
Re: problem with form-data (get/post): msg#00014

Subject: Re: problem with form-data (get/post)



(wrong thread - careful)

For the client to generate the encrypted password, the client (and by
extension, the attacker) needs to know the salt.

Having the client generate the hashed password does not gain you anything.
In fact, it can reduce your population set since it has not been shown
that for all A and A' (where A != A'), des(A) != des(A').  In fact, I think
it has been shown that there are some A and A' (A != A') where des(A) ==
des(A').  Therefore, for the entire population of A, des(A) is a smaller
population.  This is due to the des password hashing algorithm throwing
away bits.  MD5 has the same theoretical possibility (although the chances
are much smaller).



Back to the original question - If the OP is not running a javascript
implementation of 3des, but is using a perl module, how is he running perl
in the browser?


Brian
--
Brian T. Wightman                brian.t.wightman@xxxxxxx
Global Data Management          http://pdm.cg.jci.com/
Johnson Controls, Controls Group          (414) 524-4025

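As an added example (not part of the thread), the Python below models the key-derivation step of traditional DES crypt(3) to show where Brian's des(A) == des(A') comes from: only the first 8 characters, and only the low 7 bits of each, reach the 56-bit DES key, so longer or high-bit-differing passwords are thrown away before hashing starts. The function names are my own, and the DES rounds themselves are not modelled, since identical key material already guarantees an identical hash for a given salt.

```python
# Added example: models only the key-derivation step of traditional
# DES crypt(3), not the DES rounds, to show why distinct passwords can
# produce the same hash (the "throwing away bits" point above).

def des_crypt_key(password: str) -> bytes:
    """Return the 8 key bytes traditional crypt(3) derives from a password.

    crypt(3) uses at most the first 8 characters and keeps only the low
    7 bits of each, shifting left one position so that the byte's top
    bit (DES's ignored parity bit) is never part of the key. Shorter
    passwords are padded with zero bytes; everything after the 8th
    character is silently discarded. Non-Latin-1 characters are out of
    scope for this model and are replaced.
    """
    raw = password.encode("latin-1", "replace")[:8].ljust(8, b"\0")
    return bytes(((b & 0x7F) << 1) for b in raw)


def same_des_hash(a: str, b: str) -> bool:
    """True when crypt(3) would yield identical hashes under any one salt.

    Equal key material implies an equal hash, because the salt and the
    constant all-zero plaintext block are the same for both passwords.
    """
    return des_crypt_key(a) == des_crypt_key(b)


def collision_groups(passwords: list[str]) -> list[list[str]]:
    """Group a candidate list by derived key; return groups of size > 1.

    Each returned group is a set of passwords that the DES-based hash
    cannot tell apart, i.e. the population shrinkage the reply describes.
    """
    groups: dict[bytes, list[str]] = {}
    for pw in passwords:
        groups.setdefault(des_crypt_key(pw), []).append(pw)
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    # Constructed sample: one truncation collision, one high-bit collision.
    sample = ["correcthorse", "correcthorsebattery", "cafi", "caf\xe9", "password"]
    for group in collision_groups(sample):
        print("indistinguishable under DES crypt:", group)
```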

From:     ghankerson01@xxxxamline.edu
Sent:     06/18/2004 08:33 AM
To:       cgiapp@xxxxxxxxxxxxxxxxx
cc:
Subject:  Re: [cgiapp] problem with form-data (get/post)




My understanding is that this kind of encryption uses a
"salt". In other words you add a string (salt) to the user's password
and in your application (typically a database)
you store the encrypted concatenation of the password and the salt.  So
the weak point is the salt string. If someone can brute force find your
salt string you are in trouble.

>>> <Brian.T.Wightman@xxxxxxx> 06/18/04 06:45 AM >>>




How are you running perl in the browser (perlscript)?

Brian
--
Brian T. Wightman                brian.t.wightman@xxxxxxx
Global Data Management          http://pdm.cg.jci.com/
Johnson Controls, Controls Group          (414) 524-4025


From:     jd@xxxxxxxxxxx
Sent:     06/18/2004 04:08 AM
To:       cgiapp@xxxxxxxxxxxxxxxxx
cc:
Subject:  Re: [cgiapp] problem with form-data (get/post)





I'm using the TripleDES function from the Perl module Crypt::TripleDES -
no javascript function.

Jan


Clayton Scott wrote:

> Jan Dworschak wrote:
>
>> Hi,
>>
>> maxlength is already set in the input field with a value of 256 (that
>> should be enough).
>>
> Are you sure that your TripleDES javascript function is not to blame?
> Javascript doesn't
> always work the same in all browsers.
>
> Clayton
>


---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/cgiapp@xxxxxxxxxxxxxxxxx/
              http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: cgiapp-unsubscribe@xxxxxxxxxxxxxxxxx
For additional commands, e-mail: cgiapp-help@xxxxxxxxxxxxxxxxx









