



The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:19:11 ADT