At least we can change from sha1 to sha2 , in some casese it can help with
password guessing (dictionary atttacks)
http://opine.me/blizzards-battle-net-hack/
Also I would choose a better hash step
http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords/31846#31846
The fundamental concepts behind SRP (which is linked to Diffie-Hellman) are
still sound, but there are two steps which must be taken for any SRP
implementation to be secure against these attacks:
1. The bit-length of the modulus āNā must be at least 1024-bit to
prevent an attacker from computing the discrete logarithm
2. The hashing step currently defined as a two-step SHA1 in RFC 2945
must be replaced with at least PBKDF2, bcrypt, or scrypt, with an
appropriate iteration count / tuning parameters to deter from dictionary
attacks
http://opine.me/srp-to-sha1/
On Nov 26, 2014 3:52 AM, "James Starkey" <[email protected]> wrote:
> On the list of vulnerabilities, this probably about 250. The probability
> of a random collision is something like 2^79 instead of the design goal of
> 2^128, but the probabilty of a manufactured duplicate is still around 2^128.
>
> SSL sucks right, left, and center by comparison -- it has zippo protection
> in the face of government intrusion,
>
> There are many, many more important things to worry about than SSH-1. One
> should try to use the best available technology, but getting your knickers
> in a twist over an insignificant vulnerability just isn't called for.
>
>
> On Tuesday, November 25, 2014, marius adrian popa <[email protected]>
> wrote:
>
>> maybe is time to upgrade to sha-2
>>
>> http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html
>>
>
>
> --
> Jim Starkey
>
>
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
>
> http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
> Firebird-Devel mailing list, web interface at
> https://lists.sourceforge.net/lists/listinfo/firebird-devel
>
>
------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel
