Re: [Firebird-devel] HASH function (CORE-4436)
> > I think the point is, if a cracker has a security database, it can run > > billions of SHA1 hashes per second using the same salt in a brute > > force attack, because SHA1 is a fast (suitable to hash large files) > > algorithm. > > > > With bcrypt, with is purposely slow, the cracker can't do a brute > > force attack so easily. > > That's another issue, different from the one actively discussed last time > when 2 different documents have same SHA1 hash, which is often correctly > mentioned as "SHA1 weakness". I agree that HASH() and ENCRYPT() are completely different problems. Let's not "pollute" this thread with discussions about the complete unsuitability of HASH() for password handling. We can't control that a developer might not realize that HASH() <> ENCRYPT(). Sean -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
[Firebird-devel] [FB-Tracker] Reopened: (CORE-5570) Negative infinity (double) shown incorrectly without sign in isql
[ http://tracker.firebirdsql.org/browse/CORE-5570?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Adriano dos Santos Fernandes reopened CORE-5570: Fix Version/s: (was: 4.0 Alpha 1) (was: 3.0.3) > Negative infinity (double) shown incorrectly without sign in isql > - > > Key: CORE-5570 > URL: http://tracker.firebirdsql.org/browse/CORE-5570 > Project: Firebird Core > Issue Type: Bug > Components: ISQL >Affects Versions: 3.0.2 >Reporter: Jiri Cincura >Assignee: Adriano dos Santos Fernandes >Priority: Minor > > Storing Double.NegativeInfinity > (https://msdn.microsoft.com/en-us/library/system.double.negativeinfinity(v=vs.110).aspx) > stores it correctly (correct value is read back), but in isql the sign is > not shown. > SQL> select * from test; > D > === >Infinity >Infinity > The second value should be negative (was stored as negative). -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://tracker.firebirdsql.org/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
[Firebird-devel] FB3 ICU (v52)
Adriano, could you upload to https://github.com/FirebirdSQL the source code of ICU from FB3? Thanks, Dmitry Kovalenko www.ibprovider.com -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdotFirebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] HASH function (CORE-4436)
On 21.07.2017 14:43, Adriano dos Santos Fernandes wrote: On 21/07/2017 08:00, Alex via Firebird-devel wrote: Mark, this is interesting. I know bcrypt is very used by nodejs/expess people and I even used it myself. But what is more interesting, isn't Firebird still using these "not suitable for passwords" hashes in recent versions? AFAIK it uses SHA1 with per user SALT. Yes, but SHA1 weakness becomes important only when password becomes as long as hash, i.e. 20 bytes for sha1. Without enforcing users to have long passwords replacing hash makes no sense. I think the point is, if a cracker has a security database, it can run billions of SHA1 hashes per second using the same salt in a brute force attack, because SHA1 is a fast (suitable to hash large files) algorithm. With bcrypt, with is purposely slow, the cracker can't do a brute force attack so easily. That's another issue, different from the one actively discussed last time when 2 different documents have same SHA1 hash, which is often correctly mentioned as "SHA1 weakness". If we talk about stolen security database and passwords brute forcing - SRP + SHA1 hashes are weak if passwords are short. If password is random 20 bytes sequence brute force attack requires unreal computational resources. (This was discussed with Jim here or may be in architect a few years ago). Use of computational-heavy hash can make SRP better but it's not as efficient as use of long password (linear vs exponential dependency). As an additional problem with this approach let's not forget DoS attacks - it's much simpler to DoS a system that needs a lot of resources for initial login validation, just run a lot of fake logins to it. The only 'small' problem with long passwords is that people do not want to remember & type random 20 bytes sequence as password. This can be solved as follows. Minimum length of user password should be limited, but something typical for today (like 10 bytes containing letters & digits & punctuation) should be enough. Real password for SRP is a random bytes' sequence, short password from the client is used as an encryption key for any computational-heavy crypt (not hash!) algorithm, used to encrypt that random sequence. When setting password for a user this random bytes' sequence is used as a password for SRP and also stored in an encrypted form in that same security database. When user logins with short password encrypted random sequence appropriate for passed login is retuned to the client which must decrypt it himself. This helps to solve DoS attack problem - heavy computational algorithm is run by client, not server. Client decrypts initial random sequence and uses it for normal SRP authentication. This authentication can be added as plugin to any FB versions starting with 3, no changes in basic soft is needed. -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] HASH function (CORE-4436)
On 21/07/2017 08:00, Alex via Firebird-devel wrote: >>> >> Mark, this is interesting. I know bcrypt is very used by nodejs/expess >> people and I even used it myself. >> >> But what is more interesting, isn't Firebird still using these "not >> suitable for passwords" hashes in recent versions? >> >> AFAIK it uses SHA1 with per user SALT. >> > > Yes, but SHA1 weakness becomes important only when password becomes as > long as hash, i.e. 20 bytes for sha1. Without enforcing users to have > long passwords replacing hash makes no sense. I think the point is, if a cracker has a security database, it can run billions of SHA1 hashes per second using the same salt in a brute force attack, because SHA1 is a fast (suitable to hash large files) algorithm. With bcrypt, with is purposely slow, the cracker can't do a brute force attack so easily. Adriano -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] HASH function (CORE-4436)
On 21.07.2017 13:38, Adriano dos Santos Fernandes wrote: On 19/07/2017 15:51, Mark Rotteveel wrote: In most cases original string (password) is not even stored and hashes are used to check if a password matches a previously one. The proposed hashes are **not** suitable for passwords; you shouldn't use a pure cryptographic hash for passwords as they are optimized for speed. For passwords you need to use an algorithm with a work factor/iteration count (eg pbkdf2, bcrypt) that slows it down. Mark, this is interesting. I know bcrypt is very used by nodejs/expess people and I even used it myself. But what is more interesting, isn't Firebird still using these "not suitable for passwords" hashes in recent versions? AFAIK it uses SHA1 with per user SALT. Yes, but SHA1 weakness becomes important only when password becomes as long as hash, i.e. 20 bytes for sha1. Without enforcing users to have long passwords replacing hash makes no sense. -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] Getting attachment_id from IAttachment
On 21.07.2017 11:08, Jiří Činčura wrote: Hi *, is there a way to get attachement_id (the same as in mon$attachments) from IAttachment isntance? Certainly. Use isc_info_attachment_id in IAttachment::getInfo(). -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] HASH function (CORE-4436)
On 19/07/2017 15:51, Mark Rotteveel wrote: > >> >> In most cases original string (password) is not even stored and hashes >> are used to check if a password matches a previously one. > > The proposed hashes are **not** suitable for passwords; you shouldn't > use a pure cryptographic hash for passwords as they are optimized for > speed. For passwords you need to use an algorithm with a work > factor/iteration count (eg pbkdf2, bcrypt) that slows it down. > Mark, this is interesting. I know bcrypt is very used by nodejs/expess people and I even used it myself. But what is more interesting, isn't Firebird still using these "not suitable for passwords" hashes in recent versions? AFAIK it uses SHA1 with per user SALT. This page describes it as insecure: http://dustwell.com/how-to-handle-passwords-bcrypt.html Adriano -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
[Firebird-devel] Getting attachment_id from IAttachment
Hi *, is there a way to get attachement_id (the same as in mon$attachments) from IAttachment isntance? -- Mgr. Jiří Činčura https://www.tabsoverspaces.com/ -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
