[asterisk-users] How to stop intruder from registering sip?
Tilghman Lesher
tlesher at digium.com
Thu Jul 1 11:53:17 CDT 2010
On Thursday 01 July 2010 07:43:38 William Stillwell (Lists) wrote:
> Also, technically your "101This is a salt" is stronger than your SHA1 Hash.
>
> Let's say you stick with the "17 character password"
>
> You are using 0-9, a-z, A-Z, and space.
>
> 0-9 = 10
> a-z = 26
> A-Z = 26
> Space = 1
> Total Possible Values = 63
>
> 17^63 = 3.2982384238829760312713680399948e+77
>
> Your sha1 is using 0-9, a-f
>
> 0-9 = 10
> a-f = 6
>
> 40^16 = 42949672960000000000000000
That would only be true if you used random characters in your 17-character
passphrase. In fact, English text has somewhere between 0.6 and 1.5 bits of
randomness per letter, whereas an SHA1sum has no more than 4 bits of
randomness per letter. Let's assume the higher number of randomness for
your English text, which gives us 1.5 * 17, which is 25.5 bits of randomness.
Note that the prefix 3 characters have ZERO randomness per character, as they
are deterministic from the extension. That gives even less: 21 bits of
randomness. SHA1 cryptographic sums have no more than 160 bits of randomness.
I say "no more than", because, given knowledge of the algorithm used to
determine passwords, the sum is reduced to the number of bits of randomness in
the source material. You cannot generate randomness by applying a
deterministic algorithm. However, given that the source material for the hash
sum is of a smaller bit strength than the comparative strength of the hash
algorithm, your difficulty of guessing the password is not reduced any by
using the hash algorithm for generative purposes.
--
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com & www.asterisk.org
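The entropy arithmetic in the reply above, worked through as an added example (not code from the thread or from Asterisk): it compares the random-character case, the English-text case with a fixed extension prefix, and the hex SHA1 secret capped by its input, and counts how many distinct secrets the "extension + fixed salt" recipe can actually produce. The salt string, the 100-999 extension range and the bits-per-character figures are taken from the thread; the function names are my own.

```python
import hashlib
import math

# Figures quoted in the thread: English text carries roughly 0.6-1.5 bits of
# randomness per letter, a hex digit at most 4 bits, and SHA1 outputs 160 bits.
ENGLISH_BITS_PER_CHAR_HIGH = 1.5
HEX_BITS_PER_CHAR = 4.0
SHA1_OUTPUT_BITS = 160


def random_password_bits(length, alphabet_size):
    """Entropy of `length` characters drawn uniformly from `alphabet_size`
    symbols (the case where a 17-character password really is strong)."""
    return length * math.log2(alphabet_size)


def english_passphrase_bits(length, deterministic_prefix=0,
                            bits_per_char=ENGLISH_BITS_PER_CHAR_HIGH):
    """Entropy estimate for English text whose first `deterministic_prefix`
    characters are fixed by something public (here, the extension)."""
    free_chars = max(length - deterministic_prefix, 0)
    return free_chars * bits_per_char


def hex_secret_bits(hex_len, source_bits):
    """Entropy of a hex-encoded SHA1 used as a secret. Hashing is
    deterministic, so the result can never exceed the input's entropy."""
    encoded_bits = min(hex_len * HEX_BITS_PER_CHAR, SHA1_OUTPUT_BITS)
    return min(encoded_bits, source_bits)


def derived_secret_space(salt, extensions):
    """Number of distinct secrets the recipe sha1(extension + salt) yields
    over `extensions` when the salt is known: the keyspace is the number
    of extensions, however long the hex string looks."""
    digests = {hashlib.sha1(f"{ext}{salt}".encode()).hexdigest()
               for ext in extensions}
    return len(digests)


if __name__ == "__main__":
    print("random 17 chars, 63 symbols:", random_password_bits(17, 63))
    print("English 17 chars, 3 fixed   :", english_passphrase_bits(17, 3))
    print("hex SHA1 of that text       :", hex_secret_bits(40, 21.0))
    # Constructed sample: three-digit extensions 100-999 with the thread's salt.
    space = derived_secret_space("This is a salt", range(100, 1000))
    print("distinct derived secrets    :", space, "=", math.log2(space), "bits")
```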