The article you shared is quite good...
What it is saying is that adding a salt is still not secure...
But you have to think first about what situation that is based on...

...
dsscss posted on 2014-9-1 21:34


As I said before, it involves performance vs security. Basically, the HKID card number policy is too simple to predict as it is Module 11.

Samiux


You still don't understand...
Before you use these tools, you have to predict how the formula is put together...
Only when you hit the right formula does it count as cracked...

Is it SHA256(SALT || REVERSE(ID_NUMBER))
or SHA256(SALT || ID_NUMBER)
or SHA256(SALT || SHA256(REVERSE(ID_NUMBER)))
or SHA256(SALT || SHA256(ID_NUMBER))
or SHA256(SHA256(SALT) || SHA256(ID_NUMBER))
or some other hash function...
and so on, there are so many of them...

This has nothing whatsoever to do with "the HKID card number policy is too simple to predict as it is Module 11"...


This post was last edited by samiux on 2014-9-2 07:22
You still don't understand...
Before you use these tools, you have to predict how the formula is put together...
Only when you hit the right formula does it count as cracked...

Is it ...
dsscss posted on 2014-9-2 01:35


As far as I know, the 6.22 Civil Referendum website was written in PHP. I am not an elite programmer. Or rather, I am not a programmer at all, even though I write some hacking tools myself.

I do not know whether PHP can apply XOR with hash functions or not. In my mind, hash programming in PHP is something like this - http://code.tutsplus.com/tutoria ... rds-safe--net-17577 .

By the way, I already assumed that Mr. Benny Tai would not create a new algorithm, or even apply a very complicated algorithm, on the web application.

Performance of the web application is a concern for almost all web application programmers.

The more complicated the encryption is, the slower the performance of the web application is.

I admit that hacking is more or less a guessing game.

Maybe I am not answering your question, as I do not know what I am saying.

Samiux

Update reason: fix typo


This article is dated Sept 1, 2014 - http://www.freebuf.com/articles/neopoints/42171.html

Samiux


After reading your comment, I remembered that I had read a very interesting article - Speed Hashing ...
samiux posted on 2014-9-1 04:27


After going through all your comments, I would still stand firm on my views - Please put more time and effort into understanding what cryptography is. Emphasizing how fast people can crack a (salted) checksum (we in fact call them signatures) is not productive.

Currently, many CPUs (x86, MIPS etc.) implement instructions that accelerate encryption and signature generation (e.g. AES-NI). Generating a hash, especially of just a short string, is not computationally demanding - good code will work. Your Android or iPhone can get the stuff (OK, you want SHA-2, bcrypt etc.) done in a few milliseconds.

All signatures are subject to brute-force attack. No exception. What we do is in fact pick out a signature algorithm candidate (e.g. SHA-1 in 2008, SHA-2 in ~2016) which can defeat the foreseeable "cracking" efforts.

"As I said before, if oclhashcat is used with the HKID card number policy, the cracking time will be reduced a lot. It is because the HKID card number policy is too simple."
Contact me if you want: 5630dc3b41a969e4eaa5a734e1d8f6ad40fdc987
Great hint: HKID with "( )" + space + telephone no. -> AES (CBC) -> SHA-1 (no salt)

Hope you get my points - Read/learn, think and practice. I teach when I write - this is my profession.


After going through all your comments, I would still stand firm on my views - Please put more ti ...
wdtech posted on 2014-9-10 15:27


It sounds like you do not know what web application programming is and what its requirements are. Meanwhile, you do not know what GPU computing (or parallel computing) is. I do not have any comment for you now. Discussion terminated.


Reply to #45 wdtech

Forget it...
So many people have taken the trouble to write long posts explaining it to him, and he still lives in his own world...

As for who is right / wrong, read more university lecture notes / papers researching hashes / hash key sizes and you'll understand.
He's always going on about hackers this, hackers that..
I doubt he has even attended a university security course,
and when you don't know the subject it is hard to say anything....


This post was last edited by samiux on 2014-9-13 06:47

I know that there are many strong encryption algorithms available. However, the implementation is another thing.

Yogi Berra says:
In theory, theory and practice are the same. In practice, they're not.


I have read an article about the implementation of strong encryption in communication software, such as email clients. It is not 100% related to this discussion, but it is worth a read:

(1) http://www.freebuf.com/articles/network/42692.html
(2) http://www.washingtonpost.com/bl ... prss=rss_ezra-klein

Samiux

Update reason: fix typo


This post was last edited by ~虎~ on 2014-9-13 16:50

If you know their algorithm, it really isn't hard to break.
In the dumbest case, $hash = sha1($hkid . $phone);
enumerate every combination and one rainbow table finishes it off.

Adding a salt is a different game... every hash gets a different salt, and the rainbow table loses its powers.
$salt = some_random_strong_salt_func();
$hash = $salt . ':' . combination_of_some_strong_hash_func($hkid, $phone, $salt);
Whether you crack it with a CPU, a GPU or a quantum computer, cryptography has always been a matter of time...

The OP is right that the HKID + phone data itself has too few combinations,
but whether they really used a weak hash algorithm is only speculation.


Reply to #49 ~虎~

>>the HKID + phone data itself has too few combinations
A small combination space =/= easy to crack.
It could be SHA256(ID || ID || PHONE || PHONE)
or SHA256(ID || REVERSE(ID) || PHONE)
or.... all those combinations I listed before...

You make it sound so simple..
How about I give you 10,000 raw data records, together with their hashed results,
and you tell me what method I used to hash them.

After one month, if you work it out I give you ten thousand,
and if you can't you give me ten thousand.
Deal?

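Added example, not code from any post in this thread, written in Python rather than the PHP the site was said to use. It puts the two positions argued above side by side on constructed data: ~虎~'s point that unsalted sha1($hkid . $phone) falls to enumeration while a per-record salt breaks any shared table, and dsscss's point that the attacker first has to guess the formula, which one known (raw record, hash) pair lets him do against a candidate list. Assumptions: the HKID check-digit rule as commonly published (weights 9 down to 2 over the eight characters, total 0 mod 11, 10 written as A), PBKDF2-HMAC-SHA256 standing in for the unspecified "strong hash func", and every ID, phone number and salt below is made up.

```python
"""Added example (not from any post in the thread). On constructed data it
shows: the HKID check digit fixes the last character, so single-letter IDs
number 26 * 10^6; unsalted sha1($hkid . $phone) falls to enumeration once the
phone is known; a per-record salt plus an iterated hash defeats a shared table;
and one (raw record, hash) pair picks the construction out of a candidate list,
the guessing step dsscss describes. IDs, phones and salts here are made up."""
import hashlib
import os
import string
from typing import Callable, Dict, Optional, Tuple

# Letters A..Z map to 10..35; a one-letter prefix is padded with a space (36).
CHAR_VALUE = {c: 10 + i for i, c in enumerate(string.ascii_uppercase)}
CHAR_VALUE[" "] = 36


def hkid_check_digit(prefix: str, digits: str) -> str:
    """Check digit for a 1- or 2-letter prefix plus six digits: weights 9..2 over
    the eight characters, the check digit brings the total to 0 mod 11, 10 -> 'A'.
    Matches the textbook case C123456(9)."""
    body = prefix.upper().rjust(2) + digits
    total = sum((CHAR_VALUE[ch] if ch in CHAR_VALUE else int(ch)) * w
                for ch, w in zip(body, range(9, 1, -1)))
    r = (11 - total % 11) % 11
    return "A" if r == 10 else str(r)


def hkid(prefix: str, digits: str) -> str:
    """Bracketed form, e.g. A012345(8)."""
    return f"{prefix.upper()}{digits}({hkid_check_digit(prefix, digits)})"


def weak_hash(id_no: str, phone: str) -> str:
    """The construction ~虎~ calls the dumbest: sha1($hkid . $phone), no salt."""
    return hashlib.sha1((id_no + phone).encode()).hexdigest()


def salted_slow_hash(id_no: str, phone: str, salt: bytes, iterations: int = 50_000) -> str:
    """Per-record salt + PBKDF2-HMAC-SHA256, one concrete choice (an assumption)
    for the post's 'strong hash func': each guess costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", (id_no + phone).encode(), salt, iterations).hex()


def new_record(id_no: str, phone: str) -> str:
    """Store the salt beside the hash, like $salt . ':' . hash(...) in the post."""
    salt = os.urandom(16)
    return salt.hex() + ":" + salted_slow_hash(id_no, phone, salt)


def verify_record(record: str, id_no: str, phone: str) -> bool:
    salt_hex, digest = record.split(":", 1)
    return salted_slow_hash(id_no, phone, bytes.fromhex(salt_hex)) == digest


def crack_weak(target: str, phone: str, letter: str, limit: int = 10**6) -> Tuple[Optional[str], int]:
    """Enumerate valid IDs <letter>000000.. for a phone the attacker already has.
    Only check-digit-valid IDs are tried, so it is 10^6 guesses per letter.
    Returns (recovered id or None, guesses made)."""
    for n in range(limit):
        cand = hkid(letter, f"{n:06d}")
        if weak_hash(cand, phone) == target:
            return cand, n + 1
    return None, limit


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Some of the formulas dsscss lists, as (id, phone, salt) -> hex digest.
CANDIDATE_CONSTRUCTIONS: Dict[str, Callable[[str, str, str], str]] = {
    "sha1(id||phone)": lambda i, p, s: weak_hash(i, p),
    "sha256(salt||id)": lambda i, p, s: sha256_hex(s + i),
    "sha256(salt||reverse(id))": lambda i, p, s: sha256_hex(s + i[::-1]),
    "sha256(salt||sha256(id))": lambda i, p, s: sha256_hex(s + sha256_hex(i)),
    "sha256(id||id||phone||phone)": lambda i, p, s: sha256_hex(i + i + p + p),
    "sha256(id||reverse(id)||phone)": lambda i, p, s: sha256_hex(i + i[::-1] + p),
}


def identify_construction(id_no: str, phone: str, salt: str, observed: str) -> Optional[str]:
    """One raw record plus its stored hash (dsscss offers 10,000) is enough to
    test every candidate formula; a formula outside the list returns None."""
    for name, fn in CANDIDATE_CONSTRUCTIONS.items():
        if fn(id_no, phone, salt) == observed:
            return name
    return None


if __name__ == "__main__":
    victim, phone = hkid("A", "012345"), "91234567"  # constructed sample
    print("weak:", crack_weak(weak_hash(victim, phone), phone, "A", 100_000))
    rec = new_record(victim, phone)
    print("salted record verifies:", verify_record(rec, victim, phone))
    print("formula:", identify_construction(victim, phone, "s4lt", sha256_hex("s4lt" + victim[::-1])))
```

Run it directly for a short demo. With the default limit, crack_weak walks all 10^6 valid IDs for one letter, which is the small keyspace the thread argues about; the phone number being known (or enumerated as well) is what sets the cost, and with the salted record the same loop still works per record but gets no help from any table built for another record, and each guess costs 50,000 HMAC calls instead of one SHA-1.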