First, a word of caution: Do not try this at home (unless you absolutely have to)!
When it comes to security, it is a good idea to use existing open algorithms that have been hammered on by scientists and crypto-crackers over the years and not some randomly thrown together piece of obfuscated code that might be as insecure as clear text.
In our case, we store passwords, and these are best hashed. A good hashing algorithm to use is SHA1, and so we tried to go with that one. Unfortunately if we want to hash at the client side (side note: We are now using TLS encryption) GWT needs to be able to translate the code into JavaScript. GWT doesn't implement getBytes of String, and so the hashing didn't work. Last resort: Create a very simple crypto cipher or create a new odd hashing algorithm. MECHA is the result of following the last approach, created on the basis that it will be "good enough".
It is at least better than some trivial substitution cipher.
MECHA is a bit of security through obscurity, and technically probably is a block cipher with hash properties. It is destructive in a way to prevent recovery of the original message, and it doesn't just substitute the letters, in order to prevent frequency analysis. A hash has the potential (but very unlikely) problem of collissions, and so does MECHA, even though it does not output a string of fixed length. It's computer science magic.
So now kids can, after having tapped into the TLS stream, now get an additional mathematical challenge of cracking MECHA, but even if they do figure out the inner workings of the algorithm, they can't get the password. Try reconstructing a finger from a hash of a fingerprint.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment