Date: Thu, 13 Oct 2022 15:55:32 +0200 From: Matthias Apitz <guru@...xarea.de> To: john-users@...ts.openwall.com Subject: Re: using john to decrypt DES hashes El día jueves, octubre 13, 2022 a las 02:29:57p. m. +0200, Solar Designer escribió: > Hello Matthias, > > On Thu, Oct 13, 2022 at 11:18:59AM +0200, Matthias Apitz wrote: > > Me and my company are managing large databases wherein the PIN of users > > are hashed with UNIX crypt(3) in the old DES form and a fixed salt "xX". > > With large I mean some thousands. For data security reasons we want to > > move to a better algorithm, "yescrypt", and when the user provides the > > PIN in clear, it is checked against the old DES hash, and when correct > > the field in the database is updated to "yescrypt" by our software. So > > far so good. I also want to update the (remaining) old hashes to "yescrypt" > > before some hacker is using them, if he got access to the DES strings. > > This makes sense, but you can instead use the existing DES-based hashes > as input to yescrypt. That way, you can upgrade all of your hashes to > yescrypt-of-descrypt at once, without needing to wait for users to log > in nor cracking any hashes. > > yescrypt-of-descrypt has subtly different security properties from > direct application of yescrypt, but it's certainly a major upgrade > compared to descrypt alone. Hello Alexander, Thanks for your feedback. Do I understand you correct: I yescrypt all DES strings in the database and when the user presents the PIN 4711 I first crypt the with DES and the old salt 'xX' and the result with yescrypt and the stored "$y$...." salt and when this match the user is authenticated, correct? What would be the security problem with this compared with direct application of yescrypt? Thanks matthias -- Matthias Apitz, ✉ guru@...xarea.de, http://www.unixarea.de/ +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.