[WEB SECURITY] Using JavaScript to generate "secure" passwords.

Michael Vance Michael.Vance at salliemae.com
Thu Jan 31 12:42:45 EST 2008


I think that Billy's original point is still valid.  If the algorithm that is being used is known or easily guessed (and the SHA family would be the best first guess for long hash values), then the entropy of the hash results is identical to the entropy of the source and is still subject to pattern analysis and replay techniques.  If you only have 1,000,000 possible source values, you still only have a fixed set of 1,000,000 possible hash values.  Those values may appear to be more random to the human eye because they're longer and cryptographically generated, but all you've done is substitute one set of values for another with a one-to-one relationship.  That would be like saying that a substitution cipher is more secure if you replace each single letter with a three-letter combination.  That may be true, but only trivially so for modern cryptanalytic techniques.

-Michael

>>> "Hoffman, Billy" <billy.hoffman at hp.com> 01/31/2008 08:45 AM >>>
Probably a good thing I don't design cryptographic algorithms! ;-)

-----Original Message-----
From: Vincent Archer [mailto:varcher at denyall.com] 
Sent: Thursday, January 31, 2008 5:13 AM
To: Hoffman, Billy
Cc: Brian Eaton; Stephan Wehner; securesauce at gmail.com; websecurity at webappsec.org 
Subject: Re: [WEB SECURITY] Using JavaScript to generate "secure" passwords.


On Wed, 2008-01-30 at 20:03 +0100, Hoffman, Billy wrote:
> This tells us a few things: The seed will always be numeric. That drastically reduces possible character set (and thus entropy) of what you are SHA-1ing.

If you assume that SHA is (relatively) cryptographically correct, it is
not a problem. A hashing function removes all regularities in the
original source, and it simply caps the total entropy of the data to
whatever bit total the final hash is.

In other words, it should not matter if you have a 500 byte source, with
1 bit of entropy per byte, or a 100 byte source with 5 bits of entropy
per byte: you should end up with a 256-bit random value after hashing to
256 bits (having lost 250 bits of entropy in the way).

> What should you take away from all of this? GATHERING ENTROPY IS HARD! Only the most extreme least significant bits of operations like latency between disk reads, network traffic, cache hits, etc, are used. You have access to none of this in JavaScript. JavaScript does provide a large number of significant digits with its Date object. Checking time between user events and only using the least significant bits might be an acceptable approach, but I imagine you would need to gather a lot of data to do it.


The problem here is not in the way entropy is gathered, but in the
source of entropy. Mouse positions are a weak source of entropy, so you
need to gather a lot of them to get enough entropy for your data source.
The way you store them before throwing them into a good bit mixer does
not matter.

In fact, the fewer operations you make on the data gathered, the better
off you are. Chopping off bits from the data to keep only the "least
significant bits" will result in less entropy per sample, not more. The
difficulty is in estimating how many bits of entropy you got, which
gives you the time when you can finally get your random number.

--
Vincent ARCHER
varcher at denyall.com 

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 23, rue Notre Dame des Victoires - 75002 Paris - France



----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/ 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
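
Added example, not part of the original thread: a Node.js sketch of the two claims above, that hashing a small seed space yields exactly as many outputs as seeds, and that a hash caps entropy at its digest length without adding any. The generator passwordFromSeed, the seed values and the 100,000-seed space are constructed for illustration.

```javascript
const crypto = require('crypto');

// Hypothetical generator of the kind discussed in the thread: SHA-1 of a numeric seed.
function passwordFromSeed(seed) {
  return crypto.createHash('sha1').update(String(seed)).digest('hex');
}

// Map every possible output back to its seed. The map can never hold more
// entries than there are seeds, however long each digest looks.
function outputTable(seedSpace) {
  const table = new Map();
  for (let seed = 0; seed < seedSpace; seed++) {
    table.set(passwordFromSeed(seed), seed);
  }
  return table;
}

// Upper bound on entropy after hashing: the entropy of the source,
// capped at the digest length. Hashing never raises it.
function entropyAfterHash(sourceBits, digestBits) {
  return Math.min(sourceBits, digestBits);
}

// Same output format, drawn from the platform CSPRNG instead of a guessable
// seed (Node: crypto.randomBytes; browsers: crypto.getRandomValues).
function passwordFromCsprng(bytes = 20) {
  return crypto.randomBytes(bytes).toString('hex');
}

// Constructed demo: 100,000 seeds keeps the run short; the 1,000,000-value
// case from the thread behaves the same way.
const SEED_SPACE = 100000;
const demoTable = outputTable(SEED_SPACE);
const demoOutput = passwordFromSeed(31337);
console.log('digest length (hex chars):', demoOutput.length);
console.log('distinct outputs:', demoTable.size);
console.log('seed behind the sample output:', demoTable.get(demoOutput));
console.log('bits, seeded:', entropyAfterHash(Math.log2(SEED_SPACE), 160).toFixed(1));
console.log('bits, CSPRNG:', entropyAfterHash(8 * 20, 160));
```
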

