Subject: RE: [wss] PasswordDigest in Username profile
Rich,

I don't understand your comment. Why would SHA-1( password + nonce + created ) be "harder for crackers" than SHA-1( nonce + created + password )? My understanding of the SHA algorithm is that ordering the input differently does not change the "one-way" aspect of the hash.

I do believe, however, that increasing the length of the data being hashed beyond 448 bits would double the amount of processing necessary to brute force the digest to recover the password; so, for example, using a password that was more than 12 characters would require a two block computation.

That said, there would be a reduction of labor if the (nonce + created) summed to 56 8-bit characters. The amount of labor required to "brute-force" calculate a two block hash would essentially be cut in half, eliminating one of the benefits of using a long password. The example given on page 10 of the profile does not have this property since the (nonce + created) has 44 characters.

-Eric

Eric Gravengaard
Secure XML Reactivity XML Firewall
617-256-0328 (mobile)
650-551-7891 (office)
eric@reactivity.com

-----Original Message-----
From: Rich Salz [mailto:rsalz@datapower.com]
Sent: Thursday, September 04, 2003 6:44 PM
To: wss@lists.oasis-open.org
Subject: [wss] PasswordDigest in Username profile

In order to make things harder for crackers, shouldn't the password be the *first* thing hashed, not the last?

/r$

--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html

To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup.php.
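An added example, not part of either message or of the profile: Python code for the block arithmetic this thread turns on, counting how many 64-byte SHA-1 blocks depend on the password under each of the two orderings. The nonce and created values are constructed, and the function names are this example's own.

```python
import hashlib

BLOCK = 64  # SHA-1 consumes its input in 512-bit (64-byte) blocks

# Constructed sample values (not from the profile): 24 + 20 = 44 characters,
# the same combined length the message cites for the profile's example.
NONCE = b"constructed-nonce-000000"
CREATED = b"2003-09-04T18:44:00Z"


def sha1_blocks(msg_len: int) -> int:
    """Compression-function calls needed for a msg_len-byte message.

    Padding always appends a 0x80 byte and an 8-byte length field, so a
    message fits in one block only while msg_len <= 55.
    """
    return (msg_len + 9 + BLOCK - 1) // BLOCK


def blocks_per_candidate(public_len: int, pw_len: int, password_first: bool) -> int:
    """Blocks that depend on the password and so differ per candidate.

    Whole blocks made only of public bytes ahead of the password yield the
    same intermediate state every time; that state can be computed once.
    """
    total = sha1_blocks(public_len + pw_len)
    fixed = 0 if password_first else public_len // BLOCK
    return total - fixed


def digest(password: bytes, password_first: bool = False) -> str:
    """Hex SHA-1 over the three fields in either ordering from the thread."""
    public = NONCE + CREATED
    data = password + public if password_first else public + password
    return hashlib.sha1(data).hexdigest()


def public_prefix_state_is_reusable(password: bytes) -> bool:
    """Show that hashing the public prefix once and resuming gives the
    same digest as hashing nonce + created + password from scratch."""
    state = hashlib.sha1(NONCE + CREATED)  # computed once
    resumed = state.copy()
    resumed.update(password)
    return resumed.hexdigest() == digest(password)


if __name__ == "__main__":
    for pw_len in (8, 11, 12, 20):
        print(pw_len, blocks_per_candidate(44, pw_len, False),
              blocks_per_candidate(44, pw_len, True))
```

In this model the two orderings cost the same for a 44-character public part; they diverge only once the public bytes ahead of the password fill a whole 64-byte block.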