
Re: [WEB SECURITY] Hashing and entropy



Oliver Lavery wrote:

<snip>
The parameters of the problem as I see it are:

1) credit card numbers have roughly 10**16 distinct values, well below 2**128 (MD5) much less 2**160 (SHA1)


I would point out that the practical range may be narrowed by an attacker. IIRC, all Visa card numbers start with a 4, and all MasterCard ones start with a 5. These two cases account for a huge proportion of all CC numbers. In either of these cases, the range is 10**15 * 2, which is notably smaller. I agree with the rest of your conclusions. I am not specifically aware of prior publications dealing with this issue. As Martin suggests, this may be a better choice for reversible encryption with large keys derived from a sufficiently random entropy pool, so that the data itself need not provide the entropy.


-Nathanael
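The brute-force argument above can be checked in code. The following is an added example, not code from Oliver's or Nathanael's posts: it enumerates the candidate card numbers an attacker would hash given a known leading digit (or longer known prefix), using the Luhn check digit to discard nine of every ten candidates (a point not raised in the thread but standard for payment card numbers), and shows that a keyed construction stops the same enumeration because the secret key, not the card number, now supplies the entropy. Assumptions: the 16-digit test number 4111111111111111 is a constructed input; the attacker's known prefix length (10 digits in the demo) is chosen only to keep the run short, and `search_space()` reports the cost for the 1-digit prefix case the post discusses; HMAC-SHA256 from the standard library stands in for the keyed construction, which is not the reversible encryption Martin proposed but makes the same entropy point.

```python
import hashlib
import hmac
import itertools
import secrets

PAN_LEN = 16  # length of the card numbers enumerated below


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(body: str) -> str:
    """Return the check digit that makes body + digit Luhn-valid."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def search_space(known_prefix_len: int, luhn: bool = True) -> int:
    """Number of candidates an attacker must hash for a given known prefix length."""
    n = 10 ** (PAN_LEN - known_prefix_len)
    return n // 10 if luhn else n  # the Luhn digit is determined by the rest


def candidates(prefix: str):
    """Yield every Luhn-valid PAN_LEN-digit number starting with prefix."""
    unknown = PAN_LEN - len(prefix) - 1  # last digit is the check digit
    for digits in itertools.product("0123456789", repeat=unknown):
        body = prefix + "".join(digits)
        yield body + luhn_check_digit(body)


def md5_digest(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def hmac_digest(key: bytes):
    """Keyed alternative: the attacker must also guess the 256-bit key."""
    return lambda data: hmac.new(key, data, hashlib.sha256).digest()


def recover_pan(digest: bytes, prefix: str, hash_fn):
    """Dictionary attack: hash each candidate until one matches the stored digest."""
    for pan in candidates(prefix):
        if hash_fn(pan.encode()) == digest:
            return pan
    return None


def run_demo():
    pan = "4111111111111111"  # constructed test number (Luhn-valid)
    prefix = pan[:10]         # assumed known to the attacker; shortens the demo run
    # Unkeyed hash: the card number is the only secret, so enumeration recovers it.
    plain = recover_pan(md5_digest(pan.encode()), prefix, md5_digest)
    # Keyed hash: the attacker enumerates the same candidates with a guessed key and fails.
    server_key = secrets.token_bytes(32)
    stored = hmac_digest(server_key)(pan.encode())
    keyed = recover_pan(stored, prefix, hmac_digest(secrets.token_bytes(32)))
    return plain, keyed


if __name__ == "__main__":
    print("candidates, Visa prefix '4', Luhn applied:", search_space(1))
    print("candidates, Visa prefix '4', no Luhn:     ", search_space(1, luhn=False))
    recovered, keyed = run_demo()
    print("unkeyed MD5 recovered:", recovered)
    print("keyed HMAC recovered: ", keyed)
```

`search_space(1)` is 10**14 per issuer prefix, which is within reach of commodity hardware for MD5, and the demo recovers the number outright once a longer prefix is known. The keyed variant fails for the same enumeration because every candidate now has to be tried against the key space as well; whether the keyed primitive is a MAC or a cipher does not change that part of the argument, though only encryption gives the reversibility the thread is after.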


---------------------------------------------------------------------------- Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
