Hacker News

Could the revelation of the encryption used give the attackers the hint they need to break it open?



I'd say it's possible, but unlikely; and you'd hope it's not a major factor in practice.

When you assume that the attackers have, or could get, at least one account for which they know the password, then if the hashing scheme is something they'll be able to crack en masse, they are probably going to be able to figure out what the hashing scheme is from their known plaintext.


In general, if you are depending on a secret cryptographic algorithm, then you are doing something wrong. Cryptographic algorithms are horribly complicated, with many attack vectors you need to know, and prevent. Chances are, someone writing their own code isn't going to make a secure system. By using a known, secure system, it doesn't actually matter if people know what it is. A known system has been tested, and deemed to be 'secure'. If knowing the name did mean they could exploit it, then it probably isn't a good system to be using in the first place.

As an example, here is an attack you may not have considered. If you wanted to make an authentication system, you would want to compare a password with a stored password (or hash). Most people would do a byte-by-byte comparison of the passwords (or hashes). The problem is, a byte-by-byte comparison takes longer for a correct password (even if you use hashes), as the incorrect answer exits on the first compare failure. This is called a timing attack, and is an example of a side channel. Most people wouldn't even know that such an attack existed. This is why you want to use a known algorithm, because the people who wrote them know these kinds of attacks. So if people know your secure algorithm, they shouldn't be able to exploit that knowledge.

Here are two links posted here recently, which show these concepts very well. The third is an hour talk about cryptography in general, and I highly recommend it.

http://carlos.bueno.org/2011/10/timing.html

http://syhw.posterous.com/two-amusing-side-channel-attacks

http://fosslc.org/drupal/content/everything-you-need-know-ab...
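The early-exit comparison the comment above describes, next to the constant-time version it recommends, as an added illustration (not code from the commenter or from any of the linked posts). Instead of measuring wall-clock time, which is noisy, both functions report how many bytes they examined before deciding, which is exactly the quantity that leaks: the naive loop stops at the first mismatch, the fixed-work loop always runs to the end. The sample hash and the "correct horse battery staple" password are constructed here; `hmac.compare_digest` is the real standard-library function to use in practice.

```python
import hashlib
import hmac
from typing import Tuple


def naive_compare(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Early-exit comparison. Returns (equal, bytes examined).

    Stops at the first differing byte, so the work done (and the time
    taken) grows with the length of the correctly guessed prefix.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Fixed-work comparison. Returns (equal, bytes examined).

    ORs the XOR of every byte pair into an accumulator and only looks at
    the result after the loop, so every call examines all len(a) bytes.
    The length check is done first: digests are fixed-size, so the length
    itself is not secret.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        diff |= x ^ y
        examined += 1
    return diff == 0, examined


# Constructed sample: SHA-256 is used here only to obtain a fixed-size digest
# to compare. Real password storage should use a slow, salted password hash;
# the comparison step is the point being demonstrated.
PASSWORD = "correct horse battery staple"
STORED_HASH = hashlib.sha256(PASSWORD.encode()).digest()
DIGEST_LEN = len(STORED_HASH)  # 32 bytes

# Two wrong digests: one differing in the first byte, one only in the last.
WRONG_FIRST = bytes([STORED_HASH[0] ^ 0xFF]) + STORED_HASH[1:]
WRONG_LAST = STORED_HASH[:-1] + bytes([STORED_HASH[-1] ^ 0xFF])


def verify_password(stored_hash: bytes, candidate: str) -> bool:
    """What a login check should do: hash the candidate, then compare with
    the standard library's constant-time primitive."""
    candidate_hash = hashlib.sha256(candidate.encode()).digest()
    return hmac.compare_digest(stored_hash, candidate_hash)


if __name__ == "__main__":
    for label, guess in (("wrong first byte", WRONG_FIRST), ("wrong last byte", WRONG_LAST)):
        print(label, "naive:", naive_compare(STORED_HASH, guess),
              "constant-time:", constant_time_compare(STORED_HASH, guess))
    print("login with correct password:", verify_password(STORED_HASH, PASSWORD))
```

Running it shows the naive compare giving up after 1 byte for the first guess but after all 32 for the second, while the constant-time compare does 32 bytes of work in both cases; an attacker watching response times learns nothing about how much of the prefix matched.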


No.



