Subject: RE: [wss] PasswordDigest in Username profile
Rich,

I see your point. If the n/c comprised 8 32-bit words, then you would have a 10% reduction in labor. Does anyone know how long the NIST believes it would take to brute-force a hash on a single 512 block?

-Eric

-----Original Message-----
From: Rich Salz [mailto:rsalz@datapower.com]
Sent: Friday, September 05, 2003 10:50 AM
To: Eric Gravengaard
Cc: [wss oasis] (E-mail)
Subject: Re: [wss] PasswordDigest in Username profile

> I don't understand your comment. Why would SHA-1( password + nonce + created ) be
> "harder for crackers" than SHA-1( nonce + created + password )?

If I were doing a brute-force attack, I'd have to do the whole SHA1 operation for p/n/c for each guess. If the format is n/c/p, then I can compute n/c, save the digest state, and then only "restart" the hash with each password guess.

/r$

--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
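
The saved-digest-state point from the thread, as an added example that is not part of the original messages: it counts the SHA-1 compression calls left per password guess for each ordering and confirms that a copied hash state resumes to the same digest. The function names and the nonce, timestamp and password values are constructed for illustration.

```python
import hashlib

BLOCK = 64  # SHA-1 consumes input in 64-byte (512-bit) blocks


def sha1_blocks(msg_len: int) -> int:
    """Compression calls to hash msg_len bytes (padding adds 1 + 8 bytes)."""
    return (msg_len + 9 + BLOCK - 1) // BLOCK


def per_guess_blocks(fixed_prefix_len: int, total_len: int) -> int:
    """Blocks recomputed for every guess when a fixed prefix is hashed once.

    Only whole blocks of the fixed prefix can be cached; a partial block is
    just buffered and gets compressed again together with each guess.
    """
    return sha1_blocks(total_len) - fixed_prefix_len // BLOCK


def digest_from_saved_state(prefix: bytes, suffix: bytes) -> bytes:
    """Hash the prefix once, then resume from a copy of that state."""
    state = hashlib.sha1(prefix)
    resumed = state.copy()  # the original state stays reusable
    resumed.update(suffix)
    return resumed.digest()


def compare(nonce: bytes, created: bytes, password: bytes) -> dict:
    """Per-guess block counts for both orderings discussed in the thread."""
    nc = nonce + created
    total = len(nc) + len(password)
    return {
        "full": sha1_blocks(total),
        "p/n/c": per_guess_blocks(0, total),  # guess is first: nothing to cache
        "n/c/p": per_guess_blocks(len(nc), total),
    }


# Constructed sample values, not taken from the thread.
CREATED = b"2003-09-05T10:50:00Z"  # 20 bytes
SHORT_NONCE = bytes(range(16))     # n/c = 36 bytes, less than one block
LONG_NONCE = bytes(range(108))     # n/c = 128 bytes, two whole blocks
PASSWORD = b"correct horse"        # 13 bytes

if __name__ == "__main__":
    for label, nonce in (("short n/c", SHORT_NONCE), ("long n/c", LONG_NONCE)):
        print(label, compare(nonce, CREATED, PASSWORD))
```

With the short nonce both orderings cost one block per guess, so the ordering only matters once n/c fills at least one whole 64-byte block.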