[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <BY2PR03MB554FA8D99ABAF59026A5EF6A71C0@BY2PR03MB554.namprd03.prod.outlook.com>
Date: Fri, 6 Mar 2015 21:26:38 +0000
From: Marsh Ray <maray@...rosoft.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: RE: [PHC] PHC output specifics
From: Thomas Pornin [mailto:pornin@...et.org]
> To be unambiguous, one has to also specify the normalization. Unicode defines NFC, NFD, NFKC
> and NFKD. In general, NFC is what you get from existing user interfaces, so standardizing on
> NFC is probably the best idea. But that is debatable (and debated).
Yeah, Unicode greatly complicates secure string comparisons. I once printed out the algorithm for doing "case insensitive string comparison" correctly. It was literally like 40 pages of rules.
Since that experience, I've been a fan of the way RFC 2865 [RADIUS] handles password encoding issues, without getting too bogged down in the details of Unicode.
http://tools.ietf.org/html/rfc2865 :
Text contains UTF-8 encoded 10646 characters and
String contains 8-bit binary data. Servers and
servers and clients MUST be able to deal with embedded nulls.
...
It is recommended that
the message contain UTF-8 encoded 10646 [7] characters.
I figure any PHC recommendation would be at https://tools.ietf.org/html/rfc2119 'SHOULD' level.
Does anyone object to wording like this?
"For best interoperability of credentials, character data
SHOULD be a UTF-8 encoded sequence of ISO 10646 characters."
- Marsh
-----Original Message-----
From: Thomas Pornin [mailto:pornin@...et.org]
Sent: Thursday, March 5, 2015 5:40 PM
To: discussions@...sword-hashing.net
Subject: Re: [PHC] PHC output specifics
On Thu, Mar 05, 2015 at 06:33:22PM +0000, Gregory Maxwell wrote:
> But it should also be specified that UTF-8 is used.
UTF-8 is only part of it. For instance, a glyph like "é" (a common letter in French) admits two distinct representations in UTF-8:
C3 A9, and 65 CC 81. Neither is more correct than the other; but they will yield distinct hash values.
To be unambiguous, one has to also specify the normalization. Unicode defines NFC, NFD, NFKC and NFKD. In general, NFC is what you get from existing user interfaces, so standardizing on NFC is probably the best idea. But that is debatable (and debated).
See:
http://unicode.org/reports/tr15/
http://unicode.org/faq/normalization.html
http://www.win.tue.nl/~aeb/linux/uc/nfc_vs_nfd.html
--Thomas Pornin
Powered by blists - more mailing lists