> From: "Francesco Albanese" <[EMAIL PROTECTED]> > Hello, > > I have cleaned my code and I updated my patch with a new feature for > salting the password. > > - The salt is generated collecting a timestamp for every valid > keystroke supplied during password prompting: then, the least > significant byte of each timestamp is XORed providing eventually a > 24bits seed for SHA256 function. The first 24bits of the generated > context are used as the salt. > > - Even though I cannot claim that function is Bruce Schneier proof, > the level of complexity added should provide a certain degree of > security against rainbow tables (256bits secure hash, salt derived > from "quite random" events like keystrokes, XOR is a statistical > balanced function ...). > > This patch has been tested on GTA01BV04. It is stil unclear if it > could work on FR (the twin bootloaders shall share the same ENV VARs). > > Comments are always welcome, > > Francesco Albanese >
Francesco, I highly recommend looking at http://eternallyconfuzzled.com/tuts/algorithms/jsw_tut_hashing.aspx for an analysis of various hashing algorithms. If you have a few sources of randomness and you hash them together with a good algorithm, that should be all you need. To me, the Jenkins algorithm is the clear winner. The page I linked complains that it is significantly more difficult to implement, but it is still quite easy to implement since they give you a C implementation already :-) Computational complexity of an algorithm like that is utterly negligible on a processor of even a few KHz, much less 200 MHz+. Bobby -- If it doesn't make you smile, you're doing something wrong.