Re^11: monastery mark-upedness (privacy)

You could get the benefit of a peer reviewed algorithm by using some secret salt (which was suggested by Fletch in Re^6: monastery mark-upedness (brute force)).

use Digest::SHA1 qw( sha1_hex );

my $ip_address = shift;
my $secret_salt = q{you don't know this part};

my $published_hash = sha1_hex( $ip_address . $secret_salt );
[download]

Someone who has access to the source could launch a dictionary attack now, but that would be true if the source had a roll-your-own algorithm too.

Comment on Re^11: monastery mark-upedness (privacy) Download Code

Replies are listed 'Best First'.
Re^12: monastery mark-upedness (privacy) by goibhniu (Hermit) on Mar 21, 2008 at 20:54 UTC
I got that. I was only intending to point out a different attack, where the attacker may not know the algorithm or even use their own cpu to do the brute forcing, but let Google do it. I guess it was a leap to go all the way to "roll-your-own". I agree that secret salt makes this less likely, but considering the Google attack may influence implementation including how the salt is selected or maybe whether the resulting hash is ever published in a Google-able space. #my sig used to say 'I humbly seek wisdom. '. Now it says: use strict; use warnings; I humbly seek wisdom.	[reply]

Replies are listed 'Best First'.

Re^12: monastery mark-upedness (privacy)
by goibhniu (Hermit) on Mar 21, 2008 at 20:54 UTC

I got that. I was only intending to point out a different attack, where the attacker may not know the algorithm or even use their own cpu to do the brute forcing, but let Google do it. I guess it was a leap to go all the way to "roll-your-own". I agree that secret salt makes this less likely, but considering the Google attack may influence implementation including how the salt is selected or maybe whether the resulting hash is ever published in a Google-able space.

#my sig used to say 'I humbly seek wisdom. '. Now it says:
use strict;
use warnings;
I humbly seek wisdom.

[reply]