It is less a matter of time than you calculate.
For IPv4, you only have 32 bits to search.
On Tue, Oct 5, 2010 at 4:13 PM, Franz Schwartau wrote:
> Yes, of course, but all (cryptographic) hash functions are "vulnerable"
> to brute force attacks. It's just a question of effort/time.
>
Yes, of course, but all (cryptographic) hash functions are "vulnerable"
to brute force attacks. It's just a question of effort/time.
The salt used in mod_log_iphash is 128 characters long. So we have
64^128 + 2^32 (for the concatenated IPv4 address) possibilities. If you
want you can increase SALT
Hi Franz, welcome. Replies inline:
On Wed, Oct 6, 2010 at 00:49, Franz Schwartau wrote:
> How should the module react to a failed initialization of seed_rand() in
> iphash_create_server_config() (line 90)? Returning NULL in
> iphash_create_server_config() doesn't seem to help. I'd like to disable
If you really want security, you should note that exhaustive search will
crack this kind of hashing pretty quickly.
Changing the salt and making sure that nobody knows what the salt is helps a
little bit.
On Tue, Oct 5, 2010 at 3:49 PM, Franz Schwartau wrote:
> Hi!
>
> I wrote a small module to
Hi!
I wrote a small module to fulfil a privacy policy where logging of the
IP address is not allowed. It adds a new directive to LogFormat which
generates an MD5 hash of a "salted" IP address. It makes it look like an
IPv6 address. Thus statistics tools like AWstats have a chance to work.
Unfortuna
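
The exhaustive-search point made in the replies above, as an added example that is not part of the thread or of mod_log_iphash: once the salt is known, only the address space has to be searched, whatever the salt's length. The `MD5(salt || dotted-quad)` layout, the function names and the sample salt and address are assumptions, since the thread does not show how the module combines salt and address.

```python
import hashlib
import ipaddress
import time

# Assumption: hash = MD5(salt || dotted-quad IP). The thread does not show
# how mod_log_iphash combines salt and address; this layout is illustrative.
def hash_ip(salt: bytes, ip: str) -> str:
    return hashlib.md5(salt + ip.encode("ascii")).hexdigest()

def recover_ip(salt: bytes, target: str, network: str):
    """Hash every address in `network`; return (ip or None, hashes tried)."""
    net = ipaddress.ip_network(network)
    prefix = hashlib.md5(salt)            # the salt is absorbed once, then reused
    for tries, addr in enumerate(net, start=1):
        h = prefix.copy()
        h.update(str(addr).encode("ascii"))
        if h.hexdigest() == target:
            return str(addr), tries
    return None, net.num_addresses

def estimate_full_ipv4_seconds(salt: bytes, sample: int = 50_000) -> float:
    """Time `sample` hashes and scale to the whole 2**32 IPv4 space."""
    start = time.perf_counter()
    for i in range(sample):
        hash_ip(salt, str(ipaddress.IPv4Address(i)))
    return (time.perf_counter() - start) / sample * 2**32

if __name__ == "__main__":
    salt = b"A" * 128                     # constructed 128-character salt
    logged = hash_ip(salt, "192.0.2.77")  # constructed log value (TEST-NET-1)
    # Salt known: the address falls out after a search over addresses only.
    print(recover_ip(salt, logged, "192.0.2.0/24"))
    # Salt unknown (wrong guess): the same search finds nothing.
    print(recover_ip(b"B" * 128, logged, "192.0.2.0/24"))
    hours = estimate_full_ipv4_seconds(salt) / 3600
    print(f"about {hours:.1f} h single-threaded for all of IPv4")
```

The privacy of the logged value therefore rests on keeping the salt secret, which is the point made in the reply about changing the salt.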