Message-ID: <20050319183840.49492.qmail@smasher.org>
From: atom at smasher.org (Atom Smasher)
Subject: Re: choice-point screw-up and secure hashes

On Sat, 19 Mar 2005, Kurt Seifried wrote:

> Hashing SSN numbers and CC numbers doesn't matter unless you use a 
> really huge salt that is stored separately. Why? Not enough variation. A 
> credit card number for example:
>
> 4520 1234 1234 1234
>
> except the first 4 digits (4520) are the bank code, so for example in 
> Canada if you guess 4520 as the first 4 digits that's a safe guess since 
> it's a Visa from TD Canadatrust (one of the big 3 banks here). You're 
> now down to 10^12 which isn't a very huge search space. The same goes 
> for SSN's, they simply aren't long enough to be meaningful, in Canada 
> our SIN number (same idea as your SSN) is only 9 digits long. That's a 
> trivially short search space.
====================

that's certainly a valid critique, that had occurred to me. and i'm sure 
somewhere out there is a good way to do it.


> To put it bluntly you basically can't store SSN/SIN/CC's in a "Secure" 
> manner that obscures them significantly enough to prevent an attacker 
> from brute forcing them unless you go to some extreme method, which 
> companies won't do.
>
> The sad part is there is NO (Zero, Nada, Zilch) incentive for companies 
> to treat this data securely. Information for a hundred thousand people 
> is stolen. So what? The company is not criminally liable in any way (I 
> haven't heard of any laws yet). Civilly they're barely liable either. 
> It'll be more of the same until we have laws with penalties for allowing 
> theft of customer data. Too bad insurance won't work, when a physical 
> item is stolen it costs money to get a new one, and insurance companies 
> won't pay out unless you took due care/diligence, OTOH if you steal all 
> the electronic data (and even erase it) a company just restores from a 
> backup and goes on with life.
=================

agreed. it's beyond just being a technical problem, so just a technical 
solution is naive. there need to be consequences when this type of data 
is compromised... having some executives make an appearance in DC and 
plead "please don't regulate us" isn't making the world more secure.


-- 
         ...atom

  _________________________________________
  PGP key - http://atom.smasher.org/pgp.txt
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
  -------------------------------------------------

 	"America may be the best country in the world, but that's
 	 kind of like being the valedictorian of summer school."
 		-- Dennis Miller
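
Added example, not part of the original message or thread: a storage check for the search-space argument quoted above, comparing an unsalted hash of a card number with a keyed hash whose key is held outside the database. HMAC-SHA-256 standing in for the "really huge salt that is stored separately", the function names, the 10^9 hashes-per-second rate and the scaled-down 4 unknown digits are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

def plain_token(pan: str) -> str:
    """Unsalted SHA-256 of the digits: the naive 'hashed' storage column."""
    return hashlib.sha256(pan.encode()).hexdigest()

def keyed_token(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key kept outside the database."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def keyspace(unknown_digits: int) -> int:
    """Number of candidates when only this many decimal digits are unknown."""
    return 10 ** unknown_digits

def seconds_to_exhaust(unknown_digits: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed hash rate."""
    return keyspace(unknown_digits) / hashes_per_second

def recover(token, known_prefix, unknown_digits, tokenizer):
    """Audit check: does enumerating the remaining digits reproduce the token?"""
    for n in range(keyspace(unknown_digits)):
        candidate = known_prefix + str(n).zfill(unknown_digits)
        if hmac.compare_digest(tokenizer(candidate), token):
            return candidate
    return None

# Constructed sample: the placeholder card number quoted in the message.
PAN = "4520123412341234"
# Assumption: in production this key lives in an HSM or KMS, never in the DB.
DB_KEY = secrets.token_bytes(32)

def demo():
    # Scaled down so it runs instantly: 12 digits known, 4 unknown (10^4 tries).
    # The message's case (bank code known, 12 unknown) is the same loop.
    prefix, unknown = PAN[:12], 4
    from_plain = recover(plain_token(PAN), prefix, unknown, plain_token)
    # Someone holding only the database dump has no key, so any guess is wrong.
    guess = secrets.token_bytes(32)
    from_keyed = recover(keyed_token(PAN, DB_KEY), prefix, unknown,
                         lambda p: keyed_token(p, guess))
    return from_plain, from_keyed

if __name__ == "__main__":
    print("recovered (plain, keyed):", demo())
    print("10^12 candidates at 1e9/s:", seconds_to_exhaust(12, 1e9), "s")
    print("10^9 candidates at 1e9/s:", seconds_to_exhaust(9, 1e9), "s")
```

The keyed column only holds up while the key stays out of whatever store the tokens are kept in; a dump that includes the key reduces it to the unsalted case.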


