Travis H. wrote:
> So I was reading about the OTP system (based on S/Key) described in
> RFC 2289.
> It basically hashes a secret several times (with salt to individualize
> it) and stores the value that the correct password will hash to.
>
> Now my question is, if we restrict ourselves to, say, 160-bit inputs,
> is SHA-1 a permutation, or do collisions exist? If there are
> collisions, then iterating the hash could lead to fewer possible
> values each time, potentially converging on a set of inputs that form
> a permutation and are closed under composition.
>
> Is that correct? What are the expected sizes of such sets?
> Is it worth worrying about?

posts discussing other kinds of attack on 2289 ... assuming the original
circumstances that 2289 is supposed to address; most of the "fixes" for
the attacks ... in turn, negate/invalidate the original
purpose/justification for 2289

http://www.garlic.com/~lynn/2003m.html#50 public key vs passwd authentication?
http://www.garlic.com/~lynn/2003n.html#1 public key vs passwd authentication?
http://www.garlic.com/~lynn/2003n.html#2 public key vs passwd authentication?
http://www.garlic.com/~lynn/2003n.html#3 public key vs passwd authentication?
http://www.garlic.com/~lynn/2005o.html#0 The Chinese MD5 attack
http://www.garlic.com/~lynn/2005t.html#28 RSA SecurID product
http://www.garlic.com/~lynn/2005t.html#31 Looking for Information on password systems
http://www.garlic.com/~lynn/2006d.html#41 Caller ID "spoofing"

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
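
The shrinking-image effect asked about in the quoted question can be measured on a toy domain. The following is an added example, not part of the original thread: it assumes SHA-1 truncated to 16 bits as a stand-in small enough to enumerate, compares the reachable set after each iteration with the standard random-function model, and counts the values on which the iterated function is a permutation. The function names are hypothetical.

```python
import hashlib
import math

BITS = 16  # assumption: toy width so the whole domain can be enumerated


def h(x, bits=BITS):
    """SHA-1 truncated to `bits` bits, mapping bits-bit ints to bits-bit ints."""
    nbytes = (bits + 7) // 8
    digest = hashlib.sha1(x.to_bytes(nbytes, "big")).digest()
    return int.from_bytes(digest[:nbytes], "big") >> (nbytes * 8 - bits)


def image_sizes(rounds, bits=BITS):
    """Count the values still reachable after 0..rounds iterations of h."""
    current = set(range(1 << bits))
    sizes = [len(current)]
    for _ in range(rounds):
        current = {h(v, bits) for v in current}
        sizes.append(len(current))
    return sizes


def predicted_fractions(rounds):
    """Random-function model: f_0 = 1, f_{k+1} = 1 - exp(-f_k)."""
    fractions = [1.0]
    for _ in range(rounds):
        fractions.append(1.0 - math.exp(-fractions[-1]))
    return fractions


def cyclic_core(bits=BITS):
    """Size of the set on which h acts as a permutation (values on cycles)."""
    current = set(range(1 << bits))
    while True:
        nxt = {h(v, bits) for v in current}
        if len(nxt) == len(current):  # h(S) is a subset of S, so equal size means h(S) == S
            return len(current)
        current = nxt


if __name__ == "__main__":
    n = 1 << BITS
    observed = image_sizes(10)
    for k, (size, frac) in enumerate(zip(observed, predicted_fractions(10))):
        print(f"k={k:2d}  reachable={size:6d}  observed={size / n:.4f}  model={frac:.4f}")
    print("values on cycles:", cyclic_core())
```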