Password hashing algorithms are not the same as general hash algorithms. I would prefer we didn't use Whirlpool; it is "recommended by NESSIE and ISO" as a hash function, but not as a password hash. CWE-916 recommends "bcrypt, scrypt, and PBKDF2" specifically for password hashing.
To be clear, I have nothing against the Whirlpool hash algorithm itself: it's got a long pedigree with a decent amount of cryptanalysis. It's just the extension to password hashing which is nonstandard. If you wanted to use Whirlpool as a password hash, you should apply it as part of PBKDF2, which is parameterizable. That would be a reasonable way to distinguish the WMF hash to avoid general attacks without inventing new cryptography. The default PRF for PBKDF2 is HMAC-SHA-1; you would be replacing this with HMAC-Whirlpool. This would be much preferable to using str_repeat+Whirlpool. --scott
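The construction Scott describes, as an added example that is not code from this thread or from MediaWiki: PBKDF2 written out in Python with a pluggable HMAC PRF, so the digest name can be "whirlpool" on builds whose OpenSSL still provides it. The password, salt and iteration count below are constructed sample values.

```python
import hashlib
import hmac
import struct


def pbkdf2(hash_name, password, salt, iterations, dklen):
    """PBKDF2 (RFC 2898) with HMAC-<hash_name> as the PRF, written out so the
    PRF is pluggable: hash_name can be any digest hashlib knows by name."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    h_len = hashlib.new(hash_name).digest_size
    prf = lambda data: hmac.new(password, data, hash_name).digest()
    out = bytearray()
    for block_index in range(1, -(-dklen // h_len) + 1):  # ceil(dklen / hLen) blocks
        u = prf(salt + struct.pack(">I", block_index))     # U_1 = PRF(P, S || INT(i))
        t = bytearray(u)
        for _ in range(iterations - 1):                     # U_j = PRF(P, U_{j-1})
            u = prf(u)
            t = bytearray(a ^ b for a, b in zip(t, u))      # T_i = U_1 xor ... xor U_c
        out += t
    return bytes(out[:dklen])


def whirlpool_available():
    """True when this Python/OpenSSL build can still compute Whirlpool."""
    return "whirlpool" in hashlib.algorithms_available


def matches_stdlib(hash_name, password, salt, iterations, dklen):
    """Cross-check against hashlib's own PBKDF2 for hashes both sides support."""
    return pbkdf2(hash_name, password, salt, iterations, dklen) == \
        hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen)


def verify_password(stored, hash_name, password, salt, iterations):
    """Recompute and compare in constant time; stored must come from pbkdf2()."""
    candidate = pbkdf2(hash_name, password, salt, iterations, len(stored))
    return hmac.compare_digest(stored, candidate)


if __name__ == "__main__":
    # Constructed sample values; a real deployment draws a fresh random salt per
    # user (os.urandom) and tunes the iteration count to its hardware.
    salt = b"\x00" * 16  # placeholder salt, not a recommended value
    name = "whirlpool" if whirlpool_available() else "sha512"  # fallback if absent
    digest = pbkdf2(name, b"correct horse", salt, 10000, 32)
    print(name, digest.hex(), verify_password(digest, name, b"correct horse", salt, 10000))
```

The SHA-1 path can be checked against the RFC 6070 test vectors, which exercise both the single-block and the multi-block case.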
On Wed, Feb 5, 2014 at 10:00 PM, Marc A. Pelletier marc@uberbox.org wrote:
On 02/05/2014 09:34 PM, Tim Starling wrote:
Maybe Chris's phrasing misled you: I didn't invent the Whirlpool algorithm
And so it did; something a quick google would have revealed. In my defense, "The Whirlpool algorithm by Tim" was pretty convincing attribution. :-)
I'd need to read up on that algorithm a bit before I have an opinion on whether length-extension attacks are not an issue with it (which is often particularly nasty when the message repeats or is cyclical). Most hashes fare better by prepending a nonce as salt than they do by padding or repeating.
-- Marc
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l