
Subject: RE: [wss] PasswordDigest in Username profile


I see your point. If the n/c comprised 8 32-bit words, then you would have a 10% reduction in labor. Does anyone know how long the NIST believes it would take to brute-force a hash on a single 512 block?


-----Original Message-----
From: Rich Salz [mailto:rsalz@datapower.com]
Sent: Friday, September 05, 2003 10:50 AM
To: Eric Gravengaard
Cc: [wss oasis] (E-mail)
Subject: Re: [wss] PasswordDigest in Username profile

> I don't understand your comment. Why would SHA-1( password + nonce + created ) be
> "harder for crackers" than SHA-1( nonce + created + password )?

If I were doing a brute-force attack, I'd have to do the whole SHA1 
operation for p/n/c for each guess.  If the format is n/c/p, then I can 
compute n/c, save the digest state, and then only "restart" the hash 
with each password guess.

Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html
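
The following is an added example, not code from either poster or from the WSS profile, that puts numbers on the argument above: SHA-1 consumes the padded message in 64-byte blocks, so when the secret comes last the only work that can be computed once and reused is the compression of the prefix's complete blocks. It assumes the UsernameToken construction SHA-1(nonce + created + password) under discussion; the nonce, created and password values are constructed.

```python
"""Added example: how much SHA-1 work a fixed prefix can save when the
secret is appended last, counted in 64-byte compression calls.
Assumes the WSS UsernameToken construction SHA-1(nonce + created + password);
all sample values below are constructed."""
import hashlib

SHA1_BLOCK = 64  # SHA-1 compresses the padded message in 512-bit blocks


def compressions(msg_len: int) -> int:
    """Compression calls needed for a message of msg_len bytes.
    Padding appends one 0x80 byte and an 8-byte length field, then
    rounds up to a whole block (a message of up to 55 bytes is one block)."""
    return (msg_len + 9 + SHA1_BLOCK - 1) // SHA1_BLOCK


def cacheable_blocks(prefix_len: int) -> int:
    """Only the prefix's complete 64-byte blocks are compressed before the
    suffix arrives, so only those can be computed once and saved as state."""
    return prefix_len // SHA1_BLOCK


def work_per_guess(prefix_len: int, secret_len: int, secret_last: bool) -> int:
    """Compression calls that must be redone for each new secret value.
    Secret first (p/n/c): every block depends on it, nothing is reusable.
    Secret last (n/c/p): the prefix's complete blocks are reusable."""
    total = compressions(prefix_len + secret_len)
    return total - cacheable_blocks(prefix_len) if secret_last else total


def full_digest(msg: bytes) -> bytes:
    """Reference: hash the whole message in one go."""
    return hashlib.sha1(msg).digest()


def digest_via_saved_state(prefix: bytes, suffix: bytes) -> bytes:
    """The state reuse Rich describes: absorb the prefix once, copy the
    hash object, and finish each copy with a different suffix.
    The result is identical to full_digest(prefix + suffix)."""
    saved = hashlib.sha1(prefix)
    h = saved.copy()
    h.update(suffix)
    return h.digest()


def demo() -> dict:
    """Compare both orderings for a realistic-size n/c prefix (under one
    block) and for a long prefix (two complete blocks). Constructed values."""
    nonce = b"constructed-nonce-value!"   # 24 bytes
    created = b"2003-09-05T10:50:00Z"     # 20 bytes
    password = b"hunter22"                # 8 bytes, constructed
    short_prefix = nonce + created        # 44 bytes: fits inside one block
    long_prefix = nonce * 5 + b"........"  # 128 bytes: exactly two blocks
    return {
        "short_secret_last": work_per_guess(len(short_prefix), len(password), True),
        "short_secret_first": work_per_guess(len(short_prefix), len(password), False),
        "long_secret_last": work_per_guess(len(long_prefix), len(password), True),
        "long_secret_first": work_per_guess(len(long_prefix), len(password), False),
        "state_reuse_matches": digest_via_saved_state(short_prefix, password)
        == full_digest(short_prefix + password),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The interesting case is the first one: with a nonce and timestamp that together stay under 64 bytes, the whole token fits in a single block, so the saved-state trick buys nothing and the two orderings cost the same per guess. The ordering only matters once nonce + created crosses a block boundary, and the saving is then whole blocks, not a percentage of the prefix length.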
