lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2df3b0cb0706151932k70318eb7ye4b4a2c6b56724d@mail.gmail.com>
Date: Fri, 15 Jun 2007 23:32:50 -0300
From: M.B.Jr. <marcio.barbado@...il.com>
To: "Jason Miller" <jammer128@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Month of Random Hashes: DAY THREE

On 6/15/07, Jason Miller <jammer128@...il.com> wrote:
I still think this is useless. What am I going to do with hashes? This
whole Month of * BS is making me want to unsubscribe from the listing.

Jason, do it please...

Dessent,
did I mentioned concatenated hashes?
you trippin man...

Kletnieks,
it's possible but it is not a rule.

so if the number of NON-CONCATENATED hashes tends to infinite, your chances
tend to zero.

> On Fri, 15 Jun 2007 16:59:01 -0300, "M.B.Jr." said:
> > but only one string can produce that md5 hash signature,
> > that sha1 hash signature, fucking that sha256 hash signature, fucking
that
> > <any_other> hash signature, etc...

My "etc" means "fucking that <any_other> hash signature" INFINITE times...




On 6/15/07, Jason Miller <jammer128@...il.com> wrote:
>
> I still think this is useless. What am I going to do with hashes? This
> whole Month of * BS is making me want to unsubscribe from the listing.
>
> On 6/15/07, Valdis.Kletnieks@...edu <Valdis.Kletnieks@...edu> wrote:
> > On Fri, 15 Jun 2007 16:59:01 -0300, "M.B.Jr." said:
> > > but only one string can produce that md5 hash signature,
> > > that sha1 hash signature, fucking that sha256 hash signature, fucking
> that
> > > <any_other> hash signature, etc...
> >
> > Nope.  There's an infinite number of strings that would produce the same
> > MD5/sha1/sha256/whatever hash.  The interesting point about such hashes
> is
> > that although given a particular string A, we can *easily* compute the
> hash H.
> > However, knowing H, we don't have a good way to recover A, nor do we
> have any
> > easy way to compute a *second* string B that hashes to H.
> >
> > So, given a hash H, we know one of 3 things is true:
> >
> > 1) The person we got H from has A, and easily computed H.
> > 2) The person doesn't have A, but does have either a way to use several
> million
> > CPU-years or a crypto breakthrough to compute some string B that also
> hashes to H
> > 3) The person just pulled a pseudo-random string of bits out of their
> ass,
> > called it H, and has as little clue about A and B as we do.
> >
> > At the current time, (2) is believed to be impractical, and (3) fails
> the
> > instant the person actually has to produce A itself.  As a result, we
> can
> > usually presume that if they have a hash H, they've got the A it hashed
> from.
> >
> > This becomes interesting if you want to prove that you have a prior
> claim on
> > something, without revealing the something (for instance, an advisory or
> PoC
> > for something while you're still working with a vendor about fixing it)
> - you
> > can (for instance) post the hash of it on May 1, release the
> announcement on
> > July 1, and when others dispute your claim you knew about it on May 1,
> you can
> > point to the hash from May 1, and show it's the same as the hash of your
> July 1
> > announcement, and thus prove you knew about it back on that date.
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
Marcio Barbado, Jr.
==============
==============

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ