About: CONFIG_FEATURE_SHA1_PASSWORDS

Jason Schoon floydpink at gmail.com
Mon Jan 30 22:41:44 UTC 2006


I don't know if I would say either is more secure than the other anymore.
SHA1 has problems of its own:
http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

I think it would be prudent though to just include the necessary missing
files and have both MD5 and SHA1 as options.



On 1/30/06, Rob Landley <rob at landley.net> wrote:
>
> On Monday 30 January 2006 14:07, Tito wrote:
> > Hi,
> > It seems to me that CONFIG_FEATURE_SHA1_PASSWORDS is broken:
> >
> > 1) It is not in our config system
> > 2) it is used only in these files:
> >  /busybox/include/libbb.h
> >  /busybox/include/usage.h
> >  /busybox/libbb/pw_encrypt.c
> > 3) it needs at least two more files
> >      sha1.c
> >      sha1.h
> >     to compile (they could be found in some versions of tinylogin)
>
> And the current implementation makes no use whatsoever of the salt value
> you
> just added.
>
> > So should we fix it and add the missing files, the entries in Config.in
> > and in the makefiles or should we remove all references to it.
> >
> > Some hints?
>
> I believe it's a generally more secure algorithm than md5.  People can now
> synthesize md5 hash collisions (although not necessarily collisions for a
> _specific_ hash...)
>
> http://eprint.iacr.org/2005/075
>
> Of course if they grab your file of encrypted keys they can brute force
> the
> human-typeable keyspace in a finite amount of time on a modern laptop
> anyway.
>
> SHA1 is what git is based on.
>
> > Ciao,
> > Tito
>
> Rob
> --
> Steve Ballmer: Innovation!  Inigo Montoya: You keep using that word.
> I do not think it means what you think it means.
> _______________________________________________
> busybox mailing list
> busybox at busybox.net
> http://busybox.net/cgi-bin/mailman/listinfo/busybox
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.busybox.net/pipermail/busybox/attachments/20060130/4598a35c/attachment-0002.htm 


More information about the busybox mailing list