Understanding more about hashing
Written on 11 February 2015, 11:21pm
Brute force vs dictionary attack vs rainbow tables
Brute force: least efficient, tries all the possible values.
Dictionary attack: tries a predefined list of values
Rainbow tables: contain pre-computed hashed values. If a single salt per db is used, then the pre-computed hashed values have to be updated (to include the salt). If a single salt per password is used, then the pre-computed hashed values have to be updated for each password.
Note: rainbow table can only be used if the hashed values are available.
1. Collision resistance: it should not be realistically possible to find two messages giving the same hash
2. Pre-image resistance: given the hash, it should not be realistically possible to obtain the message (we ask an adversary, given only H(m), to find m or some m′ such that H(m′) = H(m) )
3. Second pre-image resistance: given both the hash and the message, it should not be realistically possible to obtain another message with the same hash.
More here and here
Hashing is not compression (you can’t go back to the original string)
Hashing is not encryption (for encryption you need a key)
What are you hashing
– not sensible data: use MD5/SHA family of hashing functions
– sensible data (like passwords): PBKDF2 (*), bcrypt or scrypt
This is about transforming a password into a key that can be used for encryption. Think about encrypting a file with a password.
The output of a password hashing function is acceptable as a symmetric key, after possible truncation to the required size.
LastPass utilizes the PBKDF2 function implemented with SHA-256 to turn your master password into your encryption key.
– LastPass user manual
(*) PBKDF2 is in fact a Key derivation function, not a hashing function.
Written by Dorin Moise (Published articles: 259)