Comments on: Don’t Hash Your Secrets, Here’s why in Python http://www.huyng.com/archives/dont-hash-your-secrets-heres-why-in-python/512/ Mon, 16 Aug 2010 10:05:24 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Steve http://www.huyng.com/archives/dont-hash-your-secrets-heres-why-in-python/512/comment-page-1/#comment-2465 Steve Mon, 15 Mar 2010 05:04:13 +0000 http://www.huyng.com/?p=512#comment-2465 add a timestamp and a salt to the hash to avoid this problem add a timestamp and a salt to the hash to avoid this problem

]]> By: Jim Hill http://www.huyng.com/archives/dont-hash-your-secrets-heres-why-in-python/512/comment-page-1/#comment-2458 Jim Hill Sat, 13 Mar 2010 08:09:54 +0000 http://www.huyng.com/?p=512#comment-2458 A message's hash code is a summary signature, not an authoritative signature. It's a summary signature in that it unquestionably goes with that message and all-but-unquestionably goes with only that message, presuming only that the message makes any kind of sense at all. It isn't any kind of authoritative signature in that it adds no meaning at all. Authoritative signatures do add information: they (often implicitly) mean whatever the signer intends them to mean, e.g. binding the signer to an agreement or promise or authorization, or attesting to a set of facts. A message’s hash code is a summary signature, not an authoritative signature.

It’s a summary signature in that it unquestionably goes with that message and all-but-unquestionably goes with only that message, presuming only that the message makes any kind of sense at all.

It isn’t any kind of authoritative signature in that it adds no meaning at all. Authoritative signatures do add information: they (often implicitly) mean whatever the signer intends them to mean, e.g. binding the signer to an agreement or promise or authorization, or attesting to a set of facts.

]]> By: Huy http://www.huyng.com/archives/dont-hash-your-secrets-heres-why-in-python/512/comment-page-1/#comment-2228 Huy Wed, 03 Feb 2010 16:07:08 +0000 http://www.huyng.com/?p=512#comment-2228 Hey Pedro, You're right, you <em>do</em> need to know the length of the original string. Often times this attack is seen in online companies that sign their API calls with : md5(secret + message). Well, the "secret" is often uniform in length and can usually be deduced from the online documentation. The "message" is usually sent in clear text over http. Having both of these, the original_len = secret_len + message_len. Also, great point about the brute force, that would work as well! Hey Pedro,

You’re right, you do need to know the length of the original string. Often times this attack is seen in online companies that sign their API calls with : md5(secret + message). Well, the “secret” is often uniform in length and can usually be deduced from the online documentation. The “message” is usually sent in clear text over http. Having both of these, the original_len = secret_len + message_len.

Also, great point about the brute force, that would work as well!

]]> By: Pedro Assuncao http://www.huyng.com/archives/dont-hash-your-secrets-heres-why-in-python/512/comment-page-1/#comment-2226 Pedro Assuncao Wed, 03 Feb 2010 07:36:07 +0000 http://www.huyng.com/?p=512#comment-2226 You assume to know the size of the original message, right? Ok, never mind, i just realized you can basically run it in a brute force manner to eventually get the original message. Good stuff :) You assume to know the size of the original message, right? Ok, never mind, i just realized you can basically run it in a brute force manner to eventually get the original message.

Good stuff :)

]]> By: 29a http://www.huyng.com/archives/dont-hash-your-secrets-heres-why-in-python/512/comment-page-1/#comment-2220 29a Tue, 02 Feb 2010 13:08:06 +0000 http://www.huyng.com/?p=512#comment-2220 Cool. I didn't think of that one. Another good reason to use well known method (hmac in that case) instead of rolling your own. Cool. I didn’t think of that one. Another good reason to use well known method (hmac in that case) instead of rolling your own.

]]>