Jordan, while agreeing on everything, I consider the term "script
kiddie" to be very useful.
It is useful to describe a certain type of attack: basically an
automated attack by an uneducated user. It can be characterised by using
a preprogrammed tool (the script) without any knowledge of what is
to keep your mouth
shut in the first place. Just my opinion though.
- Original Message -----
From: "Thomas Tomiczek" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 10, 2003 3:57 AM
Subject: Re: [ADVANCED-DOTNET] Salt in PasswordDeriveBytes
IMHO there
nuary 10, 2003 4:45 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ADVANCED-DOTNET] Salt in PasswordDeriveBytes
>
>
> What I stated in my email was a simple way to provide some
> advantage of a true salt along with some advantage of
> simple-to-maintain code. Nothing is &quo
Craft, Steve [mailto:[EMAIL PROTECTED]]
>> Sent: Wednesday, January 08, 2003 7:08 PM
>> To: [EMAIL PROTECTED]
>> Subject: Re: [ADVANCED-DOTNET] Salt in PasswordDeriveBytes
>>[snip]
You can read messages from the Advanced DOTNET archive, unsubscribe from Advanced
DOTNET, or
subscribe to other DevelopMentor lists at http://discuss.develop.com.
[EMAIL PROTECTED]]
> Sent: Thursday, January 09, 2003 8:57 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ADVANCED-DOTNET] Salt in PasswordDeriveBytes
>
>
> Gosh, that's being a bit harsh. He already admitted that it's
> not as secure as a random salt. While it's true
as when using a random salt, but he is
correct in stating that it will slow down, if not keep out, script kiddies.
-Andy Hopper
- Original Message -
From: "Thomas Tomiczek" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 09, 2003 3:08 AM
S
)
> -Original Message-
> From: Craft, Steve [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 08, 2003 7:08 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ADVANCED-DOTNET] Salt in PasswordDeriveBytes
>
>
> In the case of storing username/password in a database tabl
-DOTNET] AW: [ADVANCED-DOTNET] Salt in
PasswordDeriveBytes
> you should consider encrypting that fixed random salt with dpapi :)
I have to assume you're joking. Right?
]
Betreff: Re: [ADVANCED-DOTNET] Salt in PasswordDeriveBytes
> That's not the most earth-shattering way of doing things, but
> it should slow
> down any script-kiddie that gets the password file; he will
> have to append
> the username to every password try on every different table
> row. It also
> makes the salt different for each user, but is easier to
rom: Craig Andera [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 08, 2003 10:47 AM
To: [EMAIL PROTECTED]
Subject: Re: [ADVANCED-DOTNET] Salt in PasswordDeriveBytes
>
>
> But the
> question was asking about salts, it wasn't asking for a
> recommendation on
> the ent
In the case of storing username/password in a database table, I just use a
"salt" of the username backwards and append that to the password before it
gets encrypted and written to the password column.
In normal app usage, the username is looked up and then the backwards
username is appended to the
>
>
> But the
> question was asking about salts, it wasn't asking for a
> recommendation on
> the entire authentication infrastructure. Even if it was,
> there was not
> enough information given about the application for anyone to
> just say "use a
> public key cryptosystem".
Sounds like we w
a
public key cryptosystem".
Jordan Frank
eBusiness Applications
www.ebusinessapplications.ca
[EMAIL PROTECTED]
- Original Message -
From: "Craig Andera" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 07, 2003 6:59 AM
Subject: Re: [ADVANCED-DOTNET] Salt i
> Just one more question -
>
>
> since the default random number generator blows.
>
>
> I assume you are saying System.Random blows, not
> System.Security.Cryptography.RandomNumberGenerator.
>
> Is this correct?
Right. Although RandomNumberGenerator is just the abstract base.
RNGCryptoService
PROTECTED]]
Sent: Tuesday, January 07, 2003 8:46 AM
To: [EMAIL PROTECTED]
Subject: Re: [ADVANCED-DOTNET] Salt in PasswordDeriveBytes
The more I think about it, the more I come to realize that the salt should
never leave the server. It adds nothing, and takes away something. Its
whole purpose is to
Either I'm not understanding your strategy, or there are some problems
with it. I'm not sure which is more likely. :)
> You're right about the salt, it's basically to make it so the
> same password
> will not lead to the same hash, and also to prevent
> pre-computed dictionary
> attacks, where a
The more I think about it, the more I come to realize that the salt
should never leave the server. It adds nothing, and takes away
something. Its whole purpose is to make it somewhat harder to perform
dictionary attacks against the password database. Transmitting it on the
wire is just going to ma
stems
use them than use public-key cryptosystem schemes.
All opinions stated in this email are my own and do not necessarily reflect
those of my employer, or anyone else for that matter.
- Original Message -
From: "Pinto, Ed" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Se
bage" need to be shared, if so, how is this achieved?
Cheers,
Ed
-Original Message-
From: Craig Andera [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 06, 2003 2:44 PM
To: [EMAIL PROTECTED]
Subject: Re: [ADVANCED-DOTNET] Salt in PasswordDeriveBytes
Err, I think your protocol is sti
D]]
> Sent: Monday, January 06, 2003 12:50 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ADVANCED-DOTNET] Salt in PasswordDeriveBytes
>
>
> Hey Craig,
> Thanks for the reply. I guess I should have been more clear.
> I agree that
> channel encryption is important, howeve
On 06 January 2003 17:50, Pinto, Ed wrote:
> I guess I'm somewhat confused about two commonly used terms - salt and
> nonce. What you refer to as "random salt" I've always thought as a
nonce
> ("number used once"). To me, the term salt has always represented a
> randomly generated, but persisted
Hey Craig,
Thanks for the reply. I guess I should have been more clear. I agree that
channel encryption is important, however, my question is about the security
protocol, not about the channel.
I guess I'm somewhat confused about two commonly used terms - salt and
nonce. What you refer to as "r
Also see HTTP digest authentication in RFC 2617 [1] which discusses the
appropriate security issues and includes a C sample implementation.
Unfortunately, you will suffer from dictionary attacks unless you use
asymmetric keys or shared secrets but maintaining those is an overhead
you might not wish
> There is a thread in the old DotNet archive that talks about
> how to protect against replay attacks without using SSL. I
> believe it has to do with the client requesting a token from
> the server, then hashing the token with the password and
> passing that to the server on a second trip.
I
Tomiczek
THONA Consulting Ltd.
(Microsoft MVP C#/.NET)
> -Original Message-
> From: Franklin Gray [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 06, 2003 6:01 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ADVANCED-DOTNET] Salt in PasswordDeriveBytes
>
>
> Ther
.
-Original Message-
From: Craig Andera [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 06, 2003 10:08 AM
To: [EMAIL PROTECTED]
Subject: Re: [ADVANCED-DOTNET] Salt in PasswordDeriveBytes
> Can someone help me understand the usage of a salt in
> PasswordDeriveBytes?
> I think I understand, but I want confirmation. Right now, I
> create a salt
> for each user when the user is created. I use
> PasswordDeriveBytes to create
> a userkey based on a password and the salt. Then I sto
Can someone help me understand the usage of a salt in PasswordDeriveBytes?
I think I understand, but I want confirmation. Right now, I create a salt
for each user when the user is created. I use PasswordDeriveBytes to create
a userkey based on a password and the salt. Then I store the userkey an