
Re: Secret votes HOWTO

* lantz moore <lmoore@tump.com> [010403 14:16]:
> i was just pointing out that if someone does use someone else's name/email
> as their password, temporary confusion will ensue.

If you can figure out how to get an email address + user-supplied random
data (even if not very random :) + server-supplied random data
(important to be random) out of a single md5/sha1 hash, then hats off to
you. :)

The only known method for finding out *possible* contents of an sha1
hash is brute force checking all inputs. There are known problems with
the md5 hash algorithm and its use in new situations should probably be
considered deprecated though its continued use in existing applications
is more acceptable -- getting the contents out of md5 is still probably
best done through brute force.

So, if the server admins want to prevent brute-force finding out
possible contents of the hash, then they had best throw some 2^64 bits
of randomness in the thing. If the voter wishes to keep the contents of
the hash secret, the voter had best throw in some 2^64 bits of
randomness. (This is to prevent brute-force searching in case one or the
other is chosen weakly.)

Earthlink: The #1 provider of unsolicited bulk email to the Internet.
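
Added example, not part of the original message: a sketch of the hash described above (email + voter-supplied secret + server-supplied secret under SHA-1), with an exhaustive search over guessable secrets to show that a hash stays unmatched as long as either secret is random. The length-prefixed field layout, the 8-byte secret size, the function names and the sample addresses are all assumptions made for this illustration.

```python
import hashlib
import secrets

# Constructed sample data: a small voter roll and a one-byte "weak" secret space.
EMAILS = ["alice@example.org", "bob@example.org", "carol@example.org"]
WEAK_GUESSES = [bytes([i]) for i in range(256)]

def random_secret(nbytes=8):
    """Assumed size: 8 bytes from the OS CSPRNG."""
    return secrets.token_bytes(nbytes)

def ballot_hash(email, voter_secret, server_secret):
    """SHA-1 over the three fields; each is length-prefixed (assumed layout)
    so that different field splits can never produce the same input."""
    h = hashlib.sha1()
    for field in (email.encode("utf-8"), voter_secret, server_secret):
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.hexdigest()

def search_guesses(target, emails, voter_guesses, server_guesses):
    """Try every combination of guesses; return the matching email or None."""
    for email in emails:
        for v in voter_guesses:
            for s in server_guesses:
                if ballot_hash(email, v, s) == target:
                    return email
    return None

if __name__ == "__main__":
    cases = {
        "both weak": (b"\x2a", b"\x07"),
        "server random": (b"\x2a", random_secret()),
        "voter random": (random_secret(), b"\x07"),
    }
    for name, (v, s) in cases.items():
        target = ballot_hash("bob@example.org", v, s)
        found = search_guesses(target, EMAILS, WEAK_GUESSES, WEAK_GUESSES)
        print(name, "->", found)
```

Only the "both weak" case is matched back to an address; with one random secret in the input the same search returns nothing.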
