Re: [WEB SECURITY] Hashing and entropy
- From: Amit Klein <aksecurity@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Hashing and entropy
- Date: Fri, 20 Jun 2008 21:34:12 +0200
Nathanael Hoyle wrote:
> Oliver Lavery wrote:
> <snip>
>> The parameters of the problem as I see it are:
>> 1) credit card numbers have roughly 10**16 distinct values, well
>> below 2**128 (MD5) much less 2**160 (SHA1)
> I would point out that the practical range may be narrowed by an
> attacker. IIRC, all Visa card numbers start with a 4, and all
> MasterCard ones start with a 5. These two cases account for a huge
> proportion of all CC numbers. In either of these cases, the range is
> 10**15 * 2, which is notably smaller.
It's much worse - check out http://en.wikipedia.org/wiki/Credit_card_numbers
-Amit
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org