Re: [android-developers] Re: hash functions

2011-05-11 Thread Brill Pappin
Nod to Bob on not doing it yourself... there is no reason to do so. There is nothing worse than your masterpiece of unbreakable encryption that only you don't know is full of holes. I've seen some pretty silly things done in the name of "extra encryption" and it's just not worth your time.

Re: [android-developers] Re: hash functions

2011-05-10 Thread Bob Kerns
No -- I've always been fortunate enough to have Bouncy Castle or similar packages available, and haven't had to implement it myself. I *have* implemented similar things in the distant past before we knew quite as much about the problems and solutions. I.e. with a salt, with an insecure hash fun

Re: [android-developers] Re: hash functions

2011-05-10 Thread Nikolay Elenkov
On Wed, May 11, 2011 at 12:35 PM, DanH wrote:
> Of course, hashing a password, per se, doesn't really make it any
> stronger. And doing things like using a salt doesn't do much if the
> concern is simple trial-and-error cracking of a single encrypted
> message (unless you're relying on "security by

Re: [android-developers] Re: hash functions

2011-05-10 Thread Nikolay Elenkov
On Wed, May 11, 2011 at 7:34 AM, Bob Kerns wrote:
> More precisely, you iterate this:
> hash = f(hash)
> where f is some function that is expensive, and does not collapse the space
> of possible values into some smaller set. One way to accomplish this would
> be:
> f(hash) = hash sha1(hash).
> I

Re: [android-developers] Re: hash functions

2011-05-10 Thread Nikolay Elenkov
On Wed, May 11, 2011 at 8:32 AM, Bob Kerns wrote:
> https://www.kb.cert.org/vuls/id/836068
> Nothing new should have been using MD5 for a looong time, and people need to
> know to stay away from it.
> Fake SSL certs that exploit this have been produced. It's not just a
> theoretical concern.

I kn

Re: [android-developers] Re: hash functions

2011-05-10 Thread Bob Kerns
https://www.kb.cert.org/vuls/id/836068

Nothing new should have been using MD5 for a looong time, and people need to know to stay away from it. Fake SSL certs that exploit this have been produced. It's not just a theoretical concern.

On Tuesday, May 10, 2

Re: [android-developers] Re: hash functions

2011-05-10 Thread Nikolay Elenkov
On Tue, May 10, 2011 at 3:59 PM, gjs wrote:
> http://developer.android.com/reference/java/security/spec/MGF1ParameterSpec.html
>
> SHA256, 384, 512

What does the mask generation function have to do with this? Don't just paste random links.

>
> http://developer.android.com/reference/java/security/