OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [wss] PasswordDigest in Username profile


I don't understand your comment. Why would SHA-1( password + nonce + created ) be "harder for crackers" than SHA-1( nonce + created + password )? My understanding of the SHA algorithm is that ordering the input differently does not change the "one-way" aspect of the hash.

I do believe, however, that increasing the length of the data being hashed beyond 448 bits would double the amount of processing necessary to brute force the digest to recover the password; so for example using a password that was more than 12 characters would require a two block computation. That said there would be a reduction of labor if the (nonce + created) summed to 56 8-bit characters. The amount of labor required to "brute-force" calculate a two block hash would essentially be cut in half eliminating one of the benefits of using a long password. The example given on page 10 of the profile does not have this property since the (nonce + created) has 44 characters.


Eric Gravengaard
Secure XML
Reactivity XML Firewall
617-256-0328 (mobile)
650-551-7891 (office)

-----Original Message-----
From: Rich Salz [mailto:rsalz@datapower.com]
Sent: Thursday, September 04, 2003 6:44 PM
To: wss@lists.oasis-open.org
Subject: [wss] PasswordDigest in Username profile

In order to make things harder for crackers, shouldn't the password be the
*first* thing hashed, not the last?

Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html

To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup.php.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]