[prev in list] [next in list] [prev in thread] [next in thread]
List: busybox
Subject: Re: About: CONFIG_FEATURE_SHA1_PASSWORDS
From: Jason Schoon <floydpink () gmail ! com>
Date: 2006-01-30 22:41:44
Message-ID: 78a54e1b0601301441g68f1f23n5e2a0becb7b90051 () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
I don't know if I would say either is more secure than the other anymore.
SHA1 has problems of its own:
http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
I think it would be prudent though to just include the necessary missing
files and have both MD5 and SHA1 as options.
On 1/30/06, Rob Landley <rob@landley.net> wrote:
>
> On Monday 30 January 2006 14:07, Tito wrote:
> > Hi,
> > It seems to me that CONFIG_FEATURE_SHA1_PASSWORDS is broken:
> >
> > 1) It is not in our config system
> > 2) it is used only in these files:
> > /busybox/include/libbb.h
> > /busybox/include/usage.h
> > /busybox/libbb/pw_encrypt.c
> > 3) it needs at least two more files
> > sha1.c
> > sha1.h
> > to compile (they could be found in some versions of tinylogin)
>
> And the current implementation makes no use whatsoever of the salt value
> you
> just added.
>
> > So should we fix it and add the missing files, the entries in Config.in
> > and in the makefiles or should we remove all references to it.
> >
> > Some hints?
>
> I believe it's a generally more secure algorithm than md5. People can no=
w
> synthesize md5 hash collisions (although not necessarily collisions for a
> _specific_ hash...)
>
> http://eprint.iacr.org/2005/075
>
> Of course if they grab your file of encrypted keys they can brute force
> the
> human-typeable keyspace in a finite amount of time on a modern laptop
> anyway.
>
> SHA1 is what git is based on.
>
> > Ciao,
> > Tito
>
> Rob
> --
> Steve Ballmer: Innovation! Inigo Montoya: You keep using that word.
> I do not think it means what you think it means.
> _______________________________________________
> busybox mailing list
> busybox@busybox.net
> http://busybox.net/cgi-bin/mailman/listinfo/busybox
>
[Attachment #5 (text/html)]
I don't know if I would say either is more secure than the other anymore. SHA1 \
has problems of its own:<br><a \
href="http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html">http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
</a><br><br>I think it would be prudent though to just include the necessary missing \
files and have both MD5 and SHA1 as options.<br><br><br><br><div><span \
class="gmail_quote">On 1/30/06, <b class="gmail_sendername">Rob Landley </b> <<a \
href="mailto:rob@landley.net">rob@landley.net</a>> wrote:</span><blockquote \
class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt \
0pt 0.8ex; padding-left: 1ex;">On Monday 30 January 2006 14:07, Tito wrote: <br>> \
Hi,<br>> It seems to me that CONFIG_FEATURE_SHA1_PASSWORDS is \
broken:<br>><br>> 1) It is not in our config system<br>> 2) it is used only \
in these files:<br>> /busybox/include/libbb.h<br>> /busybox/include/usage.h
<br>> /busybox/libbb/pw_encrypt.c<br>> 3) it needs at least two \
more files<br>> sha1.c<br>> sha1.h<br>> \
to compile (they could be found in some versions of tinylogin)<br><br>And the current \
implementation makes no use whatsoever of the salt value you <br>just \
added.<br><br>> So should we fix it and add the missing files, the entries in <a \
href="http://Config.in">Config.in</a><br>> and in the makefiles or should we \
remove all references to it.<br>><br>> Some hints? <br><br>I believe it's a \
generally more secure algorithm than md5. People can now<br>synthesize md5 \
hash collisions (although not necessarily collisions for a<br>_specific_ \
hash...)<br><br><a href="http://eprint.iacr.org/2005/075"> \
http://eprint.iacr.org/2005/075</a><br><br>Of course if they grab your file of \
encrypted keys they can brute force the<br>human-typeable keyspace in a finite amount \
of time on a modern laptop anyway.<br><br>SHA1 is what git is based on. <br><br>> \
Ciao,<br>> Tito<br><br>Rob<br>--<br>Steve Ballmer: Innovation! Inigo \
Montoya: You keep using that word.<br>I do not think it means what you think it \
means.<br>_______________________________________________ <br>busybox mailing \
list<br><a href="mailto:busybox@busybox.net">busybox@busybox.net</a><br><a \
href="http://busybox.net/cgi-bin/mailman/listinfo/busybox">http://busybox.net/cgi-bin/mailman/listinfo/busybox</a><br></blockquote>
</div><br>
_______________________________________________
busybox mailing list
busybox@busybox.net
http://busybox.net/cgi-bin/mailman/listinfo/busybox
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic