[Cryptography] eBay hack

Phillip Hallam-Baker phill at hallambaker.com
Mon May 26 23:18:17 EDT 2014


On Fri, May 23, 2014 at 10:49 PM, Stuart Longland
<stuartl at longlandclan.yi.org> wrote:
> On Fri, 23 May 2014 02:55:18 +0200, R. Hirschfeld wrote:
>
>> According to the New York Times, the eBay passwords were salted and
>> hashed:
>>
>> http://www.nytimes.com/2014/05/22/technology/ebay-reports-attack-on-its-computer-network.html
>>
>> But you might not trust the New York Times:
>>
>> http://www.dailykos.com/story/2014/05/15/1299692/-The-New-York-Times-Busted-Lying-Through-its-Teeth
>>
>> (an exaggerated indictment, but the comparison with the Washington Post's
>> reporting of the same story is remarkable).
>
>
> There is a claim by a comment on The Register that the following is the
> algorithm used, and that over the years they've changed hashing
> algorithms:
>
> SHA-512(RSA-Encrypt(RSA-Encrypt(Password + Username) + Password))
> -- http://forums.theregister.co.uk/forum/containing/2196088
>
> Obviously, an anonymous source, and we've got no real way of proving it
> right or wrong.  Apparently the RSA key is thrown away, so exactly how
> you'd go about re-generating the data for comparison to the SHA-512 hash
> is anyone's guess, so I'm a little dubious of the above.


If true, all EBay would need to do to make their system secure against
loss of the database would be to keep the public key used to encrypt
the data secret.

Which means that this is arguably prior art for the HMAC scheme I and
others proposed (albeit a slow one). Not revealing the public key is
arguably obvious because EBay never published it.

Of course, date of publication... if it was never published, it's not prior art...

Slow is only good if you are not using some form of trustworthy
hardware to lock up the key :)
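The point made above, that a credential table is only useful to whoever also holds a secret key kept outside it, is easy to demonstrate. The following is an added example, not eBay's code and not the list author's proposal: it stands in an HMAC keyed by a secret held in a separate "key holder" object for the alleged secret-RSA-key step (any keyed pseudorandom function gives the same property), and runs a dictionary attack against a stolen table both with and without that key. The user names, passwords, wordlist and iteration count are constructed for the demo.

```python
"""Keyed password hashing: why a secret key kept outside the database defeats
offline cracking of a stolen credential table. Added example, not eBay's code."""
import hashlib
import hmac
import os
import secrets

# Constructed sample data: two accounts and a tiny attacker wordlist.
USERS = {"alice": "hunter2", "bob": "correct horse battery staple"}
WORDLIST = ["password", "123456", "hunter2", "letmein", "qwerty"]
ROUNDS = 5_000  # deliberately low so the demo runs quickly; use far more in production


def slow_hash(password, salt, rounds=ROUNDS):
    """Per-user salted, iterated hash (PBKDF2-HMAC-SHA512 as the 'slow' step)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)


class KeyHolder:
    """Stand-in for the 'trustworthy hardware' (HSM, enclave) that locks up the key.

    The key is generated inside and never returned; the only operation offered
    is a MAC. This plays the role of the alleged secret RSA key: any keyed
    pseudorandom function works, HMAC is just the simplest stand-in."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def mac(self, data):
        return hmac.new(self._key, data, hashlib.sha512).digest()


def store_salted(password):
    """Scheme A: salt + slow hash only. Everything needed to verify is in the row."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": slow_hash(password, salt)}


def store_keyed(password, holder):
    """Scheme B: salt + slow hash, then keyed with a secret that is NOT in the row."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": holder.mac(salt + slow_hash(password, salt))}


def verify_salted(password, row):
    return hmac.compare_digest(slow_hash(password, row["salt"]), row["hash"])


def verify_keyed(password, holder, row):
    expected = holder.mac(row["salt"] + slow_hash(password, row["salt"]))
    return hmac.compare_digest(expected, row["hash"])


def build_databases(users, holder):
    salted = {u: store_salted(p) for u, p in users.items()}
    keyed = {u: store_keyed(p, holder) for u, p in users.items()}
    return salted, keyed


def offline_attack(db, wordlist, holder=None):
    """Dictionary attack by someone holding only the stolen rows.

    Without the key (holder is None) the attacker can compute slow_hash for each
    guess but cannot apply the secret keyed step, so the best they can do is
    compare slow_hash(guess, salt) with the stored value. If the key is also
    stolen (holder given), the keyed scheme collapses to the salted one."""
    cracked = {}
    for user, row in db.items():
        for guess in wordlist:
            if holder is None:
                hit = hmac.compare_digest(slow_hash(guess, row["salt"]), row["hash"])
            else:
                hit = verify_keyed(guess, holder, row)
            if hit:
                cracked[user] = guess
                break
    return cracked


if __name__ == "__main__":
    hsm = KeyHolder()
    salted_db, keyed_db = build_databases(USERS, hsm)
    print("salted DB, no key needed:", offline_attack(salted_db, WORDLIST))
    print("keyed DB, key not leaked: ", offline_attack(keyed_db, WORDLIST))
    print("keyed DB, key also leaked:", offline_attack(keyed_db, WORDLIST, hsm))
```

With only the rows, the attacker recovers the weak password from the salted table and nothing from the keyed one; handing them the key holder as well puts the two schemes on equal footing. That is also where the "slow" parameter earns its keep: the iteration count only buys anything in the case where the key leaks together with the database, which is the trade-off the last sentence above is pointing at.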
