scrypt is a key derivation function... the other is not. Why compare them? They are both good for different things, are they not?

Here, lemme google that for you:
https://en.wikipedia.org/wiki/Hash-based_message_authentication_code
https://en.wikipedia.org/wiki/Key_derivation_function

On Fri, Sep 09, 2016 at 08:24:09PM -0400, Jesse V wrote:
> On 09/09/2016 07:28 PM, Flipchan wrote:
> > Hi all, so I spoke with a friend of mine yesterday and we were chatting
> > about encryption and I told him that I use scrypt for password hashing.
> > He told me that HMAC was a lot better.
> >
> > Does anyone know any good whitepapers on HMAC? Any good Python lib? Does
> > anyone use it?
>
> The important thing here is that in this context, both scrypt and HMAC
> receive two values: a password and a salt. This provides a defense
> against rainbow tables if your database is compromised. It also avoids
> leaking whether two users have the same password. The idea is to store
> the username, salt, and hashed password in the database.
>
> Scrypt is useful because it's memory-hard, which means that it better
> resists hardware attacks since the scrypt operation requires precious
> RAM. HMAC is useful because it isn't safe to compute SHA2(salt +
> password) due to the Length Extension Attack against MD5, SHA1, and
> SHA2, but this doesn't necessarily apply in this context. When you say
> "HMAC", I assume that your friend means HMAC_SHA256.
>
> HMAC_SHA256 is very common for storing passwords and there are many
> papers, libraries, and other resources on it. I would start with the
> Wikipedia article on HMAC and go from there. If you really want to dig
> into the topic, look into Argon2.
>
> --
> Jesse V
>
> _______________________________________________
> tor-dev mailing list
> tor-dev@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
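The username/salt/hash record layout discussed in this thread, as an added example that is not part of any message in it: Python's standard `hashlib.scrypt` with a random per-user salt and a constant-time comparison, next to a single salted HMAC-SHA256 call for contrast. The cost parameters, function names and the in-memory `db` dictionary are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed cost parameters for this example; scrypt needs about 128 * N * R bytes (16 MiB here).
N, R, P, DKLEN = 2**14, 8, 1, 32


def scrypt_hash(password, salt=None):
    """Derive a key with scrypt; generates a random 16-byte per-user salt if none is given."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return salt, key


def scrypt_verify(password, salt, stored_key):
    """Recompute with the stored salt and compare in constant time."""
    _, key = scrypt_hash(password, salt)
    return hmac.compare_digest(key, stored_key)


def hmac_sha256_hash(password, salt):
    """One HMAC-SHA256 call keyed with the salt: salted, but cheap to compute in bulk."""
    return hmac.new(salt, password.encode("utf-8"), hashlib.sha256).digest()


def register(db, username, password):
    """Store username -> (salt, hashed password), the record layout described in the thread."""
    db[username] = scrypt_hash(password)


def login(db, username, password):
    """Look up the user's salt and stored key, then verify the supplied password."""
    record = db.get(username)
    if record is None:
        return False
    salt, stored_key = record
    return scrypt_verify(password, salt, stored_key)


if __name__ == "__main__":
    db = {}  # constructed in-memory stand-in for a user table
    register(db, "alice", "correct horse")
    register(db, "bob", "correct horse")  # same password, different salt
    print("identical stored hashes:", db["alice"][1] == db["bob"][1])
    print("alice, right password:", login(db, "alice", "correct horse"))
    print("alice, wrong password:", login(db, "alice", "wrong"))
```
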