Comments for root labs rdist

Comment on On the evolving security of password schemes by Nate Lawson

Nate Lawson — Sun, 05 Feb 2012 20:24:33 +0000

Yes, that falls under option 3 in the above list (responses).

However, your particular strategy requires users to keep changing their username if your site encounters a persistent DoS attack. Since usernames should not have to be secret, it seems poor.

Comment on On the evolving security of password schemes by Francisco Corella

Francisco Corella — Sat, 04 Feb 2012 05:31:56 +0000

To protect against online password guessing it is possible to limit the total number of guesses that an attacker can make against a password, rather than the guess rate. That can be done by using two counters: a counter of consecutive bad guesses, which is reset after a good guess; and a cumulative counter of bad guesses, which is NOT reset after a good guess. After the first counter reaches, say, 5 guesses, the password is disabled and must be reset. After the second counter reaches, say, 30 guesses, the user is asked to change the password. The username associated with the password can be changed to counter a denial-of-service attack by submitting bad guesses. For more details, see http://pomcor.com/whitepapers/protecting_against_password_guessing_attacks.pdf.

Comment on Why stream ciphers shouldn’t be used for hashing by Nate Lawson

Nate Lawson — Thu, 02 Feb 2012 19:56:04 +0000

Absolutely.

Chosen key resistance is much harder than related key resistance, and to use a cipher (stream or block) as a hash function, it needs to be strong against both. That’s the summary of this article.

Comment on Why stream ciphers shouldn’t be used for hashing by Eloi Vanderbeken

Eloi Vanderbeken — Wed, 01 Feb 2012 09:11:44 +0000

An other big problem is that RC4 is not resistant to first and second preimage attacks and absolutely not collision resistant if you use 256 bits key.

It’s really easy to find 2 keys that generate the same first bytes of keystream.
Even for “long” keystreams as an example :

data 1 :
5d8f3b1fd7451db4da66368d48aaeacc19619c4ed23cb32f4eb11a8a0a9a62f94add5f1208adcfb0fccc51ec2e4e40f3bfa819129707804143b8cd68bb029d9f7d64312a9e528a7c1c5113e691c93dca81b05bee42be444bf14d25f0c960356cea1ce1efaf516c77dbbe583fbf1e4ba4bed8b791d14f1fca6f93795db45cf6c50e5afc13de18f25dbb73274e09b50527ad32a5ccf328da5412b436664653ec9463595870e1ab586ceefcbb47ac3db2626ff0bfc17524dbc4289c274cf7da51546b1b508c3386159f5b96626067c2cafb7cc69c69bb3600e8fc82f82aca470ea8a619e657e41ad50e84f00637abd52a0853d21143354b112a56f1354f54807f

and data 2 :
00fffffffafef9f9fdf7f7f3f9f0f3f6eef1f1e1efe4f1ecdff7d8ece1edcfebdbf2d6dee9bee2d5f4c3edb4eddab3e0dfc9cec0d4c5c8ded598e9c0d0abbaedb4b9d6acc59ebcade19fb2c7bd83b0d4bca684e8a38ae27bcfb4926cdda2a68083dd788ab3a7d35e71f081927eb37f9d5cb3708f74c9667a9a9d6ec79d5b79b82ec05f359b6bc25e8f794a9b52958b2cab11d15ca9531dcf3a8b1149e441524f629d561d554351579cfbeddf45d72c5e0596f4d6d0b9d09ed3b8e144c520ef6a5beeb4703fed094c68df335a4790fbd54c52503cf5649db2145d2b2c6db65b68198b578b8ba965325efaf8035cf80ca985a09c71bccce90f99c1378a409527b7

generate the same first 248 bits of keystream :

80dc5f0cbf84ae113ab8dd9bacfb9e9351e95d01e24fed9c18a5722ce69704

Comment on Why stream ciphers shouldn’t be used for hashing by Nate Lawson

Nate Lawson — Wed, 01 Feb 2012 05:56:09 +0000

I’m somewhat allergic to password hashing posts, so you’ll have to make do with this:

http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html

Comment on Why stream ciphers shouldn’t be used for hashing by Andrew Jamieson

Andrew Jamieson — Wed, 01 Feb 2012 01:01:46 +0000

I think it may be worthwhile having a post on the differences between using hashes for securing passwords, and using hashes for securing data integrity / authenticity (as part of a signature). I see many people get this wrong, in terms of confusion around the differences between collision and pre-image recovery and how they relate to the two common uses for hashing.