[17449] in cryptography@c2.net mail archive


Re: encrypted tapes (was Re: Papers about "Algorithm hiding" ?)

daemon@ATHENA.MIT.EDU (astiglic@okiok.com)
Thu Jun 9 18:34:45 2005

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <E1DgFEx-0000sH-00@medusa01.cs.auckland.ac.nz>
Date: Thu, 9 Jun 2005 17:07:08 -0400 (EDT)
From: astiglic@okiok.com
To: "Peter Gutmann" <pgut001@cs.auckland.ac.nz>
Cc: astiglic@okiok.com, perry@piermont.com, cryptography@metzdowd.com

> astiglic@okiok.com writes:
>
>> I saw a lot of requirements by security auditors that looked pretty
>> silly.
>
> "Must use 128-bit RSA encryption" has to be the all-time favourite.
>
> One I saw recently was a requirement for using X9.17 key management... in
> SSL.
>
> Peter.

One of my favourites was that "PINs had to be hashed" (these were PINs
for authentication in a proprietary application/system). The justification
(given by the auditor) was that people who had access to the database
should not be able to see the PINs in the clear. These were 4-digit PINs, so
the developers just SHA-1'd the PINs. Later on, the developers had to
export the PINs into another application that had its own way to protect
the PINs, so they launched a brute-force attack on all of the PINs; of
course this was easy because the input space was very small and the hash
function did not involve any secret key, no salt, no iterations... Talk
about protection!

--Anton
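As an added illustration of Anton's point (this is not code from the mail or the thread), the Python below quantifies the exposure: with 4-digit PINs and plain SHA-1, a table of all 10,000 digests recovers every PIN in the table's size worth of hashing, and salting or iterating cannot change that because the input space itself is the weakness. The keyed variant using HMAC with a server-side key (`hmac_pin`, a hypothetical scheme chosen here for contrast) is the one property the mail lists as missing that actually defeats an offline table, as long as the key is stored outside the database. The user records and the 4-digit PINs are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Every possible 4-digit PIN: the entire input space an attacker has to cover.
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]


def sha1_pin(pin: str) -> str:
    """The scheme from the mail: plain SHA-1 over the PIN, no key, no salt,
    no iterations."""
    return hashlib.sha1(pin.encode()).hexdigest()


def build_sha1_table() -> dict:
    """One-time table mapping digest -> PIN for the whole space.
    Anyone with read access to the database can build this in milliseconds."""
    return {sha1_pin(p): p for p in PIN_SPACE}


def recover_all(stored: dict, table: dict) -> dict:
    """Look every stored digest up in a precomputed table.
    Returns user -> PIN (None where the table has no match)."""
    return {user: table.get(digest) for user, digest in stored.items()}


def hmac_pin(key: bytes, pin: str) -> str:
    """Keyed alternative (hypothetical, not from the mail): HMAC-SHA-256 under a
    server-side key that is never stored next to the database rows.
    Without the key, a digest table cannot be precomputed."""
    return hmac.new(key, pin.encode(), hashlib.sha256).hexdigest()


def build_hmac_table(key: bytes) -> dict:
    """Same 10,000-entry table, but only useful if built with the real key."""
    return {hmac_pin(key, p): p for p in PIN_SPACE}


def verify_hmac_pin(key: bytes, pin: str, stored: str) -> bool:
    """Constant-time check used at login; the key is needed here too."""
    return hmac.compare_digest(hmac_pin(key, pin), stored)


# Constructed sample database: three users with 4-digit PINs.
USERS = {"alice": "0420", "bob": "1234", "carol": "9999"}
SHA1_DB = {u: sha1_pin(p) for u, p in USERS.items()}

# Server-side key for the keyed scheme; in practice this lives in an HSM,
# a KMS, or at least a file the database user cannot read.
SERVER_KEY = secrets.token_bytes(32)
HMAC_DB = {u: hmac_pin(SERVER_KEY, p) for u, p in USERS.items()}


if __name__ == "__main__":
    table = build_sha1_table()
    print("SHA-1 scheme, recovered:", recover_all(SHA1_DB, table))
    # An attacker who has the rows but not the key can only guess a key.
    wrong_key_table = build_hmac_table(b"attacker-guess")
    print("HMAC scheme, recovered without key:", recover_all(HMAC_DB, wrong_key_table))
```

Two caveats a reviewer would attach to the keyed scheme: if the key is ever exported together with the rows (exactly the migration situation in the mail), the attacker is back to 10,000 guesses per PIN, so the control is key separation, not the MAC; and nothing here limits online guessing, so a lockout or rate limit on the authentication path is still required for a 4-digit secret.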



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
