in reply to Re: Would Like Recommendation for an SHA256 module
in thread Would Like Recommendation for an SHA256 module

Are there people who work with cryptographic tools and have access to a fair amount of computer horsepower who are also likely to be motivated to attack the web site of your homeowners association?

Well, there's that evil homeowners association just down the road... They're so competitive... ;)

Seriously, I know exactly what you're saying; in my case any kind of encryption at all is probably more than enough. After all, there's no money or secrets involved.

I was fat, dumb and happy using MD5 crypt until during testing, I noticed that only the first 8 characters of passwords seemed to matter. I found info on the web that MD5, (or at least the implementation I'm using, Digest::MD5), crypt only uses the first 8 characters. <update> I considered using MD5 instead of crypt. </update> Further searching revealed that MD5 and SHA1 have been broken, and if you're coding something new, you might as well go with SHA256. Since I havent't released my script yet, and since I want the whole password to count, I figured I should go with SHA256. And you're right, another reason is for me to learn.

My main concern here is if these modules implement SHA256 properly.

Thanks syphilis for pointing out my mistake

TheEnigma

Replies are listed 'Best First'.
Re^3: Would Like Recommendation for an SHA256 module
by syphilis (Archbishop) on Aug 01, 2006 at 12:28 UTC
    I noticed that only the first 8 characters of passwords seemed to matter

    Have you got some code that demonstrates that ? Here is some code that negates that statement: 
    use warnings;
use strict;
use Digest::MD5 qw(md5_hex);

my $pass1 = '12345678zy';
my $pass2 = '12345678ab';
my $pass3 = '12345678mn';

print md5_hex($pass1), "\n", md5_hex($pass2), "\n", md5_hex($pass3), "
+\n";

    [download]
    For me, it produces:

    653080cea849964e8bd43ef33355c01b
    b86ffaf7de29e8aa87785572741025f3
    25c8c10a5673749bb097eea0e407addb

    I defy anybody to come up with an MD5 collision for any strings of equal length.

    Cheers,
    Rob
[reply]
[d/l]
      use warnings;
use strict;

use Digest::MD5 qw( md5 );

my $text1 = "\xA6\x64\xEA\xB8\x89\x04\xC2\xAC"
          . "\x48\x43\x41\x0E\x0A\x63\x42\x54"
          . "\x16\x60\x6C\x81\x44\x2D\xD6\x8D"
          . "\x40\x04\x58\x3E\xB8\xFB\x7F\x89"
          . "\x55\xAD\x34\x06\x09\xF4\xB3\x02"
          . "\x83\xE4\x88\x83\x25\x71\x41\x5A"
          . "\x08\x51\x25\xE8\xF7\xCD\xC9\x9F"
          . "\xD9\x1D\xBD\xF2\x80\x37\x3C\x5B"
          . "\x97\x9E\xBD\xB4\x0E\x2A\x6E\x17"
          . "\xA6\x23\x57\x24\xD1\xDF\x41\xB4"
          . "\x46\x73\xF9\x96\xF1\x62\x4A\xDD"
          . "\x10\x29\x31\x67\xD0\x09\xB1\x8F"
          . "\x75\xA7\x7F\x79\x30\xD9\x5C\xEB"
          . "\x02\xE8\xAD\xBA\x7A\xC8\x55\x5C"
          . "\xED\x74\xCA\xDD\x5F\xC9\x93\x6D"
          . "\xB1\x9B\x4A\xD8\x35\xCC\x67\xE3";

my $text2 = "\xA6\x64\xEA\xB8\x89\x04\xC2\xAC"
          . "\x48\x43\x41\x0E\x0A\x63\x42\x54"
          . "\x16\x60\x6C\x01\x44\x2D\xD6\x8D"
          . "\x40\x04\x58\x3E\xB8\xFB\x7F\x89"
          . "\x55\xAD\x34\x06\x09\xF4\xB3\x02"
          . "\x83\xE4\x88\x83\x25\xF1\x41\x5A"
          . "\x08\x51\x25\xE8\xF7\xCD\xC9\x9F"
          . "\xD9\x1D\xBD\x72\x80\x37\x3C\x5B"
          . "\x97\x9E\xBD\xB4\x0E\x2A\x6E\x17"
          . "\xA6\x23\x57\x24\xD1\xDF\x41\xB4"
          . "\x46\x73\xF9\x16\xF1\x62\x4A\xDD"
          . "\x10\x29\x31\x67\xD0\x09\xB1\x8F"
          . "\x75\xA7\x7F\x79\x30\xD9\x5C\xEB"
          . "\x02\xE8\xAD\xBA\x7A\x48\x55\x5C"
          . "\xED\x74\xCA\xDD\x5F\xC9\x93\x6D"
          . "\xB1\x9B\x4A\x58\x35\xCC\x67\xE3";

printf("len text1 %s len text2\n", length($text1) == length($text2) ? 
+'==' : '!=');
printf("text1     %s text2\n",     $text1         eq $text2         ? 
+'eq' : 'ne');
printf("md5 text1 %s md5 text2\n", md5($text1)    eq md5($text2)    ? 
+'eq' : 'ne');

      [download]

      outputs 

      len text1 == len text2
text1     ne text2
md5 text1 eq md5 text2

      [download]

      Finding the collision took 8 hours using a notebook PC (Intel Pentium 1.6 GHz). That's minutes on a strong computer. Reference

[reply]
[d/l]
[select]
        Finding the collision took 8 hours using a notebook PC (Intel Pentium 1.6 GHz)

        Heh ... I wondered as I wrote whether I would end up with the ol' egg facial treatment. (If you hadn't provided the link, I would have assumed that collision was something you whipped up all by yourself :-)

        Of course that doesn't demonstrate that a string (of a specific length) that hashes to a given digest can be found readily - which would be the OP's main concern. But, with the progress that is being made in the breaking of MD5, I think I might refrain from making any more rash assertions.

        Thanks, ikegami, for the heads up.

        Cheers,
        Rob
[reply]

      So sorry! Yes, you are correct. Please see my update in my OP above.

      TheEnigma

[reply]

In Section Seekers of Perl Wisdom