--- "Kuchler, David" <[EMAIL PROTECTED]> wrote:
> Curtis,
>
> Maybe this is a dumb question from the encryption-ignorant, but why wouldn't
> you want $rand to change? I would think that the more randomness you
> introduce, the more effective the encryption. I am aware that the idea of a
> hash function is ideally twofold: The original values should be effectively
> impossible (or just very very difficult) to derive from the hash, and small
> changes in the input data should (I believe) cause large changes in the hash
> value. Please correct me if I've got a fundamental misunderstanding here,
> because I have just enough knowledge to make a fool of myself.

David, you have the basic idea correct, so I may have explained myself poorly. Having $rand change is fine, so long as it's *not* changed when regenerating a digest for a particular password. For example, consider this code to add a new user to a database:

    #!/usr/bin/perl -w
    use strict;
    use Digest::MD5 qw ( md5_base64 );

    my $rand = 'yed*73=1/+#@%d';
    my $user = 'joe_user';
    my $pass = 'secret';
    my @data = ($rand, $pass);
    my $encrypted_pass = md5_base64( @data );

    # pretend this sub call adds the user to the database
    add_to_users( $user, $encrypted_pass );

Later, if you try to recompute the hash for *the same* user with a *different* $rand, the hash won't match and you won't be able to authenticate the user.

You could use a different $rand for each user, so long as each and every time a hash is generated, the same $rand is used for the same data for which you are creating the hash. Therein lies the problem: how do you create $rand? If you have a poor algorithm generating the $rand, and you can't generate the same $rand for the same data every time, you cannot retrieve your data.

Managing a different $rand for every user would be difficult. However, as you pointed out, it would be more secure so long as you can protect the $rand value from prying eyes (as my short snippet does not).

Cheers,
Curtis Poe
=====
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
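
An added example (not part of the original message, and not Curtis's code) of one way to manage a different $rand per user: generate it once when the user is added, store it beside the digest, and read it back at verification time. It assumes a Unix-like /dev/urandom, an in-memory %users hash standing in for the database, and SHA-256 from Digest::SHA swapped in for the post's MD5; new_salt, digest_for and check_password are hypothetical names.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw( sha256_base64 );

# Hypothetical in-memory stand-in for the users table: user => [ salt, digest ]
my %users;

# Read 16 random bytes from the OS and hex-encode them as this user's $rand.
sub new_salt {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read( $fh, my $bytes, 16 );
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 16;
    return unpack 'H*', $bytes;
}

# Same construction as the post: digest over $rand followed by the password.
sub digest_for {
    my ($salt, $pass) = @_;
    return sha256_base64( $salt . $pass );
}

# Generate $rand once, at enrolment, and store it next to the digest.
sub add_to_users {
    my ($user, $pass) = @_;
    my $salt = new_salt();
    $users{$user} = [ $salt, digest_for($salt, $pass) ];
    return;
}

# Verification looks up the stored $rand instead of generating a new one.
sub check_password {
    my ($user, $pass) = @_;
    my $rec = $users{$user} or return 0;
    my ($salt, $stored) = @$rec;
    return digest_for($salt, $pass) eq $stored ? 1 : 0;
}

add_to_users( 'joe_user', 'secret' );
add_to_users( 'ann_user', 'secret' );    # same password, different $rand

print "joe, correct password: ", check_password('joe_user', 'secret'), "\n";
print "joe, wrong password:   ", check_password('joe_user', 'guess'),  "\n";
print "same password, digests differ: ",
    ( $users{joe_user}[1] ne $users{ann_user}[1] ? 1 : 0 ), "\n";
# Recomputing with a newly generated $rand is the failure the post describes.
print "fresh rand matches stored digest: ",
    ( digest_for(new_salt(), 'secret') eq $users{joe_user}[1] ? 1 : 0 ), "\n";
```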