hype-free: Know thy (cryptographic) functions

Tuesday, August 18, 2009

Know thy (cryptographic) functions

More than I year ago I mentioned that VNC uses only the first 8 characters of the password to validate it. Today I found an other situation where this happens: the crypt function (to be fair, the glibc version of it has the option of using all the characters, but still we have the issue of legacy code). From the manpage (emphasis added):

By taking the lowest 7 bits of each of the first eight characters of the key, a 56-bit key is obtained.

Other software can also be exposed indirectly to this issue, for example PHP contains a binding to crypt which can use the old (insecure) way for generating hashes.

In conclusion:

good - train yourself and your peers / subordinates in security issues
better - limit the security code to a small library and validate it thoroughly
best - use a third-party, independently validate, high-level library which uses industry standard functions

0 comments:

Post a Comment

You can use some HTML tags, such as <b>, <i>, <a>. Comments are moderated, so there will be a delay until the comment appears. However if you comment, I follow.

Using the embedded comment form requires JavaScript to be turned on for the blogger.com domain. However, you can still comment using the traditional method.