[PATCH] Adding password protection to U-boot: salted version

Bobby Martin bobbymartin2 at gmail.com
Mon Jun 16 18:02:26 CEST 2008


> From: "Francesco Albanese" <frances.albanese at gmail.com>
> Hello,
>
> I have cleaned my code and I updated my patch with a new feature for
> salting the password.
>
> - The salt is generated collecting a timestamp for every valid
> keystroke supplied during password prompting: then, the least
> significant byte of each timestamp is XORed providing eventually a
> 24bits seed for SHA256 function. The first 24bits of the generated
> context are used as the salt.
>
> - Even though I cannot claim that function is Bruce Schneier proof,
> the level of complexity added should provide a certain degree of
> security against rainbow tables (256bits secure hash, salt derived
> from "quite random" events like keystrokes, XOR is a statistical
> balanced function ...).
>
> This patch has been tested on GTA01BV04. It is still unclear if it
> could work on FR (the twin bootloaders shall share the same ENV VARs).
>
> Comments are always welcome,
>
> Francesco Albanese
>

Francesco, I highly recommend looking at
http://eternallyconfuzzled.com/tuts/algorithms/jsw_tut_hashing.aspx for an
analysis of various hashing algorithms.  If you have a few sources of
randomness and you hash them together with a good algorithm, that should be
all you need.

To me, the Jenkins algorithm is the clear winner.  The page I linked
complains that it is significantly more difficult to implement, but it is
still quite easy to implement since they give you a C implementation already
:-)  Computational complexity of an algorithm like that is utterly
negligible on a processor of even a few KHz, much less 200 MHz+.

Bobby

-- 
If it doesn't make you smile, you're doing something wrong.
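
The salt derivation described in the quoted message, as an added sketch that is not part of the patch or of either poster's message. How the XORed bytes are packed into 24 bits, how salt and password are combined, and the stored record layout are assumptions; the function names are hypothetical.

```python
import hashlib
import hmac


def seed_from_timestamps(timestamps):
    """XOR the least significant byte of each keystroke timestamp into a seed.

    Assumption: byte i is folded into lane i % 3 of a 3-byte (24-bit) seed;
    the message does not say how the XORed bytes make up 24 bits.
    """
    seed = bytearray(3)
    for i, ts in enumerate(timestamps):
        seed[i % 3] ^= ts & 0xFF
    return bytes(seed)


def salt_from_seed(seed):
    """The first 24 bits of SHA-256(seed) are used as the salt."""
    return hashlib.sha256(seed).digest()[:3]


def make_record(password, timestamps):
    """Return salt || SHA-256(salt || password) (assumed storage layout)."""
    salt = salt_from_seed(seed_from_timestamps(timestamps))
    return salt + hashlib.sha256(salt + password).digest()


def verify(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = record[:3], record[3:]
    candidate = hashlib.sha256(salt + password).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample: tick counter values captured at six keystrokes.
    ticks = [104233, 104391, 104530, 104702, 104866, 105011]
    record = make_record(b"secret", ticks)
    print(record.hex())
    print(verify(b"secret", record), verify(b"Secret", record))
    # With no keystrokes the seed is all zero, so the salt is a fixed value.
    print(seed_from_timestamps([]).hex())
```

A 24-bit salt can take at most 2^24 distinct values, whatever the quality of the keystroke timing that seeds it.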
More information about the openmoko-devel mailing list