
Pass-phrases + minor misspellings are typically non-crackable with billions^x years, barring dictionary attacks (stupidity will always exist). There's no "sophisticated brute force" that would speed it up measurably.

Granted, password-hashing reduces the keyspace, often to something possibly-computable to find a collision. But you're still talking up to 36^40 (for SHA1) attempts (that's 1e62, btw).




I am not saying that you go through every permutation. What I meant was something like Turing's tricks. The naval Enigma was consistently cracked in a short time by the bombe because they learnt that at a particular time of day all ships sent weather reports. Further they were always signed 'Hail Fuhrer/Hitler!'. I am pretty sure that modern equivalents must exist in the implementation of cryptography today.

The irony is that I am not qualified to comment and the people who are qualified to do so are bound by secrecy not to do so.


There you're talking a statistical analysis of a code, specifically one based on a "code book", which are vulnerable to attacks like this. Hashes are designed to prevent this by being (ideally) evenly distributed based on input, and salts destroy analysis across multiple clients. To perform that sort of attack, your hash function would have to be "cracked" in some way, like MD5 is (you can create collisions easily - values which resolve to the same hash), and thus almost totally worthless.
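An added example, not part of the original comment, illustrating the point above that salts defeat analysis across accounts: it stores the same constructed password set once unsalted and once with per-user salts, then checks for shared digests and for hits against a table computed once. The account names, passwords, iteration count and the choice of SHA-256 and PBKDF2 are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; alice and bob happen to share a password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}
ITERATIONS = 100_000  # assumed work factor for this demo

def digest(password: str, salt: bytes) -> str:
    """Empty salt = bare SHA-256; otherwise salted PBKDF2-HMAC-SHA256."""
    if not salt:
        return hashlib.sha256(password.encode()).hexdigest()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def build_db(users: dict, salted: bool) -> dict:
    """Return {user: (salt, digest)} as a credential table would store it."""
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16) if salted else b""
        db[user] = (salt, digest(pw, salt))
    return db

def shared_digests(db: dict) -> list:
    """Groups of accounts whose stored digests are identical."""
    groups = defaultdict(list)
    for user, (_, d) in db.items():
        groups[d].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def table_hits(db: dict, guesses: list) -> list:
    """Accounts matched by one table of digests computed once, without salts."""
    table = {digest(g, b"") for g in guesses}
    return sorted(u for u, (_, d) in db.items() if d in table)

def verify(db: dict, user: str, password: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    salt, stored = db[user]
    return hmac.compare_digest(digest(password, salt), stored)

if __name__ == "__main__":
    for salted in (False, True):
        db = build_db(USERS, salted)
        print("salted" if salted else "unsalted",
              shared_digests(db), table_hits(db, ["correct horse"]))
```

With salts, identical passwords no longer produce identical stored values, so each account has to be examined separately while ordinary login verification still works.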


Thanks for correcting me.

By the way, can you recommend any way for me to pick up the fundamentals of modern cryptography?


I wish I could, actually. I've just been picking it up by reading random articles for a couple years now, writing some Rails code, and looking things up (details / best-practices) as I go. Not a route I'd suggest in general, but it works if you're focusing on other things.

What got me started & revealed a lot of other cryptography techniques was to look into how Diffie-Hellman[1] and RSA[2] work (they're not too complicated, really), understand what hashing functions do, if not necessarily how, and then look around at news of exploits / attacks. A lot to understanding secure code / techniques is understanding how the attacks work, and a lot of the news around them contain surprisingly-good explanations.

Anyone else have suggestions? I could probably use them too.

[1]: http://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange

[2]: http://en.wikipedia.org/wiki/Rsa


That depends on what you want to do with it.

I found Katz & Lindell's Modern Cryptography, a textbook written by active research cryptographers, quite good. The classical "applied" work is Schneier's "Applied Cryptography", but note there are a lot of issues with that work. His newer book, "Cryptography Engineering", is supposedly better.

Goldreich's Foundations of Cryptography is quite solid, but requires quite a bit of background and is very theoretical.


Look at HN user tptacek's posts. He makes a living at crypto and frequently posts about good practice or resources.



