| Subject | Re: [Firebird-general] Security paranoia |
|---|---|
| Author | Lester Caine |
| Post date | 2014-02-07T18:17:05Z |
Dimitry Sibiryakov wrote:
--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
> 07.02.2014 15:46, Lester Caine wrote:The server stack is running on Linux ;) I prefer to serve users in real time ...
>> The particular 'problem' PHP is trying to fix is one where the time it takes to
>> decode a hash can give you enough information to identify the password letter by
>> letter. SO the fix is to ensure that it takes either a random time, or the same
>> time which ever letter is being handled. At least I THINK that is what is being
>> discussed;) I think that with Firebird it's probably the HASH() performance
>> that matters? but I'm not sure about hacking the database passwords ...
>
> At first, "decoding a hash" is impossible. That's a basic thing for all crypto hashes.
> At second, calculation of a block hash (to which used by Firebird SHA-1 belongs to)
> does not depend on data length as long as whole data fit in one block.
> At third, to measure time of this operation it should be performed on a real-time OS,
> which Windows isn't.
> So, if your "security expert" manage to success in time-based attack, I would like toIs http://en.wikipedia.org/wiki/Timing_attack simply a piece of fiction?
> see it.
--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk