undefined | Better HN

0 pointsmasklinn1y ago0 comments

They clearly wanted something stronger than "a hash function" or they'd have reached for weaker cryptographic hashes.

0 comments

They wanted a hard-to-compute cryptographic hash function. Today, that means bcrypt or something with a KDF construction. However, they needed one with unlimited input size, which rules out bcrypt.

tptacek1y ago

Or just a hash of the bcrypt hash, for the password!

I don't like using thought-stopping cliches any more than anybody else does, but this design feels a little cargo-culted. All this stuff follows the more fundamental question of "why is the password mixed into a cache key"?

pclmulqdq1y ago

Yeah, I think both of the following would have worked if they wanted the password involved in a cache key and they wanted bcrypt to be used:

* bcrypt(SHA-512(PW || stuff))

* SHA(stuff || bcrypt(PW))

Disclaimer: Not cryptography advice.

It's still unclear to me why the password is in there.

4 more replies

jedisct11y ago

bcrypt-pbkdf (used in OpenSSH) exists for that purpose.

nyclounge1y ago

Would scrypt solve this problem? Or is it same as bcrypt? Or is scrypt depending on the hardware?

j / k navigate · click thread line to collapse

0 comments

pclmulqdq1y ago

They wanted a hard-to-compute cryptographic hash function. Today, that means bcrypt or something with a KDF construction. However, they needed one with unlimited input size, which rules out bcrypt.

tptacek1y ago

Or just a hash of the bcrypt hash, for the password!

pclmulqdq1y ago

Yeah, I think both of the following would have worked if they wanted the password involved in a cache key and they wanted bcrypt to be used:

* bcrypt(SHA-512(PW || stuff))

* SHA(stuff || bcrypt(PW))

Disclaimer: Not cryptography advice.

It's still unclear to me why the password is in there.

4 more replies

jedisct11y ago

bcrypt-pbkdf (used in OpenSSH) exists for that purpose.

nyclounge1y ago

Would scrypt solve this problem? Or is it same as bcrypt? Or is scrypt depending on the hardware?

j / k navigate · click thread line to collapse