lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 14 Apr 2014 14:46:55 +0100
From: Darren J Moffat <Darren.Moffat@...cle.COM>
CC: Bill Cox <>
Subject: Re: [PHC] Do we need a common password hashing API?

On 04/14/14 14:35, Bill Cox wrote:
> On Mon, Apr 14, 2014 at 4:09 AM, Alec Muffett <
> <>> wrote:
>     Hey Alexander!
>     Before throwing the baby out with the bathwater I would suggest
>     getting in touch with Casper and Darren who are still at that
>     company and might be able to give you some insight into the patent.
>     I left Sun in 2009 when Sun got bought out, but back then the plan
>     was to make it patented but not enforced, ie: to stop some bad guy
>     doing the same and blocking out the Internet community.
>     Evidence of this would include that the SHA512 process borrows some
>     ideas from SunMD5 ("rounds=N" in the cipher, etc) because Casper (if
>     I remember correctly?) participated in that process with RedHat.
>       I'll cc: them on this mail. I don't know whether if then reply
>     whether it would bounce?
>          - alec
> I read the patent.  Every claim depends on building a system that can
> support new hashing algorithms without changing source code, and instead
> only configuration files.  This is a great idea, but having to recompile
> to support new algorithms isn't all that bad.  For one thing, it allows
> us to use enumerated types in the interface for selection of the
> algorithm, while we'd have to use strings otherwise.

**** Note that this is not in any way legal advice nor an official 
statement from Oracle. ****

That was the intent of the patent because recompiling is a big deal for 
systems that are not open source - and even sometimes those that are. 
There was no intention to patent the SunMD5 password hash itself so I 
wouldn't expect any claims about it in the patent.

At the time this was developed for Solaris which was closed source, much 
much later an implementation of this became available under the CDDL as 
part of OpenSolaris.  You can find a copy of that implementation in the 
Illumos git hub source here:

**** Note that this is not in any way legal advice nor an official 
statement from Oracle. ****

Darren J Moffat

Powered by blists - more mailing lists