Password hashing algorithms are not the same as general hash algorithms. I
would prefer we didn't use Whirlpool; it is "recommended by NESSIE and ISO"
as a hash function, but not as a password hash. CWE-916 recommends "bcrypt,
scrypt, and PBKDF2" specifically for password hashing.
To be clear, I have nothing against the Whirlpool hash algorithm itself:
it's got a long pedigree with a decent amount of cryptanalysis. It's just
the extension to password hashing which is nonstandard. If you wanted to
use Whirlpool as a password hash, you should apply it as part of PBKDF2,
which is parameterizable. That would be a reasonable way to distinguish
the WMF hash to avoid general attacks without inventing new cryptography.
The default PRF for PBKDF2 is HMAC-SHA-1; you would be replacing this with
HMAC-Whirlpool. This would be much preferable to using str_repeat+Whirlpool.
--scott
On Wed, Feb 5, 2014 at 10:00 PM, Marc A. Pelletier <marc(a)uberbox.org> wrote:
On 02/05/2014 09:34 PM, Tim Starling wrote:
Maybe Chris's phrasing misled you: I didn't invent the Whirlpool algorithm
And so it did; something a quick google would have revealed. In my
defense, "The Whirlpool algorithm by Tim" was pretty convincing
attribution. :-)
I'd need to read up on that algorithm a bit before I have an opinion on
whether length-extension attacks are not an issue with it (which is
often particularly nasty when the message repeats or is cyclical). Most
hashes fare better by prepending a nonce as salt than they do by padding
or repeating.
-- Marc
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
-- (http://cscott.net)
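Scott's suggestion above is to keep Whirlpool but run it inside PBKDF2, where the hash is just a parameter of the HMAC PRF. The following is an added illustration written for this page, not code from MediaWiki or from anyone in the thread. It implements PBKDF2 generically over a pluggable HMAC hash, so the only thing that changes between HMAC-SHA-1, HMAC-SHA-256 and HMAC-Whirlpool is the hash name; Whirlpool is only available if the local OpenSSL build exposes it to Python's hashlib (a platform assumption, checked at runtime), so the example falls back to SHA-256 when it is absent. The salt, password and iteration count are constructed sample values.

```python
"""PBKDF2 (RFC 8018, section 5.2) over a pluggable HMAC pseudorandom function.

Constructed example, not MediaWiki code.  Whirlpool is usable here only when
hashlib.new("whirlpool") works on this OpenSSL build; otherwise the same
construction runs with SHA-256, which shows the point: PBKDF2 does not care
which hash backs the HMAC.
"""
import hashlib
import hmac
import struct


def hmac_prf(hash_name):
    """Build PRF(key, msg) -> bytes as HMAC-<hash_name> and record its output size."""
    digest_size = hashlib.new(hash_name).digest_size  # raises ValueError if unsupported

    def prf(key, msg):
        return hmac.new(key, msg, hash_name).digest()

    prf.output_len = digest_size
    return prf


def pbkdf2(prf, password, salt, iterations, dklen):
    """Generic PBKDF2:
         T_i = U_1 xor U_2 xor ... xor U_c
         U_1 = PRF(P, S || INT_32BE(i)),  U_j = PRF(P, U_{j-1})
       DK  = T_1 || T_2 || ... truncated to dklen bytes.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    if dklen < 1:
        raise ValueError("dklen must be >= 1")
    hlen = prf.output_len
    n_blocks = -(-dklen // hlen)  # ceil(dklen / hlen)
    derived = bytearray()
    for i in range(1, n_blocks + 1):
        u = prf(password, salt + struct.pack(">I", i))
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = prf(password, u)
            t = bytearray(a ^ b for a, b in zip(t, u))
        derived += t
    return bytes(derived[:dklen])


def hash_supported(hash_name):
    """True if this Python/OpenSSL build can construct the named digest."""
    try:
        hashlib.new(hash_name)
        return True
    except ValueError:
        return False


def choose_hash(preferred="whirlpool", fallback="sha256"):
    """Pick the preferred HMAC hash if the platform has it, else the fallback."""
    return preferred if hash_supported(preferred) else fallback


def derive_password_hash(password, salt, iterations=100_000, hash_name=None):
    """PBKDF2-HMAC-<hash> password hash; returns (hash_name, derived_key)."""
    name = hash_name or choose_hash()
    prf = hmac_prf(name)
    return name, pbkdf2(prf, password, salt, iterations, prf.output_len)


if __name__ == "__main__":
    # Constructed sample inputs; a real deployment uses a random per-user salt.
    name, dk = derive_password_hash(b"correct horse battery staple", b"16-byte-salt-xyz")
    print(f"PBKDF2-HMAC-{name}: {dk.hex()}")
```

Because `pbkdf2` is written against the RFC rather than a fixed hash, it can be cross-checked against `hashlib.pbkdf2_hmac` for SHA-1/SHA-256 (including derived keys longer than one HMAC output, which exercises the block loop) before the hash is swapped for Whirlpool; that cross-check is what makes swapping the PRF "not inventing new cryptography".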