RE: [WEB SECURITY] Hashing and entropy
- From: "Lavery, Oliver" <oliver@xxxxxxxxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Hashing and entropy
- Date: Mon, 23 Jun 2008 18:23:31 -0500
---
If you count 10 "real" digits in the card number, this means that the
attacker should be able to compute less than 60 hashes per second.
---
How did you arrive at this number? I'm not doubting it, just very curious.
---
If your system is monitored and you have a good chance to detect an
intrusion and blacklist the cards in e.g. less than five days, then
the attacker will have to compute 20000 hashes/s
You can afford to use 1 ms of computing time to hash a CC number and
still be "secure" in this scenario.
----
Good point that. I'm not sure 5 days is enough, but a shorter timeframe than the life of the card is probably a more reasonable goal.
20000 hashes per second is nothing on modern hardware, although it depends on the algorithm, of course.
Cheers,
~ol
---
Oliver Lavery
Security Compass
http://www.securitycompass.com/
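An added worked example, not part of the thread and not code from either poster, that puts numbers on the exchange above: it reconstructs the two quoted rates from a 10-digit search space, times an unsalted SHA-256 against a PBKDF2 work factor on the local machine, and runs the exhaustive search an attacker would run against an unsalted digest of a well-known test PAN. Assumed here, and not stated in the thread: a 16-digit PAN whose last digit is a Luhn check digit, a card lifetime of about five years behind the 60 hashes/s figure, an attacker who already knows an 11-digit prefix in the demo search (kept that large only so the demo finishes in a second), and the constructed salt and iteration count.

```python
"""Brute-force cost model for hashed card numbers (added example, not from the thread).

Assumptions not made by the original posters:
  - A 16-digit PAN whose last digit is a Luhn check digit.
  - The attacker knows a fixed prefix and enumerates the remaining digits.
  - The post's "10 real digits" is used directly as the search-space exponent.
"""
import hashlib
import hmac
import time
from typing import Callable, Optional

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def luhn_sum(digits: str) -> int:
    """Luhn weighted digit sum, positions counted from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_sum(pan) % 10 == 0


def luhn_check_digit(body: str) -> str:
    """Digit that makes body + digit pass luhn_valid."""
    return str((10 - luhn_sum(body + "0") % 10) % 10)


def keyspace(real_digits: int) -> int:
    """Candidates the attacker must try: one per combination of 'real' digits."""
    return 10 ** real_digits


def required_rate(real_digits: int, window_seconds: float) -> float:
    """Hashes per second needed to exhaust the keyspace inside the detection window."""
    return keyspace(real_digits) / window_seconds


def exhaust_seconds(real_digits: int, seconds_per_hash: float) -> float:
    """Wall-clock time for a single-core attacker to try every candidate."""
    return keyspace(real_digits) * seconds_per_hash


def fast_hash(pan: str) -> bytes:
    """Unsalted SHA-256: cheap enough that the attacker's rate is bounded only by hardware."""
    return hashlib.sha256(pan.encode()).digest()


def slow_hash(pan: str, salt: bytes = b"constructed-salt", iterations: int = 2_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a tunable work factor (constructed salt; raise iterations
    until one call costs about the budget you can afford per lookup)."""
    return hashlib.pbkdf2_hmac("sha256", pan.encode(), salt, iterations)


def recover_pan(target: bytes, known_prefix: str, free_digits: int,
                hash_fn: Callable[[str], bytes]) -> Optional[str]:
    """Exhaustive search: fixed prefix, every combination of free digits, Luhn digit appended."""
    for n in range(10 ** free_digits):
        body = known_prefix + str(n).zfill(free_digits)
        candidate = body + luhn_check_digit(body)
        if hmac.compare_digest(hash_fn(candidate), target):
            return candidate
    return None


def seconds_per_hash(hash_fn: Callable[[str], bytes], samples: int = 200) -> float:
    """Average cost of one hash on this machine, measured over constructed inputs."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(str(4_000_000_000_000_000 + i))
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # The two rates quoted in the thread, reconstructed from a 10-digit search space.
    print(f"rate to finish within a ~5 year card life: {required_rate(10, 5 * SECONDS_PER_YEAR):.0f} hashes/s")
    print(f"rate to finish within 5 days:              {required_rate(10, 5 * SECONDS_PER_DAY):.0f} hashes/s")
    for name, fn in (("sha256", fast_hash), ("pbkdf2", slow_hash)):
        cost = seconds_per_hash(fn)
        days = exhaust_seconds(10, cost) / SECONDS_PER_DAY
        print(f"{name}: {cost * 1e3:.3f} ms/hash -> {days:.1f} days to exhaust 10^10 on one core")
    # Constructed victim: the well-known Visa test PAN, stored as an unsalted SHA-256 digest.
    victim = "4111111111111111"
    print("recovered:", recover_pan(fast_hash(victim), victim[:11], 4, fast_hash))
```

The measured cost per hash is single-core and single-machine; scale it by whatever parallelism the attacker has (GPUs, a few rented boxes) before deciding that a work factor makes a five-day window safe. A keyed hash (HMAC under a key held outside the database) sidesteps the keyspace arithmetic entirely, since without the key there is nothing to brute force, but it moves the problem to key custody.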
Brought to you by http://www.webappsec.org