Originally published at: https://boingboing.net/2017/12/08/explainer-video-shows-how-secu.html
…
That doesn’t matter. Just pass a law that it has to have a back door. How many Sagans is that worth?
Except you don’t need the source text, just a source text which happens to result in the same hash.
Does sha256 have clash issues? I think sha1 had.
All hashes have clashes.
An even easier way to imagine the magnitude of 2256 is this:
Think of a daisy.
Now think of 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,
639,936 of them.
THAT’S how big that is.
Hashing is neat. It has lots of useful properties. I love it. It seems magical.
Unfortunately, magic assumptions lead to bad outcomes. For years the industry has assumed that magic hashes will protect us from the bad man. This has led us to several widespread security failures. For example:
- We assumed that the magic of hashing would turn insecure passwords into secure hashes. This assumption caused people to fail to protect password hashes. The reality is, hashing is a transformation. If you feed insecure info in, you get insecure info out. If you expose your password hashes, and the passwords can be guessed, then the hashes can be cracked. This attack is called: “Rainbow Tables”. Salting the password hashes is another transformation. If you expose your password hashes AND your salt, your hashes are still only slightly more secure than the original passwords.
- We assumed that the magic of hashing would bless and purify an authentication token and protect it from being counterfeit. This assumption caused people to build security systems based on hashes. The reality is, a hash is a number. It can be copied like any other number. It is as easy to copy a hashed security token as it is to copy any other number. This attack is called “Pass-The-Hash”.
I’d like to think that the industry has moved beyond these mistakes, but these attack techniques still succeed more than 90% of the time.
I think hashes are magic. I love all the wondrous algorithms that use hashing to achieve magical results. I love that the password hashes in my Linux box are SHA512 with huge salt. But, I protect my password hashes with the same diligence that I protect my passwords.
You’re right. There have to be collisions. Which means you wouldn’t know for sure if you’ve used the right source text.
Thank you for this informative post. I too find something “magical” about hashing. Something else that seems magic? Prime factorization in polynomial time using quantum computing. Things are going to go upside down really fast if this sort of thing can be applied to hashes. Not something I know a lot about though, just wondering what others’ thoughts are
I mean, people have already anticipated that day eventually coming, there’s quantum-proof encryption just not currently in use since it seems like no attacker is likely to have a 256-bit quantum computer. Even once they do, you can just start using keys longer than 256 bits and suddenly their quantum computer can’t run grover’s algorithm on the problem.
Except that ‘I acknowledge that you are a genius’ is probably a more likely candidate than is ‘T gyrql 98 jilly poop s67re’. Unless of course you’re from G’Oth, and speak Wibble.
The text confuses ‘character’ with ‘hex digit’.
Also assumes perfect hashing algorithms.
This topic was automatically closed after 5 days. New replies are no longer allowed.