Hello, I am about 60% finished with an application I am writing in PHP and C for OpenBSD to dynamically (re)set pf rules (actually the system will later be able to send not only pf commands but also any command line argument to the server) and had a question regarding hashes used as tokens, as I am not very good when it comes to cryptographic theory.
The scheme I have designed/implemented takes a username and formatted time (strips seconds and divides minutes into "t" parts), concatenates the two strings together and then hashes them. I then take the resulting hash and hash it using a one time key. That resulting hash is a 40 character hex string. This is of course too long for the user to input, so I then divide the hash into octets, randomly select one octet and append the octet position (1-5) to the end of the selected octet, thus leaving a 9 char hex token. This is what the user uses to login/authenticate the commands. The token is only valid for "t" minutes. The receiving server has a copy of the "one use" keys-file and thus can calculate the hash/token itself as long as the user logs in using the token within the prescribed time "t", else the hash will be different.

Now my question. Disregarding the randomness (weak or strong source) and speaking in general terms, how much of a compromise is it to do what I did in splitting the token? Does it make the system much weaker as the user only uses 8 of the 40 characters? Would it make a difference if, instead of dividing the hash into sequential octets for the token, I used say every fifth character for the first token and so on?

I know this might be a bit vague and there are many factors that determine the "strength" of this scheme, like the security of the key-files, but considering only the way I use the hash and final token, is it much of a compromise to the strength? I don't know, maybe it's not possible to answer!? Anyhow, grateful for any input. Thanks.
// Jorgen

Jorgen Boberg
Managing Director & Senior Consultant
Intellibit Consulting SIA
Krisjana Barona Iela 37/30
LV-1011, Riga
Latvia
Tel: +371 83 80 803
Email: [EMAIL PROTECTED]
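The token scheme described in the post, written out as an added example (not the poster's PHP/C code) so the generation and server-side check can be read side by side. It assumes SHA-1 for the 40-character digest, HMAC-SHA1 for the "hash it using a one time key" step, and a `YYYYMMDDHH` + window-minute time format; the function names, user name and key are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

GROUPS, GROUP_LEN = 5, 8  # 40 hex chars split into five 8-char groups


def window_stamp(now: datetime, t: int) -> str:
    """Drop seconds and round minutes down to a t-minute window (assumed format)."""
    return now.strftime("%Y%m%d%H") + f"{(now.minute // t) * t:02d}"


def full_hash(username: str, key: bytes, now: datetime, t: int) -> str:
    """Hash username+time, then hash that result under the one-time key."""
    inner = hashlib.sha1((username + window_stamp(now, t)).encode()).hexdigest()
    # Assumption: the keyed step is HMAC-SHA1; the post does not name the construction.
    return hmac.new(key, inner.encode(), hashlib.sha1).hexdigest()


def make_token(username, key, now, t, position=None) -> str:
    """Pick one 8-char group and append its position (1-5): a 9-char token."""
    digest = full_hash(username, key, now, t)
    pos = position or secrets.randbelow(GROUPS) + 1
    start = (pos - 1) * GROUP_LEN
    return digest[start:start + GROUP_LEN] + str(pos)


def verify_token(token: str, username, key, now, t) -> bool:
    """Server side: recompute the digest and compare only the named group."""
    body = token[:-1].lower()
    if len(token) != GROUP_LEN + 1 or token[-1] not in "12345":
        return False
    if not set(body) <= set("0123456789abcdef"):
        return False
    expected = make_token(username, key, now, t, position=int(token[-1]))
    return hmac.compare_digest(body + token[-1], expected)  # constant-time compare


def guess_space_bits() -> int:
    """Bits left to guess once a position is named: 8 hex chars * 4 bits each."""
    return GROUP_LEN * 4


if __name__ == "__main__":
    key = b"constructed-one-time-key"  # constructed sample value
    now = datetime(2005, 3, 1, 14, 37, 52, tzinfo=timezone.utc)  # constructed
    tok = make_token("alice", key, now, t=5)
    print(tok, verify_token(tok, "alice", key, now, 5), guess_space_bits())
```

All five groups are accepted during a window, and whichever one is typed carries 32 bits of the 160-bit digest, so the server-side limit on attempts per window is part of the scheme's strength.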