hashes on restricted domains: random functions or permutations?

Anne & Lynn Wheeler lynn at garlic.com
Wed Oct 18 00:26:08 EDT 2006


Travis H. wrote:
> So I was reading about the OTP system (based on S/Key) described in RFC 2289.
> It basically hashes a secret several times (with salt to individualize it) and stores
> the value that the correct password will hash to.
>
> Now my question is, if we restrict ourselves to, say, 160-bit inputs, is SHA-1
> a permutation, or do collisions exist?  If there are collisions, then iterating
> the hash could lead to fewer possible values each time, potentially converging
> on a set of inputs that form a permutation and are closed under composition.
>
> Is that correct?  What are the expected sizes of such sets?
> Is it worth worrying about?

posts discussing other kinds of attack on 2289 ... assuming the original
circumstances that 2289 is supposed to address; most of the "fixes" for
the attacks ... in turn, negate/invalidate the original
purpose/justification for 2289
http://www.garlic.com/~lynn/2003m.html#50 public key vs passwd authentication?
http://www.garlic.com/~lynn/2003n.html#1 public key vs passwd authentication?
http://www.garlic.com/~lynn/2003n.html#2 public key vs passwd authentication?
http://www.garlic.com/~lynn/2003n.html#3 public key vs passwd authentication?
http://www.garlic.com/~lynn/2005o.html#0 The Chinese MD5 attack
http://www.garlic.com/~lynn/2005t.html#28 RSA SecurID product
http://www.garlic.com/~lynn/2005t.html#31 Looking for Information on password systems
http://www.garlic.com/~lynn/2006d.html#41 Caller ID "spoofing"

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
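
Added example, not part of the original thread: the quoted question about iterating a hash on a restricted domain can be measured directly on a toy domain. The sketch below assumes SHA-1 truncated to 16 bits on 16-bit inputs (the `BITS` value and all function names are illustrative choices, not from RFC 2289) and counts how many values survive each iteration, down to the closed set on which the function acts as a permutation.

```python
import hashlib

BITS = 16          # assumption: toy domain small enough to enumerate fully
N = 1 << BITS

def f(x: int) -> int:
    """SHA-1 restricted to BITS-bit inputs, output truncated to BITS bits."""
    digest = hashlib.sha1(x.to_bytes(BITS // 8, "big")).digest()
    return int.from_bytes(digest[: BITS // 8], "big")

def build_table() -> list[int]:
    return [f(x) for x in range(N)]

def iterate_image(table):
    """Apply f to the whole domain repeatedly.

    Returns (sizes, core): sizes[k] is the number of values reachable
    after k applications; core is the set where shrinking stops.
    Images are nested, so equal size means f(core) == core, i.e. f acts
    as a permutation on core.
    """
    current = set(range(len(table)))
    sizes = [len(current)]
    while True:
        nxt = {table[x] for x in current}
        if len(nxt) == len(current):
            return sizes, current
        sizes.append(len(nxt))
        current = nxt

if __name__ == "__main__":
    table = build_table()
    sizes, core = iterate_image(table)
    for k in (1, 2, 5, 10, 100):
        if k < len(sizes):
            print(f"after {k:3d} iterations: {sizes[k]:6d} values ({sizes[k] / N:.1%})")
    print(f"stable after {len(sizes) - 1} iterations: {len(core)} values")
    print(f"random-function estimates: 1 - 1/e = 63.2% after one step, "
          f"sqrt(pi*N/2) = {(3.141592653589793 * N / 2) ** 0.5:.0f} at the end")
```

For a random function on N points the expected size of the final closed set is sqrt(pi*N/2), which for a 160-bit domain is roughly 2^80; the toy run only shows the shape of the shrinkage, not a property of full-width SHA-1.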


