RE: Cracking a Netscreen password

From: Chris Ess (azarin@tokimi.net)
Date: Sat Sep 13 2003 - 22:01:17 EDT


> You have to be able to restore that hashed password from a backup of the
> config file, so it shouldn't be dynamic once loaded. E.g. no random
> permutations.

"Random" was probably a bad word to use there. Maybe "unknown" or
"possible" would have been a better word.

My point is that any permutations that the device may do on this hash
string are performed when the username or password is changed and is
stored in the configuration. Any future username or password pair
provided will be subject to the same hashing and permutation and then this
new string will be compared against the one in the configuration. If they
match, access is granted. This is how (or roughly how) unix MD5 passwords
work and I can't really see anyone departing far from this basic model
when using some sort of one-way hashing to store authentication
information.

Sincerely,

Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)
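
Added example, not part of the original message and not any vendor's code: a sketch of the store-then-compare model the message describes, showing why a hash restored from a config backup still verifies. PBKDF2-HMAC-SHA256 stands in for the device's unknown hash; the `salt$digest` string format, the function names, and the mixing of the username into the hashed material are assumptions for illustration.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 100_000  # constructed work factor for this demo


def _derive(username: str, password: str, salt: bytes) -> bytes:
    # Deterministic: the same username, password and salt always give the same bytes.
    material = username.encode() + b":" + password.encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def set_password(username: str, password: str) -> str:
    """Runs once, when the credential changes; the result is written to the config."""
    salt = os.urandom(8)  # the only random input, fixed here and stored with the digest
    return f"{salt.hex()}${_derive(username, password, salt).hex()}"


def verify(username: str, password: str, stored: str) -> bool:
    """Login path: reuse the salt from the stored string, re-hash, compare."""
    salt_hex, digest_hex = stored.split("$")
    candidate = _derive(username, password, bytes.fromhex(salt_hex))
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def backup(config: dict) -> str:
    """Stand-in for exporting the device configuration to a file."""
    return json.dumps(config)


def restore(blob: str) -> dict:
    """Stand-in for loading a saved configuration onto a device."""
    return json.loads(blob)


if __name__ == "__main__":
    # Constructed sample credential.
    config = {"admin": set_password("admin", "s3cret")}
    restored = restore(backup(config))
    print("after restore:", verify("admin", "s3cret", restored["admin"]))
    print("wrong password:", verify("admin", "guess", restored["admin"]))
```

Anyone who can read the config holds everything needed to test guesses offline, so the stored string needs the same protection as the backup file itself.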


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:39 EDT