Re^10: monastery mark-upedness (privacy)

Also consider this lesson from Bruce Schneier:
http://www.schneier.com/blog/archives/2007/11/using_google_to.html

As far as I can see, the hash algorithm wouldn't have to be known in order to attempt this attack. It would only have to be used enough on the internet that it might be indexed with it's plaintext by Google or whatever search engine.

The only defense against this would be a roll-your-own algoritihm, and then you don't have the benefit of peer review in the cryptanalytic community.

#my sig used to say 'I humbly seek wisdom. '. Now it says:
use strict;
use warnings;
I humbly seek wisdom.

Comment on Re^10: monastery mark-upedness (privacy)

Replies are listed 'Best First'.
Re^11: monastery mark-upedness (privacy) by kyle (Abbot) on Mar 21, 2008 at 20:23 UTC
You could get the benefit of a peer reviewed algorithm by using some secret salt (which was suggested by Fletch in Re^6: monastery mark-upedness (brute force)). `use Digest::SHA1 qw( sha1_hex ); my $ip_address = shift; my $secret_salt = q{you don't know this part}; my $published_hash = sha1_hex( $ip_address . $secret_salt );` [download] Someone who has access to the source could launch a dictionary attack now, but that would be true if the source had a roll-your-own algorithm too.	[reply] [d/l]
Re^12: monastery mark-upedness (privacy) by goibhniu (Hermit) on Mar 21, 2008 at 20:54 UTC
I got that. I was only intending to point out a different attack, where the attacker may not know the algorithm or even use their own cpu to do the brute forcing, but let Google do it. I guess it was a leap to go all the way to "roll-your-own". I agree that secret salt makes this less likely, but considering the Google attack may influence implementation including how the salt is selected or maybe whether the resulting hash is ever published in a Google-able space. #my sig used to say 'I humbly seek wisdom. '. Now it says: use strict; use warnings; I humbly seek wisdom.	[reply]