Open Source and information security mailing list archives
 
Date: Fri, 15 Jun 2007 16:49:12 -0500
From: "Jason Miller" <jammer128@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Month of Random Hashes: DAY THREE

I still think this is useless. What am I going to do with hashes? This
whole Month of * BS is making me want to unsubscribe from the listing.

On 6/15/07, Valdis.Kletnieks@...edu <Valdis.Kletnieks@...edu> wrote:
> On Fri, 15 Jun 2007 16:59:01 -0300, "M.B.Jr." said:
> > but only one string can produce that md5 hash signature,
> > that sha1 hash signature, fucking that sha256 hash signature, fucking that
> > <any_other> hash signature, etc...
>
> Nope.  There's an infinite number of strings that would produce the same
> MD5/sha1/sha256/whatever hash.  The interesting point about such hashes is
> that although given a particular string A, we can *easily* compute the hash H.
> However, knowing H, we don't have a good way to recover A, nor do we have any
> easy way to compute a *second* string B that hashes to H.
>
> So, given a hash H, we know one of 3 things is true:
>
> 1) The person we got H from has A, and easily computed H.
> 2) The person doesn't have A, but does have either a way to use several million
> CPU-years or a crypto breakthrough to compute some string B that also hashes to H
> 3) The person just pulled a pseudo-random string of bits out of their ass,
> called it H, and has as little clue about A and B as we do.
>
> At the current time, (2) is believed to be impractical, and (3) fails the
> instant the person actually has to produce A itself.  As a result, we can
> usually presume that if they have a hash H, they've got the A it hashed from.
>
> This becomes interesting if you want to prove that you have a prior claim on
> something, without revealing the something (for instance, an advisory or PoC
> for something while you're still working with a vendor about fixing it) - you
> can (for instance) post the hash of it on May 1, release the announcement on
> July 1, and when others dispute your claim you knew about it on May 1, you can
> point to the hash from May 1, and show it's the same as the hash of your July 1
> announcement, and thus prove you knew about it back on that date.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
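
The prior-claim procedure described in the quoted message (publish the hash now, reveal the document later, let anyone recompute and compare), as an added Python example that is not part of the original thread. It goes one step beyond the message by mixing a random nonce into the hash, so a short or guessable document cannot be recovered by brute-forcing the published digest; the function names, the nonce scheme and the sample advisory text are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def commit(document: bytes, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (digest_hex, nonce). Publish the digest; keep document and nonce private."""
    if nonce is None:
        nonce = secrets.token_bytes(32)
    h = hashlib.sha256()
    # Length prefix keeps the nonce/document boundary unambiguous.
    h.update(len(nonce).to_bytes(2, "big"))
    h.update(nonce)
    h.update(document)
    return h.hexdigest(), nonce


def verify(published_digest: str, document: bytes, nonce: bytes) -> bool:
    """Recompute the digest from the revealed document and nonce and compare."""
    recomputed, _ = commit(document, nonce)
    return hmac.compare_digest(recomputed, published_digest.strip().lower())


# Constructed sample input, not a real advisory.
ADVISORY = b"Constructed sample advisory: buffer overflow in exampled 1.0"
FIXED_NONCE = bytes(range(32))  # fixed only so the demo is repeatable


def demo() -> dict:
    digest, nonce = commit(ADVISORY, FIXED_NONCE)  # the hash posted on "May 1"
    return {
        "digest": digest,
        # Case 1 in the message: the poster really had A, so the reveal checks out.
        "genuine": verify(digest, ADVISORY, nonce),
        # A document edited after the commitment no longer matches.
        "edited": verify(digest, ADVISORY + b" (edited later)", nonce),
        # Revealing with a different nonce fails as well.
        "wrong_nonce": verify(digest, ADVISORY, secrets.token_bytes(32)),
        # Case 3 in the message: a made-up H fails once A has to be produced.
        "made_up_hash": verify(secrets.token_hex(32), ADVISORY, nonce),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The digest alone proves nothing about when it was published; the date comes from the independent archive (here, the mailing list) that recorded the post.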
