lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: jasonc at science.org (Jason Coombs)
Subject: Re: choice-point screw-up and secure hashes

Good job! You've reduced by 99% the number of people who understand that the SSN is still being stored as plaintext in the database.

This should result in 100% efficacy for defense against lawsuits and other complex liability that would otherwise arise out of pure neglect and incompetency.

I suspect that CA1386 could be circumvented entirely if companies would just follow your advice. Why should anyone notify anyone else of a theft involving a bunch of ?secure hashes? ... After all, they're not SSN's any longer, and thus can't be considered personal confidential information.

Here's a general rule for everyone to follow:

obscurity = 0;
while(!obscurity) {obscurity += salt;}
...
if(security_incident && obscurity) {ignore_danger = true;}
...
if(neglect + incompetency + obscurity == best_practices) {security_business_profits += google;}


-----Original Message-----
From: Atom Smasher <atom@...sher.org>
Date: Fri, 18 Mar 2005 02:37:07 
To:recipient list not shown: ;
Subject: choice-point screw-up and secure hashes

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

it seems that the recent choice-point screw-up could have been avoided if 
they read (and understood!) applied cryptography. apparently no one at 
choice-point understands what cryptographic function a secure hash can 
serve.

let's say that someone's SSN is 123-45-6789. storing that in a db might 
seem like a necessity, but what's *really* needed is a unique 
identifier... this could be achieved by hashing the SSN with a salt. using 
a salt of "19740704" (which could be read as the fourth of july, 1974):
 	SHA-256(19740704:123-45-6789)
the unique identifier becomes:
 	f7aa0fbbbe6e20a05dfe9634f30a145702b9bb0b

so, taking two known identifiers (SSN and DOB, neither of which are likely 
to change over the course of one's life) we can create a unique identifier 
that serves just as well as an SSN in nearly any db, but it's near useless 
if the data is compromised. if someone obtained a db filled with names, 
addresses, DOBs and hashed identifiers they would have a long way to go in 
obtaining anyone's SSN (and quite a long way to go in obtaining a 
significant list of SSNs). OTOH, if someone legitimately applies for a 
credit card, loan, etc, they would supply their SSN and DOB, which can be 
hashed and verified just as easily as if the db contained actual SSNs.

(as described above, the construct may be over-simplified. particularly, a 
stronger salt would be a good idea.)

of course a db with actual SSNs could also be maintained, but it could be 
kept under much tighter control (ie: NOT SOLD TO ANYONE; used only for 
internal QC/QA; used when hash algorithms need to be changed).

btw, if anyone at choice-point is reading this i'm looking for a new job.


- -- 
         ...atom

  _________________________________________
  PGP key - http://atom.smasher.org/pgp.txt
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
  -------------------------------------------------

 	"Man cannot pretend to he higher in ethics,
 	 spirituality, advancement, or civilization than
 	 other creatures, and at the same time live by
 	 lower standards than the vulture or hyena."
 		--  H Jay Dinshah, Out of the Jungle

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures

iQEcBAEBCAAGBQJCOoUpAAoJEAx/d+cTpVciimkH/2WpLWwCplNC/CXlfImiTdvd
d5PguTZlcixwKgFF+4M7oJ8IbscUS6UITJZ9CYLHyCL4iYOLTPgHBg1LDdk2iiI2
2yUXJPQSQAPBKrD2pwjBFtFe5WG2R5wcwWgKvhlqX4Ie38Fjni+BFFwrRw+FuVv2
3/6ZFEH8swR7g/EhhO3YTA77smdLFs9mHcbj9RHe2Nd2XyWycVJkAJtiZ/afVvkX
CdSuXmkzsjXzR+tsWQ5xZ2P1ihxX1u8eFPO1mDXYqe1T/VQ/4RIq4/n+wqnqU7/y
OJlKftWniu/aBCbSw8uZ3c7H2xT5KlUFSu5xhVYi8GxzTetb/fYcNmICL6lgeLs=
=RhR0
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ