On Wed, Feb 02, 2011 at 12:03:19PM -0500, Ian Goldberg wrote:
> Actually, to keep it to one SHA block (447 bits, not including padding),
> you can have at most 255 bits (31 bytes, if we're byte-aligned) for the
> secret. I wouldn't suggest spanning the secret across SHA blocks.
>
> SHA-512 seems like overkill if we're only using 3 bytes of the output.
> SHA-256 should be fine. Indeed, there's no _actual_ reason to believe
> SHA-1 isn't fine here, except for the general "don't be mandating SHA-1
> for anything new at this point" rule.
These sound like fine suggestions to me! I added a short summary to the
Trac entry here:

https://trac.torproject.org/projects/tor/ticket/2435#comment:2

> A 31-byte secret is far more likely to leak than be brute-forced, of
> course. If it's leaked one month, is it likely to leak again another
> month?

Leaking shouldn't be a problem here, because the secret will only be
known to the machine that's sanitizing bridge descriptors. If someone
learns about the secret on that machine, they could as well learn about
the original descriptors, too, and save themselves all the trouble of
brute forcing things.

Thanks a lot for your feedback so far!

Best,
Karsten
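The scheme discussed in the thread (a 31-byte secret, SHA-256, only 3 bytes of the digest used, everything kept inside one 447-bit SHA block), worked through as an added example. This is not Tor's sanitizing code and not from the thread's authors; the message layout (IPv4 bytes || secret || month string), the 10.x.x.x output form and the function names are assumptions made here for illustration. The last function shows the point Karsten makes about leaks: whoever holds the secret can simply brute-force the 2^32 IPv4 space against the 3-byte tags, whereas without it the search is over the 2^248 secret space.

```python
"""Keyed, truncated SHA-256 pseudonymisation of bridge IPv4 addresses.

Added example for this thread, not Tor's sanitizing code. The hashed
message layout (IPv4 bytes || 31-byte secret || month string) is an
assumption made here, not something the thread confirms.
"""
import hashlib
import ipaddress
import secrets

# SHA-256 works on 512-bit blocks. Padding always costs at least one 1 bit
# plus a 64-bit length field, so 512 - 65 = 447 bits (55 whole bytes) of
# message still hash with a single compression-function call.
SHA256_BLOCK_BITS = 512
SHA256_MIN_PADDING_BITS = 65
SINGLE_BLOCK_MESSAGE_BYTES = (SHA256_BLOCK_BITS - SHA256_MIN_PADDING_BITS) // 8  # 55

SECRET_LEN = 31   # 248 bits, the size suggested in the thread
TAG_LEN = 3       # only 3 bytes of the digest are used


def fits_one_block(message: bytes) -> bool:
    """True if SHA-256 hashes `message` with exactly one compression call."""
    return len(message) <= SINGLE_BLOCK_MESSAGE_BYTES


def new_monthly_secret() -> bytes:
    """Fresh 31-byte secret; in the scheme discussed it would be rotated monthly."""
    return secrets.token_bytes(SECRET_LEN)


def sanitize_ipv4(ip: str, secret: bytes, month: str) -> str:
    """Map a bridge IPv4 address to 10.x.x.x via the keyed, truncated hash."""
    if len(secret) != SECRET_LEN:
        raise ValueError("secret must be exactly %d bytes" % SECRET_LEN)
    # Assumed layout (hypothetical): ip || secret || month, e.g. "2011-02"
    message = ipaddress.IPv4Address(ip).packed + secret + month.encode("ascii")
    if not fits_one_block(message):
        raise ValueError("message would span more than one SHA-256 block")
    tag = hashlib.sha256(message).digest()[:TAG_LEN]
    return "10.%d.%d.%d" % tuple(tag)


def recover_candidates(sanitized: str, secret: bytes, month: str, network: str) -> list:
    """What a party holding the secret can do: enumerate IPv4 addresses (here
    limited to `network`) and return every one whose tag matches `sanitized`.
    Without the secret the same attack needs a search over 2^248 keys."""
    return [str(ip) for ip in ipaddress.IPv4Network(network)
            if sanitize_ipv4(str(ip), secret, month) == sanitized]


if __name__ == "__main__":
    secret = new_monthly_secret()
    print(sanitize_ipv4("198.51.100.23", secret, "2011-02"))
```

Because only 3 bytes of output are kept, the brute-force in `recover_candidates` can also return a few false positives once the candidate range grows towards 2^24 addresses; that is inherent to the truncation, not to the choice of SHA-256 over SHA-512.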