| From: | Neil Saunders <n(dot)j(dot)saunders(at)gmail(dot)com> |
|---|---|
| To: | "Mark R(dot) Dingee" <mark(dot)dingee(at)cox(dot)net> |
| Cc: | pgsql-sql(at)postgresql(dot)org, mario(dot)splivalo(at)mobart(dot)hr |
| Subject: | Re: PGSQL encryption functions |
| Date: | 2005-11-02 14:04:05 |
| Message-ID: | ddcd549e0511020604g32d6556fo7864f03f2373578e@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-sql |
OK, you're not really "breaking" md5. If the attacker already knows
the information being encrypted, then all you're testing is the
concatenation order- Surely the information is more important than the
order? md5 is a one way hash function, and so using an alternate
algorithm will provide no benefit whatsoever; you're just running
through 9 permutations.
Kind Regards,
Neil.
On 11/2/05, Mark R. Dingee <mark(dot)dingee(at)cox(dot)net> wrote:
> Mike & Tom,
>
> The script I'm using to "break" md5 presumes that the cracker knows the 3
> elements being concatenated together to form the plain-text sting which is
> then passed into md5. The method I'm using then begins running through
> various permutations. Do you believe that the methodology is appropriate or
> that I'm being a bit paranoid?
>
> Thanks
>
> On Tuesday 01 November 2005 05:13 pm, Tom Lane wrote:
> > "Mark R. Dingee" <mark(dot)dingee(at)cox(dot)net> writes:
> > > md5 works, but I've been able to
> > > brute-force crack it very quickly,
> >
> > Really? Where's your publication of this remarkable breakthrough?
> >
> > regards, tom lane
> >
> > ---------------------------(end of broadcast)---------------------------
> > TIP 1: if posting/reading through Usenet, please send an appropriate
> > subscribe-nomail command to majordomo(at)postgresql(dot)org so that your
> > message can get through to the mailing list cleanly
>
> On Wednesday 02 November 2005 04:26 am, Mario Splivalo wrote:
> > On Tue, 2005-11-01 at 17:13 -0500, Tom Lane wrote:
> > > "Mark R. Dingee" <mark(dot)dingee(at)cox(dot)net> writes:
> > > > md5 works, but I've been able to
> > > > brute-force crack it very quickly,
> > >
> > > Really? Where's your publication of this remarkable breakthrough?
> >
> > I'd say you can't bruteforce md5, unless you're extremley lucky.
> > However, md5 is easily broken, you just need to know how to construct
> > the hashes.
> >
> > One could switch to SHA for 'increaased' security.
> >
> > Although I don't think he'd be having problems using MD5 as he described
> > it. I'd also lilke to see he's example of brute-force 'cracking' the MD5
> > digest.
> >
> > Mike
>
> ---------------------------(end of broadcast)---------------------------
> TIP 1: if posting/reading through Usenet, please send an appropriate
> subscribe-nomail command to majordomo(at)postgresql(dot)org so that your
> message can get through to the mailing list cleanly
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Moritz Bayer | 2005-11-02 14:23:18 | Re: function, that uses different table(names) |
| Previous Message | A. Kretschmer | 2005-11-02 13:56:05 | Re: function, that uses different table(names) |