Steve Reid (sreid@alpha.sea-to-sky.net)
Sun, 28 Jun 1998 12:04:13 -0700 (PDT)

On Sun, 28 Jun 1998, Simon R Knight wrote:
> If passwords or passphrases never appear in memory, then they
> can't be written to a swapfile, so one solution that I find
> presenting itself, is the possibility of hashing of each character as
> it is entered at the keyboard. A hash of character one, and a hash of
> character two, being hashed together to create a new value which can
> then be hashed with a hash of the third character ... and so on.

This doesn't strike me as a very good idea. If the attacker can get the
final hash, he has the secret key. If he can get each individual
keystroke hash, he can compute the final hash as easily as you can.

Also, if he can get each individual keystroke hash, he can easily deduce
the keys being typed - just hash every possible keystroke (there aren't
very many) until he finds a match, then move on to the next keystroke.

No matter how you slice it, the secret _has_ to be in memory for the
software to use it. Whether the secret is a passphrase or some
complicated hash of a passphrase doesn't matter.

The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:19:09 ADT
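
The weakness described in the reply above, as an added example that is not part of the original message: it builds the proposed per-keystroke hash chain and shows that anything observable in memory (the individual keystroke hashes, or the running value after each key) gives back both the final key and the passphrase at a cost of one small search per keystroke. SHA-256 standing in for the unspecified hash, the exact chaining rule, all function names and the sample passphrase are assumptions; covering the running-value case goes slightly beyond what the message states.

```python
import hashlib
import string

# Assumption: SHA-256 stands in for the unspecified hash function.
KEYSTROKES = string.printable  # every key a user could plausibly type (100 symbols)

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keystroke_hashes(passphrase: str) -> list:
    """Hash of each character, as the proposal computes at key entry."""
    return [H(ch.encode()) for ch in passphrase]

def running_states(hashes: list) -> list:
    """Running value after each keystroke: s1 = h1, s_i = H(s_(i-1) || h_i)."""
    states = [hashes[0]]
    for h in hashes[1:]:
        states.append(H(states[-1] + h))
    return states

def final_key(hashes: list) -> bytes:
    """The value the software finally uses as the secret key."""
    return running_states(hashes)[-1]

def recover_from_keystroke_hashes(hashes: list) -> str:
    """Invert each keystroke hash with a table of every possible keystroke."""
    table = {H(ch.encode()): ch for ch in KEYSTROKES}
    return "".join(table[h] for h in hashes)

def recover_from_running_states(states: list) -> str:
    """Same search when only the running value is seen after each key."""
    out, prev = [], None
    for s in states:
        for ch in KEYSTROKES:
            h = H(ch.encode())
            if (h if prev is None else H(prev + h)) == s:
                out.append(ch)
                break
        else:
            raise ValueError("keystroke outside the assumed alphabet")
        prev = s
    return "".join(out)

def search_cost(length: int) -> tuple:
    """(guesses needed per-keystroke, guesses needed against the final key alone)."""
    return len(KEYSTROKES) * length, len(KEYSTROKES) ** length

if __name__ == "__main__":
    sample = "correct horse 42!"  # constructed sample passphrase
    hs = keystroke_hashes(sample)
    print(recover_from_keystroke_hashes(hs), search_cost(len(sample))[0])
```

The per-keystroke values turn a search over the whole passphrase space into one search of the keystroke alphabet per character, so the intermediate values need the same protection from swap as the passphrase itself.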