| Subject | Re: [Firebird-general] Security paranoia |
|---|---|
| Author | Dimitry Sibiryakov |
| Post date | 2014-02-07T15:05:09Z |
07.02.2014 15:46, Lester Caine wrote:
At second, calculation of a block hash (to which used by Firebird SHA-1 belongs to)
does not depend on data length as long as whole data fit in one block.
At third, to measure time of this operation it should be performed on a real-time OS,
which Windows isn't.
So, if your "security expert" manage to success in time-based attack, I would like to
see it.
-- WBR, SD.
> The particular 'problem' PHP is trying to fix is one where the time it takes toAt first, "decoding a hash" is impossible. That's a basic thing for all crypto hashes.
> decode a hash can give you enough information to identify the password letter by
> letter. SO the fix is to ensure that it takes either a random time, or the same
> time which ever letter is being handled. At least I THINK that is what is being
> discussed;) I think that with Firebird it's probably the HASH() performance
> that matters? but I'm not sure about hacking the database passwords ...
At second, calculation of a block hash (to which used by Firebird SHA-1 belongs to)
does not depend on data length as long as whole data fit in one block.
At third, to measure time of this operation it should be performed on a real-time OS,
which Windows isn't.
So, if your "security expert" manage to success in time-based attack, I would like to
see it.
-- WBR, SD.