WebApp Sec: Re: Securing encrypted data in RAM vs MSSQL

Re: Securing encrypted data in RAM vs MSSQL

From: Ivan Krstic <krstic_at_fas.harvard.edu>
Date: Fri, 02 Jul 2004 15:45:59 +0100

Bénoni MARTIN wrote:
> Humm...in my crypto courses, I learnt that encrypting several times a
> password does not enhance the security level of it. Is it the same
> for a hash? I don't know...Someone has a clue? And I think that
> hashing 50 times a password would slow down the hacker...but us as
> well! :)

Because of the inherent weaknesses of non-perfect hash functions
(partial message collisions and length extensions) you are well advised
to never use a hash function once. Instead, using h_dbl(m) := h(h(m)||m)
where h(m) is the hash function with plaintext m is a better option as
it is believed it solves both of the weaknesses.

Of course, this precludes you from being able to hash a datastream on
the fly, so if that's important, you have to find a better way to
protect yourself.

Cheers,
Ivan.
Received on Jul 02 2004
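The h_dbl(m) := h(h(m)||m) construction from the message above, as an added example that is not part of the original post or Ivan's own code. It assumes SHA-256 as the stand-in for h, uses a constructed sample message, and the two-pass variant makes visible why the construction cannot be applied to a datastream on the fly: the whole message has to be fed a second time after the inner digest is known.

```python
import hashlib

CHUNK = 4  # constructed: a tiny chunk size so the two-pass behaviour is visible


def h(data: bytes) -> bytes:
    """Plain SHA-256, standing in for the h() in the post (assumption)."""
    return hashlib.sha256(data).digest()


def h_dbl(m: bytes) -> bytes:
    """h_dbl(m) := h(h(m) || m) exactly as written in the post, in one shot."""
    return h(h(m) + m)


def h_dbl_two_pass(chunks) -> bytes:
    """Same value as h_dbl, computed over a chunked message.

    Pass 1 streams the inner hash h(m).  Pass 2 must start the outer hash
    with h(m) and then replay every chunk of m, so the caller has to retain
    (or re-read) the entire message before any output is possible.  That is
    the streaming limitation the post points out.
    """
    chunks = list(chunks)            # the whole message must be kept for pass 2
    inner = hashlib.sha256()
    for c in chunks:                 # pass 1: h(m)
        inner.update(c)
    outer = hashlib.sha256(inner.digest())  # outer hash seeded with h(m)
    for c in chunks:                 # pass 2: || m
        outer.update(c)
    return outer.digest()


def chunked(m: bytes, size: int = CHUNK):
    """Split a message into fixed-size pieces, as a stream reader would."""
    for i in range(0, len(m), size):
        yield m[i:i + size]


if __name__ == "__main__":
    msg = b"constructed sample message"
    print(h_dbl(msg).hex())
    assert h_dbl(msg) == h_dbl_two_pass(chunked(msg))
```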
