
Re: [WEB SECURITY] Hashing and entropy



On Fri, Jun 20, 2008 at 4:30 AM, Oliver Lavery
<oliver@xxxxxxxxxxxxxxxxxxx> wrote:

> 2) to be secured for the duration of their expiry, the hash of the CC number
> shouldn't be breakable for ~5 years

If you count 10 "real" digits in the card number, this means that the
attacker should be able to compute less than 60 hashes per second.
Considering that he may have a cluster, or some gizmo like a GPU, and
that he does not need to break any hash for sure but just be lucky,
you'll have to take a security margin, e.g. no more than 1 hash per
second.
I'm afraid this will seriously impair the performance of your
legitimate application.

Said in another way, the CC numbers are too short (or too predictable)
to be easily protected during such a long time.

If your system is monitored and you have a good chance to detect an
intrusion and blacklist the cards in e.g. less than five days, then
the attacker will have to compute 20000 hashes/s.
You can afford to use 1 ms of computing time to hash a CC number and
still be "secure" in this scenario.

My $0.02
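
The arithmetic behind the two scenarios above (10 "real" digits brute-forced within a 5-year expiry versus a 5-day detection window), as an added example that is not part of the original message or thread. It also calibrates a tunable-cost hash to the resulting per-hash time budget; `calibrate_pbkdf2`, the `margin` parameter and the `4111111111111111` sample value are assumptions of this example, not something the poster proposed.

```python
import hashlib
import os
import time

SECONDS_PER_DAY = 86400


def attacker_rate(real_digits: int, window_days: float) -> float:
    """Hashes per second an attacker must sustain to enumerate every
    candidate (10**real_digits of them) before the window closes."""
    return 10 ** real_digits / (window_days * SECONDS_PER_DAY)


def time_budget_per_hash(real_digits: int, window_days: float,
                         margin: float = 1.0) -> float:
    """Seconds one hash must cost so that exhausting the space takes at
    least `window_days`, with `margin` covering clusters, GPUs and an
    attacker who only needs to get lucky (margin=60 turns the ~63 h/s of
    the 5-year case into the ~1 h/s the message suggests)."""
    return margin / attacker_rate(real_digits, window_days)


def calibrate_pbkdf2(target_seconds: float, start: int = 1000) -> int:
    """Double the PBKDF2-HMAC-SHA256 iteration count until a single hash
    on this machine costs at least target_seconds (hypothetical helper;
    the result is machine-dependent by design)."""
    salt = os.urandom(16)
    sample = b"4111111111111111"  # constructed sample value, not a real card
    iterations = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", sample, salt, iterations)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2


if __name__ == "__main__":
    # 5-year expiry: ~63 hashes/s exhaustive, i.e. ~16 ms per hash before margin
    print(attacker_rate(10, 5 * 365), time_budget_per_hash(10, 5 * 365))
    # 5-day detection window: ~23000 hashes/s, ~43 us per hash before margin;
    # the ~1 ms the message allows corresponds to a margin of roughly 20
    print(attacker_rate(10, 5), time_budget_per_hash(10, 5, margin=20))
    print(calibrate_pbkdf2(time_budget_per_hash(10, 5, margin=20)))
```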
