On Fri, Sep 30, 2011 at 2:27 PM, Dmitry Chestnykh <dmi...@codingrobots.com> wrote: > The attacker cannot supply hash, he supplies password. To do timing attack, > the > attacker have to find a such string, for which the hash has a few bytes > changed.
You and I seem to be talking about different use cases, There are scenarios where both the client and server generate hashes. The client sends its has to the server and the server compares the hashes. Of course, another protection against attacks is to limit the time window before a whole new set of hashes needs to be computed. _______________________________________________ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
