Back to Top

Tuesday, August 18, 2009

Know thy (cryptographic) functions

More than I year ago I mentioned that VNC uses only the first 8 characters of the password to validate it. Today I found an other situation where this happens: the crypt function (to be fair, the glibc version of it has the option of using all the characters, but still we have the issue of legacy code). From the manpage (emphasis added):

By taking the lowest 7 bits of each of the first eight characters of the key, a 56-bit key is obtained.

Other software can also be exposed indirectly to this issue, for example PHP contains a binding to crypt which can use the old (insecure) way for generating hashes.

In conclusion:

  • good - train yourself and your peers / subordinates in security issues
  • better - limit the security code to a small library and validate it thoroughly
  • best - use a third-party, independently validate, high-level library which uses industry standard functions


Post a Comment

You can use some HTML tags, such as <b>, <i>, <a>. Comments are moderated, so there will be a delay until the comment appears. However if you comment, I follow.