cryptography - How long to brute force a salted SHA-512 hash? (salt provided) -

-

here algorithm in java:

public string gethash(string password, string salt) throws exception {     string input = password + salt;     messagedigest md = messagedigest.getinstance(sha-512);     byte[] out = md.digest(input.getbytes());     return hexencoder.tohex(out); }

assume salt known. want know time brute force when password dictionary word , when not dictionary word.

in case, breaking hash algorithm equivalent finding collision in hash algorithm. means don't need find password (which preimage attack), need find output of hash function equal hash of valid password (thus "collision"). finding collision using birthday attack takes o(2^n/2) time, n output length of hash function in bits.

sha-2 has output size of 512 bits, finding collision take o(2^256) time. given there no clever attacks on algorithm (currently none known sha-2 hash family) takes break algorithm.

to feeling 2^256 means: believed number of atoms in (entire!!!) universe 10^80 2^266. assuming 32 byte input (which reasonable case - 20 bytes salt + 12 bytes password) machine takes ~0,22s (~2^-2s) 65536 (=2^16) computations. 2^256 computations done in 2^240 * 2^16 computations take

2^240 * 2^-2 = 2^238 ~ 10^72s ~ 3,17 * 10^64 years

even calling millions of years ridiculous. , doesn't better fastest hardware on planet computing thousands of hashes in parallel. no human technology able crunch number acceptable.

so forget brute-forcing sha-256 here. next question dictionary words. retrieve such weak passwords rainbow tables used traditionally. rainbow table table of precomputed hash values, idea if able precompute , store every possible hash along input, take o(1) given hash , retrieve valid preimage it. of course not possible in practice since there's no storage device store such enormous amounts of data. dilemma known memory-time tradeoff. able store many values typical rainbow tables include form of hash chaining intermediary reduction functions (this explained in detail in wikipedia article) save on space giving bit of savings in time.

salts countermeasure make such rainbow tables infeasible. discourage attackers precomputing table specific salt recommended apply per-user salt values. however, since users not use secure, random passwords, still surprising how successful can if salt known , iterate on large dictionary of common passwords in simple trial , error scheme. relationship between natural language , randomness expressed entropy. typical password choices of low entropy, whereas random values contain maximum of entropy.

the low entropy of typical passwords makes possible there relatively high chance of 1 of users using password relatively small database of common passwords. if google them, end finding torrent links such password databases, in gigabyte size category. being successful such tool in range of minutes days if attacker not restricted in way.

that's why hashing , salting alone not enough, need install other safety mechanisms well. should use artificially slowed down entropy-enducing method such pbkdf2 described in pkcs#5 , should enforce waiting period given user before may retry entering password. scheme start 0.5s , doubling time each failed attempt. in cases users don't notice , don't fail more 3 times on average. slow down malicious outsider trying attack application.


Comments

Post a Comment

Popular posts from this blog

linux - Using a Cron Job to check if my mod_wsgi / apache server is running and restart -

-
my group , running server based upon django , uses mod_wsgi run apache server. not working on project after over, attempting set cronjob similar functionality check if apache server has shut down(system restart or power failure), , if has, restart server me. i've found documentation on how check if apache server down , restart server if is, our server uses https , our start command pretty verbose. can use functionality provided in these examples: https://askubuntu.com/questions/277389/cron-job-to-restart-apache https://www.digitalocean.com/community/tutorials/how-to-use-a-simple-bash-script-to-restart-server-programs or need more complicated process make happen? the command use start server is python manage.py runmodwsgi --host 0.0.0.0 --port 8001 --https-port 8000 --ssl-certificate (certificate location) --server-name (domain name) i'm pretty new linux , using both mod-wsgi apache appreciated. you better off using --setup-only option mod_wsgi-expres
Read more

actionscript 3 - TweenLite does not work with object -

-
i got following problem: i have object called tempscore game. this object blitted canvas renderer via copypixels method. object not display object. it's score-object (self made). score-object extends object called basicblitarrayobject. basicblitarrayobject extends eventdispatcher (therefore no display object). i tried apply several different tweenlite-plugins tempscore-object (i.e. transformaroundcenter, colormatrixfilter, etc.). nothing happens. absolutely nothing. sometimes error messages (when plugin requires display object , object not display object). far good. according greensock (maker of tweenlite) engine can tween numeric property of object. when plugin transformaroundcenter requires display object tweening have modify plugin working non-display object (tempscore). can't because it's way hard me. my game rests upon code: http://www.8bitrocket.com/book/ch11_blastermines.zip try apply tweenlite object called tempmine inside game class blastermines.
Read more

jQuery Ajax Render Fragments OR Whole Page -

-
i'm in throes of building application wraps mess of legacy code. page working on, need substitute fragment divs constructed on back-end -- or else need replace entire page altogether. idea there dynamically controlled flow needs satisfied before can forward legacy product. substituting fragments works fine, seen in below my_body_content swap. trouble comes when i'm trying render not fragment, whole page, in "body" swap. @ point page goes blank. i want similar errors returned server. want nice rest 404 error messages displayed on screen, legacy-product 404s show in legacy-product 404 page. yes, requirements project weird. that's not problem can fix. here's jquery invocation, names changed protect guilty: $.ajax({ url: "places/things", type: "post", data: json.stringify(somebadassobject), datatype: "text", accepts: "text/html", contenttype: "application/json; charset=
Read more