
Re: Encryption - was Hello World

References (2 earlier) <54974ed7$0$12986$c3e8da3$5496439d@news.astraweb.com> <roy-2DE8D9.18502021122014@news.panix.com> <m79ghk$o5r$3@reader1.panix.com> <CAPTjJmoJNX2swk-PQyZw8=Z05=kOxhHNdtgpZ2bUEuX0c7+4bw@mail.gmail.com> <54987797.8060504@davea.name>
Date 2014-12-23 09:29 +1100
Subject Re: Encryption - was Hello World
From Chris Angelico <rosuav@gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.17139.1419287363.18130.python-list@python.org>



On Tue, Dec 23, 2014 at 6:57 AM, Dave Angel <d@davea.name> wrote:
> I figure I must be misunderstanding something in your explanation, since a
> brute-force password guesser would seem to only need four billion tries to
> (probably) crack that.
>
> 1) Are you assuming that the cracker can read the source code, but cannot
> modify the version of the code that is running?
>
> 2) Are you really doing something equivalent to:
>
> test = time_calc() - get a one-byte byte-string according to hour of the
> week
> encoded_pw = hash(password)
> if encoded_pw.startswith(test*2) and encoded_pw.endswith(test*2):
>       ---passed---
>
> I can understand that being sufficiently obscure for the pointy haired boss,
> but I figure I've got to be missing something.  A quick test with 3.2 shows
> that around a million hashes can be generated per second, so checking four
> billion is only an hour or so.  Since some of them will collide, that gives
> us something better than 50% likelihood of having found a useful pw in an
> hour.  But a few more hours and we'll most likely have it.
>
> For that matter, you must have already written such a pw finder.
>
> I'm back to figuring I'm misunderstanding what you're saying.

No, actually you're understanding that fairly well. Of course, I
didn't share the password finder script.

The code was similar in functionality to what you describe, but it
used a more obscure coding style so it wasn't obvious. Imagine using a
regex to verify that part of the hash. (It wasn't actually a regex,
but it wasn't Python either, and the significance is that it was
obfuscated code.) I don't remember exactly which hashing algorithm I
was using for this, but the password finder took about a week (running
roughly eight hours a day, while I was there) to cover most of the
required passwords.

As to the assumptions... uhh... that was never something I really
understood. I think you're probably right, and this was part of the
paranoia of "my code might be stolen". You're attempting to attribute
a level of logic to the requirements which has no supporting evidence
:)

But what you've proven above is how ineffective this technique is at
keeping out a determined, and mathematically-adept, attacker. Yaknow,
*real* security. This code was *extremely* effective at satisfying my
boss. As I said, he wasn't satisfied with the idea of just embedding a
SHA256 hash into the code; I would have used an XKCD 936 compliant
password, so brute-forcing that would take (assuming your
million-hashes-per-second figure) about a year, and that assuming the
attacker knew my exact style.

Aside: XKCD 936 overestimates the time to generate guesses (1000/sec),
which presumably means it's not talking about reversing a hash, but
attempting some other attack. (Not a big deal, since the same figure
is used for both types of password.) But it also underestimates the
password entropy of four words. Let's see. First off, a 4K corpus
isn't that hard to work with, so that potentially gives you another
four bits of entropy; in /usr/share/dict/words I have 72861 words with
no capital letters, punctuation, etc., so it wouldn't be unreasonable
to push that up even to 16 bits per word (which sounds weird, worded
like that), raising the total entropy from 44 bits to 64. And there's
no guarantee that one person's corpus will exactly match another's.
Plus, you might and might not capitalize the first letters of the
words (another bit), and you could run them together with no
punctuation, or use any common punctuation to separate them (space, or
"-:,./\" - eight easy options, 3 bits). So in theory, an attacker
might know that you're using an XKCD 936 password, but there could
still be up to 68 bits of entropy, *easily*. Even in a dedicated
personal attack, the estimate of 44 bits would be an absolute minimum,
and it's likely to cost rather more than that.

ChrisA
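The figures traded in this exchange (a 4-byte hash fragment giving a 32-bit search space, a million hashes per second, 44 bits for four words from a 2048-word list versus roughly 64 to 68 bits for four words from a 72861-word list with capitalisation and separator choices) can be checked directly. The following is an added example, not code posted in the thread; it assumes the comic's 2048-word list (11 bits per word, implied by its 44-bit figure) and its 1000 guesses/sec rate, and takes the 1 M hashes/sec rate, the 72861-word count, the two capitalisation variants and the eight separators from the posts above. The `passphrase_bits`, `fragment_check_bits` and `humanise` helpers are constructed for this example.

```python
"""Entropy and brute-force cost estimates for the password schemes discussed
in the thread.  Added example, not code from the thread: word-list sizes,
guess rates and separator count come from the posts, the rest is constructed."""
import math

# Guess rates quoted in the thread: Dave Angel's measured hashing speed on
# Python 3.2, and the 1000 guesses/sec that XKCD 936 assumes.
HASHES_PER_SECOND = 1_000_000
XKCD_GUESSES_PER_SECOND = 1_000


def bits_for_choices(choices: int, picks: int = 1) -> float:
    """Entropy in bits of `picks` independent uniform draws from `choices` options."""
    if choices < 1 or picks < 0:
        raise ValueError("choices must be >= 1 and picks >= 0")
    return picks * math.log2(choices)


def passphrase_bits(word_list_size: int, words: int = 4,
                    capitalisation_variants: int = 1,
                    separator_variants: int = 1) -> float:
    """Entropy of an XKCD-936-style passphrase: `words` independent words,
    optionally times one per-phrase capitalisation choice and one separator
    choice (the extra bits Chris Angelico argues for above)."""
    return (bits_for_choices(word_list_size, words)
            + bits_for_choices(capitalisation_variants)
            + bits_for_choices(separator_variants))


def fragment_check_bits(prefix_bytes: int, suffix_bytes: int) -> int:
    """Effective search space when the verifier compares only a few bytes of
    the hash, as in Dave Angel's sketch.  Any input whose hash matches those
    bytes passes, so the bound is the number of compared bytes and is
    independent of how strong the real password is."""
    return 8 * (prefix_bytes + suffix_bytes)


def seconds_to_exhaust(bits: float, rate: float) -> float:
    """Time to enumerate all 2**bits candidates at `rate` guesses per second."""
    return 2.0 ** bits / rate


def expected_seconds(bits: float, rate: float) -> float:
    """Expected time to hit a uniformly chosen target: half the full space."""
    return seconds_to_exhaust(bits, rate) / 2


def humanise(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def report() -> dict:
    """(bits, seconds for a full search at 1M hashes/sec) per scheme in the thread."""
    schemes = {
        # one byte, doubled, compared as both prefix and suffix: 4 bytes in total
        "4-byte hash fragment check": fragment_check_bits(2, 2),
        # XKCD 936 as drawn: four words from a 2048-word list
        "XKCD 936, 2048-word list": passphrase_bits(2048),
        # the 72861 plain lowercase words counted in /usr/share/dict/words
        "4 words, 72861-word list": passphrase_bits(72861),
        # plus optional initial capitals (2 variants) and 8 separator choices
        "72861 words + caps + 8 separators": passphrase_bits(
            72861, capitalisation_variants=2, separator_variants=8),
    }
    return {name: (bits, seconds_to_exhaust(bits, HASHES_PER_SECOND))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, (bits, secs) in report().items():
        print(f"{name:36s} {bits:6.1f} bits  full search at 1M/s: {humanise(secs)}")
    xkcd = passphrase_bits(2048)
    print(f"XKCD's own 1000/s rate, full search: "
          f"{humanise(seconds_to_exhaust(xkcd, XKCD_GUESSES_PER_SECOND))}")
```

The point the numbers make for a defender is the first row: once the verifier only compares four bytes of the hash, the search space is 32 bits (about 1.2 hours at a million hashes per second) no matter how many bits the password itself carries. The remaining rows show why the 44-bit figure is a floor rather than an estimate: a larger word list alone takes four words to about 64.6 bits, and the capitalisation and separator choices add another four.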
