Re: Encrypted column

From: "Marko Kreen" <markokr(at)gmail(dot)com>
To: "Brian Mathis" <brian(dot)mathis(at)gmail(dot)com>
Cc: "Tino Wildenhain" <tino(at)wildenhain(dot)de>, "Ranieri Mazili" <ranieri(dot)oliveira(at)terra(dot)com(dot)br>, pgsql-general(at)postgresql(dot)org, pgsql-sql(at)postgresql(dot)org
Subject: Re: Encrypted column
Date: 2007-06-05 16:35:29
Message-ID: e51f66da0706050935u38a08566v57f1005b724315dd@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general pgsql-sql

On 6/5/07, Brian Mathis <brian(dot)mathis(at)gmail(dot)com> wrote:
> pgcrypto also supports md5, so I'm not sure what you're referring to
> here.

digest(psw, 'md5') vs. crypt(psw, gen_salt('md5'))

> As I already mentioned, *salting* before you hash is a very
> important step. I'm not sure if you saw that in my post. Without a
> salt, it's trivial to generate a list of all combinations of md5'd
> strings and their results, up to reasonable lengths. Then it would be
> very simple to look up each hash and get the original text. With a
> salt, you need to generate all possible md5s for all possible salts --
> a much harder task.

I dont think its practical method tho'. Rather, when doing
dictionary-based or bruteforce attack, then if hashes do not
have salts you attack them all at once.

But if they have salts then for each word you try you need to
hash it for each salt. Which basically gives the effect that
each hash needs to be attacked separately.

In case of attacking one hash the salt does not matter,
only the algorithm counts then. In that case as i said,
event salted md5 is weaker than des-crypt.

--
marko

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Marco Colombo 2007-06-05 16:39:52 Re: PITR Base Backup on an idle 8.1 server
Previous Message veejar 2007-06-05 16:33:58 Join field values

Browse pgsql-sql by date

  From Date Subject
Next Message Gerardo Herzig 2007-06-05 18:01:26 Re: current_date / datetime stuff
Previous Message Tino Wildenhain 2007-06-05 16:16:09 Re: Encrypted column