Re: Encrypted column - Mailing list pgsql-general

From Brian Mathis
Subject Re: Encrypted column
Date
Msg-id 183c528b0706050822t64a067aeg74d4190ae2a51807@mail.gmail.com
In response to Re: Encrypted column  ("Marko Kreen" <markokr@gmail.com>)
Responses Re: Encrypted column  ("Marko Kreen" <markokr@gmail.com>)
List pgsql-general
On 6/5/07, Marko Kreen <markokr@gmail.com> wrote:
> On 6/5/07, Marko Kreen <markokr@gmail.com> wrote:
> > both md5 and sha1 are actually easier to bruteforce than
> > the old DES-based crypt.
>
> If this statement seems weird - the problem is the speed.
> MD5 and SHA1 are just faster algorithms than des-crypt.
>
> And there's nothing wrong with fast general-purpose algorithms,
> as long as their cryptographic properties hold.  Starting from
> 20-30 bytes the bruteforce is really not an option.
>
> But if you have under 10 bytes (let's be honest - you have
> 6 bytes...) the speed starts to matter, because it is possible
> on a random laptop to simply try all combinations.
>
> --
> marko
>

pgcrypto also supports md5, so I'm not sure what you're referring to
here.  As I already mentioned, *salting* before you hash is a very
important step.  I'm not sure if you saw that in my post.  Without a
salt, it's trivial to generate a list of all combinations of md5'd
strings and their results, up to reasonable lengths.  Then it would be
very simple to look up each hash and get the original text.  With a
salt, you need to generate all possible md5s for all possible salts --
a much harder task.

In any case, pgcrypto seems to be a nice and full-featured tool, so
one should use that instead of rolling their own.
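
An added example, not part of the original message: storing and checking a password with pgcrypto's salted crypt() and gen_salt(), which covers both points raised in the thread (a per-row salt and a deliberately slow hash). The app_user table and the sample values are constructed for illustration, and CREATE EXTENSION assumes PostgreSQL 9.1 or later.

```sql
-- pgcrypto ships as a contrib module; load it into the current database.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Hypothetical table for this example.
CREATE TABLE app_user (
    login  text PRIMARY KEY,
    pwhash text NOT NULL
);

-- gen_salt() returns a fresh random salt on every call. 'bf' selects the
-- Blowfish-based crypt algorithm and 8 is its iteration-count parameter,
-- which makes every single guess expensive (the speed issue from the thread).
INSERT INTO app_user (login, pwhash) VALUES
    ('alice', crypt('s3cret', gen_salt('bf', 8))),
    ('bob',   crypt('s3cret', gen_salt('bf', 8)));

-- Both users chose the same password, but each row got its own salt, so the
-- stored values differ and one precomputed table cannot cover both rows.
SELECT login, pwhash FROM app_user ORDER BY login;

-- Contrast: a bare md5() has no salt, so equal passwords always produce
-- equal hashes and a single lookup table applies to every row at once.
SELECT md5('s3cret') AS unsalted_alice,
       md5('s3cret') AS unsalted_bob;

-- Verification: the stored value embeds the algorithm, cost and salt, so it
-- is passed back to crypt() as the salt argument and the result is compared.
SELECT login,
       pwhash = crypt('s3cret', pwhash) AS correct_password_ok,
       pwhash = crypt('guess1', pwhash) AS wrong_password_ok
FROM app_user
WHERE login = 'alice';

-- Clean up the example table.
DROP TABLE app_user;
```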
