Nathan Coulson | 11 Jul 2011 08:44

programming advice, calculating a sha256 hash

Probably not the normal use for this channel, but *shrug*, can't hurt.

I was attempting to code a sha256 hash function, for hashing a
password before sending it over the open net.  (Sounds like it's
better than md5 for this)

getting started, I found some pseudocode at
http://en.wikipedia.org/wiki/SHA2 and went to work.

decided a blank string would be the best,

It gives me
74525b2e06b6cfebaa347250d2a6c6c9a5438fbbd4b44ffefe68dcdd7b1d1206

but according to wikipedia above, it should be
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

-- 
Nathan Coulson (conathan)
------
Location: British Columbia, Canada
Timezone: PST (-8)
Webpage: http://www.nathancoulson.com
Attachment (sha256.c): text/x-csrc, 3412 bytes
--

-- 
http://linuxfromscratch.org/mailman/listinfo/lfs-chat
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page

Andy Bennett | 12 Jul 2011 11:03

Re: programming advice, calculating a sha256 hash

Hi,

> Probably not the normal use for this channel, but *shrug*, can't hurt.
> 
> I was attempting to code a sha256 hash function, for hashing a
> password before sending it over the open net.  (Sounds like it's
> better than md5 for this)
> 
> getting started, I found some pseudocode at
> http://en.wikipedia.org/wiki/SHA2 and went to work.
> 
> decided a blank string would be the best,
> 
> It gives me
> 74525b2e06b6cfebaa347250d2a6c6c9a5438fbbd4b44ffefe68dcdd7b1d1206
> 
> but according to wikipedia above, it should be
> e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

As you've not included the code I can't really help but I thought you
might like to have a read of these in relation to passwords and hashing:

Hashing secrets, salting and MAC
http://benlog.com/articles/2008/06/19/dont-hash-secrets/

bcrypt
http://www.usenix.org/events/usenix99/provos/provos_html/node1.html

http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html


simon.willcocks@t-online.de | 12 Jul 2011 12:53

Re: programming advice, calculating a sha256 hash

Can't you just use this, from coreutils?  Or re-use their code.

 

knoppix@Microknoppix:~$ sha256sum --version
sha256sum (GNU coreutils) 8.4
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Ulrich Drepper, Scott Miller, and David Madore.
knoppix@Microknoppix:~$ echo -n '' | sha256sum
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  -
knoppix@Microknoppix:~$


-----Original Message-----
Subject: programming advice, calculating a sha256 hash
Date: Mon, 11 Jul 2011 08:44:49 +0200
From: Nathan Coulson <conathan <at> gmail.com>
To: General chatter list <lfs-chat <at> linuxfromscratch.org>

Probably not the normal use for this channel, but *shrug*, can't hurt.

I was attempting to code a sha256 hash function, for hashing a
password before sending it over the open net. (Sounds like it's
better than md5 for this)

getting started, I found some pseudocode at
http://en.wikipedia.org/wiki/SHA2 and went to work.

decided a blank string would be the best,

It gives me
74525b2e06b6cfebaa347250d2a6c6c9a5438fbbd4b44ffefe68dcdd7b1d1206

but according to wikipedia above, it should be
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855



--
Nathan Coulson (conathan)
------
Location: British Columbia, Canada
Timezone: PST (-8)
Webpage: http://www.nathancoulson.com

 

--

Nathan Coulson | 12 Jul 2011 21:22

Re: programming advice, calculating a sha256 hash

On Tue, Jul 12, 2011 at 2:03 AM, Andy Bennett <andyjpb <at> ashurst.eu.org> wrote:
> Hi,
>
>> Probably not the normal use for this channel, but *shrug*, can't hurt.
>>
>> I was attempting to code a sha256 hash function, for hashing a
>> password before sending it over the open net.  (Sounds like it's
>> better than md5 for this)
>>
>> getting started, I found some pseudocode at
>> http://en.wikipedia.org/wiki/SHA2 and went to work.
>>
>> decided a blank string would be the best,
>>
>> It gives me
>> 74525b2e06b6cfebaa347250d2a6c6c9a5438fbbd4b44ffefe68dcdd7b1d1206
>>
>> but according to wikipedia above, it should be
>> e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
>
> As you've not included the code I can't really help but I thought you
> might like to have a read of these in relation to passwords and hashing:
>
> Hashing secrets, salting and MAC
> http://benlog.com/articles/2008/06/19/dont-hash-secrets/
>
> bcrypt
> http://www.usenix.org/events/usenix99/provos/provos_html/node1.html
>
> http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
>
>
>
>
> Regards,
> @ndy

could have sworn I attached it (also, finally fixed it this morning,
found a javascript version, so I compared our variables each
iteration).

had the h[0]+=a; h[1]+=b; in the loop, when it was supposed to be after
the loop, as well as some endian issues with the data.  At least it
works

Thanks for the links,  new territory for me at the moment.  (and while
I hate to say it, my first solution's probably not going to be the
best).

 (originally planning on md5,  but sha2 sounded like a more secure solution.  )

I wanted to use it for client/server logins between 2 C programs.
Looks like doing some research on hmac-sha256 would have some benefit.

Fingerprints on files, sha256 should serve this fine.

also tossing around the idea of doing a hash on each packet (something
quick & simple).  A way to identify it was most likely something I
should process.  [or put some pattern into the packet...].  That way,
if some random program like firefox connected to the server, then It
is aware of it.  Not sure if a hash is good, or if I should just toss
in a pattern like 0xa8e2 in the packet as a fingerprint.

hmac, hmm...
server has the sha256 hash'd password
client has the sha256 hash'd password

server generates 64bit of random data as a key, send to client.

on client&server
2 64bit arrays, o_key_pad, and i_key_pad, filled with 0x5c and 0x36
xor w/ key
return sha256(o_key_pad || hash(i_key_pad || sha256_password));

wonder if there is a way around sending the key from the server to the
client...  (This key would be unique for each client, discarded when
logged out).  My main concern is that the password cannot be generated
from the data sent from the client to the server.

-- 
Nathan Coulson (conathan)
------
Location: British Columbia, Canada
Timezone: PST (-8)
Webpage: http://www.nathancoulson.com
Attachment (sha256.c): text/x-csrc, 3149 bytes
--

Nathan Coulson | 12 Jul 2011 21:24

Re: programming advice, calculating a sha256 hash

On Tue, Jul 12, 2011 at 3:53 AM, simon.willcocks <at> t-online.de
<simon.willcocks <at> t-online.de> wrote:
> Can't you just use this, from coreutils?  Or re-use their code.
>
>
>
> knoppix@Microknoppix:~$ sha256sum --version
> sha256sum (GNU coreutils) 8.4
> Copyright (C) 2010 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
> <http://gnu.org/licenses/gpl.html>.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Written by Ulrich Drepper, Scott Miller, and David Madore.
> knoppix@Microknoppix:~$ echo -n '' | sha256sum
> e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  -
> knoppix@Microknoppix:~$

true, but this is more research than functionality.

-- 
Nathan Coulson (conathan)
------
Location: British Columbia, Canada
Timezone: PST (-8)
Webpage: http://www.nathancoulson.com
--

Andy Bennett | 13 Jul 2011 10:42

Re: lfs-chat Digest, Vol 1200, Issue 1

Hi,

> could have sworn I attached it (also, finally fixed it this morning,
> found a javascript version, so I compared our variables each
> iteration).

Ah! Perhaps I didn't get it because I'm set up for digest rather than
individual mails.

> (originally planning on md5,  but sha2 sounded like a more secure
> solution.  )

Yeah. With SHA the hash is unlikely to be the weakest part of your
solution as a whole.

> I wanted to use it for client/server logins between 2 C programs.
> Looks like doing some research on hmac-sha256 would have some benefit.

Perhaps you might enjoy reading up on some of the other worse or better
designed password negotiation algorithms such as CRAM-MD5 / LOGIN /
PLAIN / LANMAN, etc. Cyrus SASL (whilst a complete pain to actually
install and use) has implementations and documentation around almost all
of the common ones.

> Fingerprints on files, sha256 should serve this fine.

Agreed. Tiger is also a good one for this.

> also tossing around the idea of doing a hash on each packet (something
> quick & simple).  A way to identify it was most likely something I
> should process.  [or put some pattern into the packet...].  That way,
> if some random program like firefox connected to the server, then It
> is aware of it.  Not sure if a hash is good, or if I should just toss
> in a pattern like 0xa8e2 in the packet as a fingerprint.

Magic numbers (such as 0xa8e2) are often used to signal proposed
validity so that's a good approach to the problem of initially filtering
packets.

Once you've received your packet you might want to determine whether
it's corrupt. A CRC is more suited to that task than a cryptographic
hash. They don't have non-reversible cryptographic properties but
they're designed to be fast and their outputs small.

http://en.wikipedia.org/wiki/Cyclic_redundancy_check

The FNV (non cryptographic) hash may also be worth a look

http://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function

> wonder if there is a way around sending the key from the server to the
> client...  (This key would be unique for each client, discarded when
> logged out).  My main concern is that the password cannot be generated
> from the data sent from the client to the server.

See the note above regarding password negotiation algorithms.

Regards,
@ndy

-- 
andyjpb <at> ashurst.eu.org
http://www.ashurst.eu.org/
0x7EBA75FF

--
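
Andy's two suggestions above combined, as an added example that is not code from the thread: a frame check that uses the 0xa8e2 magic number to reject traffic from unrelated programs and a CRC-32 to catch corruption. The frame layout (magic, 16-bit length, payload, CRC, all big-endian) and the function names are assumptions; neither field authenticates the sender, since anyone can compute both.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAGIC 0xa8e2u /* the pattern proposed in the thread */

enum frame_status { FRAME_OK, FRAME_SHORT, FRAME_NOT_OURS, FRAME_BAD_LEN, FRAME_CORRUPT };

/* Bitwise CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320). */
uint32_t frame_crc32(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Assumed layout: magic(2) | length(2) | payload | crc32(4), big-endian.
 * out must hold len + 8 bytes. Returns the frame size. */
size_t frame_build(uint8_t *out, const uint8_t *payload, uint16_t len) {
    out[0] = (uint8_t)(MAGIC >> 8);
    out[1] = (uint8_t)(MAGIC & 0xff);
    out[2] = (uint8_t)(len >> 8);
    out[3] = (uint8_t)(len & 0xff);
    memcpy(out + 4, payload, len);
    uint32_t c = frame_crc32(out, 4u + len); /* CRC covers header and payload */
    for (int i = 0; i < 4; i++)
        out[4 + len + i] = (uint8_t)(c >> (24 - 8 * i));
    return 8u + len;
}

/* Classify a received buffer: cheap checks first, CRC last. */
enum frame_status frame_check(const uint8_t *buf, size_t n) {
    if (n < 8) return FRAME_SHORT;
    if ((((unsigned)buf[0] << 8) | buf[1]) != MAGIC) return FRAME_NOT_OURS;
    size_t len = ((size_t)buf[2] << 8) | buf[3];
    if (n != len + 8) return FRAME_BAD_LEN; /* trust only what actually arrived */
    const uint8_t *t = buf + 4 + len;
    uint32_t got = (uint32_t)t[0] << 24 | (uint32_t)t[1] << 16 | (uint32_t)t[2] << 8 | t[3];
    return got == frame_crc32(buf, 4 + len) ? FRAME_OK : FRAME_CORRUPT;
}
```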


Andrew Elian | 14 Jul 2011 08:03

dpkg and LFS

Hello all,

I've just finished off LFS 6.8 with dpkg 1.15.8.10 as the package
manager.  It's my pet project, although using dpkg does add another layer of
complexity.  Over the course of doing this, I created a shell script to help out
with runtime dependencies and would like to share it with you.  I figure
that there's an outside chance someone else might get some use out of
it.  Of course, suggestions are always welcome.

---*---*---

#!/bin/sh
set -e

# dep.sh: Shell script to help out with dependencies
# Created by Andrew Elian <e_lion_1 <at> hotmail.com>
# 
# Copyright ???? Who'd want to copy this anyway ???? 2010
# Okay, then GPL it is.
#
# There are *official* debian tools which look like they do the same thing.
# Hmmm.  Might have to look into those
# 
# Needs a DEPFILE, dpkg and the usual command line tools
# to work correctly
#
# DEPFILE is a flat text file with the listing of
# deb packages installed and their respective deb dep
# eg. essential-files_0.1_amd64.deb: essential-files (= 0.1)

DEPFILE="/usr/share/dLFS/Dependencies"

# Quote $1 so the test still works when no argument is given
if [ "$1" = "-h" ]; then
      echo "dep.sh, the dpkg dependency finder version 0.3"
      echo "Finds all runtime dependencies in current directory: dep.sh"
      echo "Finds all runtime dependencies of app or shared object: dep.sh foo"
      exit 0
fi

# Private temp files from mktemp rather than fixed names in /tmp, which
# another local user could pre-create or symlink, and which would keep
# stale data after a failed run. The trap removes them on any exit.
TMP1=$(mktemp)
TMP2=$(mktemp)
trap 'rm -f "$TMP1" "$TMP2"' EXIT

if  [ "$1" = "" ]; then
  echo "Finding shared libs and executables"
  process=$(
    for A in $(find . | xargs file |grep -e "executable" -e "shared" | grep ELF | cut -f 1 -d:)
      do
        objdump -p "$A" |
        grep NEEDED |
        cut -d ' ' -f 18 # Use just the name
    done
  )
else
  process=$(objdump -p "$1" |grep NEEDED | cut -d ' ' -f 18)
fi

# Find which packages the libs and executables belong to
results(){
for package in $process
  do
    dpkg -S "$package" |
      cut -d: -f1 |
        sort -u >> "$TMP1"
  done
}

# Get the dep part from Dependencies
compare(){
for C in $(sort -u "$TMP1")
  do
    grep -i "${C}_" "$DEPFILE" |
      grep -v '#' | # ignore lines with hash marks - are comments
        cut -d : -f 2 >> "$TMP2"
  done
}

# Tidy up the output. sed adds a comma, xargs puts it into one line 
# and then sed takes just the last comma off
output(){
sed 's/)/),/' "$TMP2" | xargs | sed 's/\(.*\)./\1/'
}

clean(){
  rm -f "$TMP1" "$TMP2"
}

### Main Program ###
echo "Getting Results"
results
echo "Comparing against $DEPFILE"
compare
echo
output
echo
echo "Cleaning up"
clean
echo "All Done!"

---*---*---

Cheers,
ae
-- 
My Blog: http://elian001.wordpress.com
--


David Shaw | 24 Jul 2011 16:39

Package management idea

First of all, please accept my apologies if what I'm about to write 
seems rather incoherent or is just plain impractical - I'm not a linux 
guru (candidate for 'Understatement of the Year' there :-) ) and don't 
really know what I'm talking about :-)

Anyway...

I've been thinking about package management and, having read the hints, 
I feel that a combination of package users and fakeroot fits my needs 
the best.  However, there seem to be a few problems with fakeroot and 
packages hardcoding directories into the compiled programs so...

Is it possible/feasible/(desirable?) to install the tools needed to 
compile and install a package into a directory other than the norm (say 
/fr/<whatever> for 'fakeroot') and then create links in the appropriate 
places to the installed files (so that the system doesn't start 
complaining when they aren't where it expects them to be).  You could 
then chroot into the /fr folder to compile/install the package as normal 
and then copy the files you want over into the 'real' system after 
verifying that the install has gone OK and not done anything nasty to 
the system.

Does that even make sense?

David Shaw
--


David Shaw | 24 Jul 2011 19:39

Re: Package management idea

Probably bad form to reply to my own post, but, hey...

Actually, while I think this idea has merit, there is a flaw which can 
be summed up in one word.

Dependencies.

I'll go away and think a little more about it.

David Shaw

On 24/07/11 15:39, David Shaw wrote:
> First of all, please accept my apologies if what I'm about to write
> seems rather incoherent or is just plain impractical - I'm not a linux
> guru (candidate for 'Understatement of the Year' there :-) ) and don't
> really know what I'm talking about :-)
>
> Anyway...
>
> I've been thinking about package management and, having read the hints,
> I feel that a combination of package users and fakeroot fits my needs
> the best.  However, there seem to be a few problems with fakeroot and
> packages hardcoding directories into the compiled programs so...
>
> Is it possible/feasible/(desirable?) to install the tools needed to
> compile and install a package into a directory other than the norm (say
> /fr/<whatever>  for 'fakeroot') and then create links in the appropriate
> places to the installed files (so that the system doesn't start
> complaining when they aren't where it expects them to be).  You could
> then chroot into the /fr folder to compile/install the package as normal
> and then copy the files you want over into the 'real' system after
> verifying that the install has gone OK and not done anything nasty to
> the system.
>
> Does that even make sense?
>
> David Shaw

--


Andy Bennett | 25 Jul 2011 10:50

Re: Package management idea

Hi,

> First of all, please accept my apologies if what I'm about to write 
> seems rather incoherent or is just plain impractical - I'm not a linux 
> guru (candidate for 'Understatement of the Year' there :-) ) and don't 
> really know what I'm talking about :-)
> 
> Anyway...
> 
> I've been thinking about package management and, having read the hints, 
> I feel that a combination of package users and fakeroot fits my needs 
> the best.  However, there seem to be a few problems with fakeroot and 
> packages hardcoding directories into the compiled programs so...
> 
> Is it possible/feasible/(desirable?) to install the tools needed to 
> compile and install a package into a directory other than the norm (say 
> /fr/<whatever> for 'fakeroot') and then create links in the appropriate 
> places to the installed files (so that the system doesn't start 
> complaining when they aren't where it expects them to be).  You could 
> then chroot into the /fr folder to compile/install the package as normal 
> and then copy the files you want over into the 'real' system after 
> verifying that the install has gone OK and not done anything nasty to 
> the system.
> 
> Does that even make sense?

Check out encap and epkg if you haven't already.

Regards,
@ndy

-- 
andyjpb <at> ashurst.eu.org
http://www.ashurst.eu.org/
0x7EBA75FF

--


