Message-ID: <20140307232257.GA27029@openwall.com>
Date: Sat, 8 Mar 2014 03:22:57 +0400
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Are password trailing 0's a problem?
On Fri, Mar 07, 2014 at 05:21:06PM -0500, Bill Cox wrote:
> On Fri, Mar 7, 2014 at 11:49 AM, CodesInChaos <codesinchaos@...il.com> wrote:
> > As an example with nice printable characters in both passwords:
> >
> > `plnlrtfpijpuhqylxbgqiiyipieyxvfsavzgxbbcfusqkozwpngsyejqlmjsytrmd`
> > and `eBkXQTfuBqp'cTcar&g*` have the same PBKDF2-HMAC-SHA1 hash (no
> > matter the salt or the number of iterations).
> >
> > I found those with a CPU and unoptimized code. One of our GPU hashing
> > friends could easily find a similar pair for PBKDF2-HMAC-SHA-256.
>
> Sweet. I assume the only difficulty is finding a printable character
> hash, which is something like 70 out of 256 values, so the printable
> hashes for HMAC-SHA256 would be 1 in (70/256)^32. We'd have to search
> about 1e18 to find one, so a billion billion... definitely time for a
> GPU farm.

There are 95 printable 7-bit ASCII characters, not 70. The attached
trivial program may do the trick in a couple of weeks on a fast server.

I've already found such "collisions" for 8-bit printable ASCII, and made
sure they do indeed work for scrypt as a whole as well (confirmed).

Alexander
View attachment "sha256print.c" of type "text/x-c" (1526 bytes)
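
The pair quoted in the thread can be checked with the following added example, which is not part of the original message or of the attached sha256print.c. It reproduces HMAC's key preparation from RFC 2104 (an over-long key is replaced by its digest, a short key is zero-padded to the block size), which also covers the trailing-zero case named in the subject line; the salts, iteration counts and function names are constructed for the demonstration.

```python
import hashlib

# Both passwords are the ones quoted in the thread above.
LONG_PW = b"plnlrtfpijpuhqylxbgqiiyipieyxvfsavzgxbbcfusqkozwpngsyejqlmjsytrmd"
SHORT_PW = b"eBkXQTfuBqp'cTcar&g*"


def padded_hmac_key(password: bytes, hash_name: str) -> bytes:
    """Key block HMAC derives from a password (RFC 2104 key preparation)."""
    h = hashlib.new(hash_name)
    key = password
    if len(key) > h.block_size:
        # Keys longer than one hash block are replaced by their digest.
        h.update(key)
        key = h.digest()
    # Shorter keys are right-padded with zero bytes to the block size.
    return key.ljust(h.block_size, b"\x00")


def aliased(pw_a: bytes, pw_b: bytes, hash_name: str) -> bool:
    """True when HMAC sees the same key block for both passwords."""
    return padded_hmac_key(pw_a, hash_name) == padded_hmac_key(pw_b, hash_name)


def same_pbkdf2(pw_a: bytes, pw_b: bytes, hash_name: str,
                salt: bytes, iterations: int) -> bool:
    """Compare the PBKDF2-HMAC outputs of two passwords directly."""
    a = hashlib.pbkdf2_hmac(hash_name, pw_a, salt, iterations)
    b = hashlib.pbkdf2_hmac(hash_name, pw_b, salt, iterations)
    return a == b


if __name__ == "__main__":
    # Constructed salts and iteration counts, chosen only for this demo.
    for salt, iters in [(b"salt-one", 1), (b"another salt", 1000)]:
        print("sha1  ", salt, iters,
              same_pbkdf2(LONG_PW, SHORT_PW, "sha1", salt, iters))
        print("sha256", salt, iters,
              same_pbkdf2(LONG_PW, SHORT_PW, "sha256", salt, iters))
    # Trailing zero bytes vanish into HMAC's zero padding.
    print("trailing NUL aliases:", aliased(b"abc", b"abc\x00", "sha256"))
```

The pair collides only under SHA-1, because the short password is the SHA-1 digest of the long one; under SHA-256 the same two strings produce different key blocks.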