<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">From: "Francesco Albanese" <<a href="mailto:frances.albanese@gmail.com">frances.albanese@gmail.com</a>><br>
Hello,<br>
<br>
I have cleaned my code and I updated my patch with a new feature for<br>
salting the password.<br>
<br>
- The salt is generated collecting a timestamp for every valid<br>
keystroke supplied during password prompting: then, the least<br>
significant byte of each timestamp is XORed providing eventually a<br>
24bits seed for SHA256 function. The first 24bits of the generated<br>
context are used as the salt.<br>
<br>
- Even though I cannot claim that function is Bruce Schneier proof,<br>
the level of complexity added should provide a certain degree of<br>
security against rainbow tables (256bits secure hash, salt derived<br>
from "quite random" events like keystrokes, XOR is a statistical<br>
balanced function ...).<br>
<br>
This patch has been tested on GTA01BV04. It is stil unclear if it<br>
could work on FR (the twin bootloaders shall share the same ENV VARs).<br>
<br>
Comments are always welcome,<br>
<br>
Francesco Albanese<br></blockquote></div><br>Francesco, I highly recommend looking at <a href="http://eternallyconfuzzled.com/tuts/algorithms/jsw_tut_hashing.aspx">http://eternallyconfuzzled.com/tuts/algorithms/jsw_tut_hashing.aspx</a> for an analysis of various hashing algorithms. If you have a few sources of randomness and you hash them together with a good algorithm, that should be all you need.<br>
<br>To me, the Jenkins algorithm is the clear winner. The page I linked complains that it is significantly more difficult to implement, but it is still quite easy to implement since they give you a C implementation already :-) Computational complexity of an algorithm like that is utterly negligible on a processor of even a few KHz, much less 200 MHz+.<br clear="all">
<br>Bobby<br><br>-- <br>If it doesn't make you smile, you're doing something wrong.