IT Security Stack Exchange
IT Security Stack Exchange

Questions tagged [algorithm]

Algorithm is a set of step-by-step operations to be performed including calculations, data processing, and automated reasoning.

156 questions
543
votes
11 answers

Is my developer's home-brew password security right or wrong, and why?

A developer, let's call him 'Dave', insists on using home-brew scripts for password security. See Dave's proposal below. His team spent months adopting an industry standard protocol using Bcrypt. The software and methods in that protocol are not…
nallenscott
  • 4,699
  • 3
  • 12
  • 8
41
votes
2 answers

Salted hashes vs HMAC?

Most of discussions involving access credentials include references to "hashing salted passwords". Is this another way to referring to the HMAC algorithm or a totally different operation? Different or not, why not using HMAC since this is easily…
Drew Lex
  • 2,013
  • 2
  • 19
  • 24
32
votes
5 answers

SSH - If Eve has the passphrase and public key, can she derive the private key?

I have used ssh-keygen for creating an RSA 4096-bit SSH private and public key pair. I used a passphrase for the private key. If an attacker, Eve, knows the passphrase in addition to the public key: Can they derive the private key? - I presume yes…
unseen_rider
  • 423
  • 4
  • 10
22
votes
7 answers

Why not mix hashes?

To make hashes harder to target by specialized hardware, I intuitively imagine that mixing a set of different hash algorithms should provide additional strength. For simplicity lets assume Hash1 is a number of iterations of SHA256, Hash2 is bcrypt…
Peter
  • 3,620
  • 3
  • 13
  • 24
20
votes
4 answers

Should I use own constants when using well known hashing algorithms?

I understand that it is important to use well known and well tested hashing algorithms instead of designing my own. For such there often are reference implementations available, which initialize the needed constants with manually picked random…
danijar
  • 303
  • 2
  • 7
15
votes
1 answer

Why is asymmetric encryption less efficient than symmetric encryption?

It's common knowledge that asymmetric encryption is in general much more expensive to compute than symmetric encryption, thus common practice is to use asymmetric encryption to establish a symmetric key for bulk data exchange. I'm not finding any…
Izz
  • 153
  • 1
  • 4
15
votes
1 answer

Understanding brute-forcing algorithms

I've been reading up on brute-forcing techniques and possible methods of prevention, but there is one issue that I haven't been able to find a clear answer to. The way I understand it, a 'simple' brute-forcing attack for a password with 4 numbers…
akseli
  • 261
  • 2
  • 6
14
votes
4 answers

Implementation of diceware: do I have to simulate dice roll?

I am creating a small utility for generating passwords based on the diceware method. At the moment I am very close to the algorithm of real diceware - i.e. I simulate rolling dice n-times to get a single word from the list. I am wondering though if…
Maciek Talaska
  • 249
  • 2
  • 5
11
votes
1 answer

Is knowing the decrypted and encrypted data enough to find the key?

Let's say an attacker knows the encrypted content, the decrypted content and the algorithm used: can he get the key that was used to encrypt the content or does it make it easier to find the key out? I think that this may vary between symmetric and…
MinecraftShamrock
  • 267
  • 1
  • 3
  • 8
10
votes
5 answers

Is there an asymmetric encryption algorithm that maintains the length of the plaintext?

I want to protect some registers by encrypting them without providing additional memory space. Is there a encryption algorithm that will maintain the length of the data to be encrypted? (i.e. plaintext.length=ciphertext.length)
Drew Lex
  • 2,013
  • 2
  • 19
  • 24
10
votes
2 answers

Unseen.is encryption claims revisited with their proprietary, patented "xAES" algorithm

I had asked last year about the encryption claims by the web service called https://unseen.is. The very same service that had claims of "beyond army level encryption", "4096 bit keys" etc. This is the response from their support: We don't use IKE…
Harry Greenwald
  • 131
  • 5
9
votes
4 answers

How can we factor Moore's law into password cracking estimates?

How would we go about factoring Moore's law into exceedingly long password cracking estimates? Let's say we've got a 12 character password containing mixed-case alpha characters and numbers, i.e. a-z, A-Z and 0-9. The keyspace for such a password is…
Polynomial
  • 132,208
  • 43
  • 298
  • 379
8
votes
5 answers

How to prevent pay per show/click abuse?

We have a webapp. 3rd party websites put our banners on their pages (banner is a snippet of HTML). They are paid for it using "Pay per click" or "Pay per show" methods. So 3rd party website's owners are interested in abusing this payment methods by…
Andrei Botalov
  • 5,267
  • 10
  • 45
  • 73
8
votes
1 answer

Identifying an unknown hash

During some of my research work I encountered an unknown hashed string. What I am curious about is the algorithm used to generate it. A factor that makes it interesting - the string contains an asterisk, that acts as some sort of a delimiter. Here…
Den
  • 205
  • 2
  • 5
8
votes
2 answers

Why is MD5 considered a vulnerable algorithm?

I know that MD5 is the most vulnerable hashing algorithm, and particularly vulnerable to Collisions. But the collision vulnerability is not very risky and somebody might use that as an advantage, but that's with sheer luck. OK, let's say I store…
mzcoxfde
  • 585
  • 2
  • 5
  • 12
1
2 3
10 11