(wrong thread - careful)
For the client to generate the encrypted password, the client (and by
extension, the attacker) needs to know the salt.
Having the client generate the hashed password does not gain you anything.
In fact, it can reduce your population set since it has not been shown
that for all A and A' (where A != A'), des(A) != des(A'). In fact, I think
it has been shown that there are some A and A' (A != A') where des(A) ==
des(A'). Therefore, for the entire population of A, des(A) is a smaller
population. This is due to the des password hashing algorithm throwing
away bits. MD5 has the same theoretical possibility (although the chances
are much smaller).
Back to the original question - If the OP is not running a javascript
implementation of 3des, but is using a perl module, how is he running perl
in the browser?
Brian
--
Brian T. Wightman suppressed
Global Data Management http://pdm.cg.jci.com/
Johnson Controls, Controls Group (414) 524-4025
suppressed amline.edu
06/18/2004 08:33 AM
To: suppressed
cc:
Subject: Re: [cgiapp] problem with form-data (get/post)
My understanding is that this kind of encryption uses a
"salt". In other words you add a string (salt) to the user's password
and in your application (typically a database)
you store the encrypted concatenation of the password and the salt. So
the weak point is the salt string. If someone can brute force find your
salt string you are in trouble.
>>> <suppressed> 06/18/04 06:45 AM >>>
How are you running perl in the browser (perlscript)?
Brian
--
Brian T. Wightman suppressed
Global Data Management http://pdm.cg.jci.com/
Johnson Controls, Controls Group (414) 524-4025
suppressed
06/18/2004 04:08 AM
To: suppressed
cc:
Subject: Re: [cgiapp] problem with form-data (get/post)
I'm using the TripleDES function from the Perl module Crypt::TripleDES -
no javascript function.
Jan
Clayton Scott wrote:
> Jan Dworschak wrote:
>
>> Hi,
>>
>> maxlength is already set in the input field with a value of 256 (that
>> should be enough).
>>
> Are you sure that your TripleDES javascript function is not to blame?
> Javascript doesn't
> always work the same in all browsers.
>
> Clayton
>
---------------------------------------------------------------------
Web Archive: http://www.mail-archive.com/suppressed/
http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: suppressed
For additional commands, e-mail: suppressed
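The bit-discarding step mentioned in the first message above, shown as an added example that is not part of the original thread. It assumes the hash under discussion is traditional DES-based crypt(3), which keys DES with only the first 8 password bytes at 7 bits each and stores the salt in the clear as the first two characters of its output. Function names, sample passwords and the sample crypt string are constructed.

```python
# Added illustration (not from the thread): the password-to-key step of
# traditional DES-based crypt(3). All sample values are constructed.

SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_SPACE = len(SALT_ALPHABET) ** 2   # two salt characters -> 4096 salts
KEY_BITS = 8 * 7                       # 8 characters x 7 bits = 56 bits


def des_crypt_key(password: bytes) -> bytes:
    """Return the 8 DES key bytes that traditional crypt(3) derives.

    Only the first 8 bytes are read, the top bit of each is dropped, and
    the rest is shifted left because DES ignores the low (parity) bit.
    """
    first8 = password[:8].ljust(8, b"\0")
    return bytes((b & 0x7F) << 1 for b in first8)


def same_key(a: bytes, b: bytes) -> bool:
    """True when two different passwords feed DES the same key, so they
    produce the same hash under any given salt."""
    return a != b and des_crypt_key(a) == des_crypt_key(b)


def stored_salt(crypt_string: str) -> str:
    """The salt is readable: it is the first two characters of the
    13-character crypt output."""
    if len(crypt_string) != 13 or any(c not in SALT_ALPHABET for c in crypt_string):
        raise ValueError("not a traditional DES crypt string")
    return crypt_string[:2]


if __name__ == "__main__":
    pairs = [
        (b"correcthorse1", b"correcthorse2"),  # differ only after byte 8
        (b"pass\xe9", b"passi"),               # differ only in the top bit
        (b"password", b"passwore"),            # differ within the kept bits
    ]
    for a, b in pairs:
        print(a, b, "same key" if same_key(a, b) else "different key")
    # Constructed placeholder string, not a real hash.
    print("salt:", stored_salt("ab" + "." * 11), "of", SALT_SPACE, "possible")
```
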