| Subject | Re: [Firebird-general] Security paranoia |
|---|---|
| Author | Dimitry Sibiryakov |
| Post date | 2014-02-07T20:23:35Z |
07.02.2014 20:44, Lester Caine wrote:
between system response time and the distance between attempted password and right
password in any functional space. I can imagine encrypting algorithm for which it is true,
but SHA1 used in Firebird or MD5 used in Linux are different. They work not with every
symbol of password and key separately, but with whole fixed size array of bytes, filling
the rest of the buffer with zeros or salt. In this case (as I already said) there is no
correlation between working time and buffer content (O(N) = N/sizeof(buffer) which for
N<sizeof(buffer) == 1), so timing attack is not possible.
I would say that your passwords are out of danger.
But this this kind of attack is popular in Hollywood because it looks good in TV, so I
don't wonder that there are people who believe in its effectiveness. They just watched
"Hackers" too much.
--
WBR, SD.
> but I don't have the knowledge toOk, let's look at theory: to let this attack to be possible there must me a correlation
> disprove that this type of attack IS currently happening in real life?
between system response time and the distance between attempted password and right
password in any functional space. I can imagine encrypting algorithm for which it is true,
but SHA1 used in Firebird or MD5 used in Linux are different. They work not with every
symbol of password and key separately, but with whole fixed size array of bytes, filling
the rest of the buffer with zeros or salt. In this case (as I already said) there is no
correlation between working time and buffer content (O(N) = N/sizeof(buffer) which for
N<sizeof(buffer) == 1), so timing attack is not possible.
I would say that your passwords are out of danger.
But this this kind of attack is popular in Hollywood because it looks good in TV, so I
don't wonder that there are people who believe in its effectiveness. They just watched
"Hackers" too much.
--
WBR, SD.