About: CONFIG_FEATURE_SHA1_PASSWORDS
Jason Schoon
floydpink at gmail.com
Mon Jan 30 22:41:44 UTC 2006
I don't know if I would say either is more secure than the other anymore.
SHA1 has problems of its own:
http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
I think it would be prudent though to just include the necessary missing
files and have both MD5 and SHA1 as options.
On 1/30/06, Rob Landley <rob at landley.net> wrote:
>
> On Monday 30 January 2006 14:07, Tito wrote:
> > Hi,
> > It seems to me that CONFIG_FEATURE_SHA1_PASSWORDS is broken:
> >
> > 1) It is not in our config system
> > 2) it is used only in these files:
> > /busybox/include/libbb.h
> > /busybox/include/usage.h
> > /busybox/libbb/pw_encrypt.c
> > 3) it needs at least two more files
> > sha1.c
> > sha1.h
> > to compile (they could be found in some versions of tinylogin)
>
> And the current implementation makes no use whatsoever of the salt value you
> just added.
>
> > So should we fix it and add the missing files, the entries in Config.in
> > and in the makefiles, or should we remove all references to it?
> >
> > Some hints?
>
> I believe it's a generally more secure algorithm than md5. People can now
> synthesize md5 hash collisions (although not necessarily collisions for a
> _specific_ hash...)
>
> http://eprint.iacr.org/2005/075
>
> Of course if they grab your file of encrypted keys they can brute force the
> human-typeable keyspace in a finite amount of time on a modern laptop anyway.
>
> SHA1 is what git is based on.
>
> > Ciao,
> > Tito
>
> Rob
> --
> Steve Ballmer: Innovation! Inigo Montoya: You keep using that word.
> I do not think it means what you think it means.
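Added example, not part of the thread and not BusyBox's pw_encrypt.c code: a sketch of what the two points quoted above mean for a stored password file, namely a SHA1 hash that ignores its salt and the ease of searching human-typeable passwords. The function names, the `rounds$salt$hash` storage format and the sample accounts are constructed for illustration, and PBKDF2-HMAC-SHA1 from Python's hashlib stands in for a salted, iterated scheme.

```python
import hashlib
import hmac
import os

def unsalted_sha1(password):
    """Salt ignored: the same password always yields the same stored value."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password, salt=None, rounds=100_000):
    """Per-entry random salt plus an iterated KDF, which raises the cost of
    every guess made against a copied password file."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${dk.hex()}"  # constructed storage format

def verify_salted(password, stored):
    """Recompute with the stored salt and rounds; compare in constant time."""
    rounds, salt_hex, _ = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, stored)

def accounts_sharing_hash(entries):
    """Audit check: groups of accounts whose stored hash is identical.
    Any hit means the scheme is unsalted (or salts are being reused)."""
    by_hash = {}
    for user, stored in entries.items():
        by_hash.setdefault(stored, []).append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)

# Constructed sample accounts: alice and bob happen to pick the same password.
SAMPLE = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}

def demo():
    unsalted = {u: unsalted_sha1(p) for u, p in SAMPLE.items()}
    salted = {u: salted_hash(p) for u, p in SAMPLE.items()}
    return accounts_sharing_hash(unsalted), accounts_sharing_hash(salted)

if __name__ == "__main__":
    shared_unsalted, shared_salted = demo()
    print("unsalted, accounts with identical hashes:", shared_unsalted)
    print("salted,   accounts with identical hashes:", shared_salted)
```

Without a salt, one precomputed table of common passwords applies to every account at once; with a per-entry salt each stored hash has to be worked on separately.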