Re: programming advice, calculating a sha256 hash
Nathan Coulson <conathan <at> gmail.com>
2011-07-12 19:22:39 GMT
On Tue, Jul 12, 2011 at 2:03 AM, Andy Bennett <andyjpb <at> ashurst.eu.org> wrote:
>> Probably not the normal use for this channel, but *shrug*, can't hurt.
>> I was attempting to code a sha256 hash function, for hashing a
>> password before sending it over the open net. (Sounds like it's
>> better than md5 for this)
>> getting started, I found some pseudocode at
>> http://en.wikipedia.org/wiki/SHA2 and went to work.
>> decided a blank string would be the best,
>> It gives me
>> but according to wikipedia above, it should be
> As you've not included the code I can't really help but I thought you
> might like to have a read of these in relation to passwords and hashing:
> Hashing secrets, salting and MAC
> <at> ndy
could have sworn I attached it (also, finally fixed it this morning,
had the h+=a; h+=b; in the loop, when it was supposed to be after
the loop, as well as some endian issues with the data. At least it
Thanks for the links, new territory for me at the moment. (and while
I hate to say it, my first solution's probably not going to be the
(originally planning on md5, but sha2 sounded like a more secure solution. )
I wanted to use it for client/server logins between 2 C programs.
Looks like doing some research on hmac-sha256 would have some benefit.
Fingerprints on files, sha256 should serve this fine.
also tossing around the idea of doing a hash on each packet (something
quick & simple). A way to identify it was most likely something I
should process. [or put some pattern into the packet...]. That way,
if some random program like firefox connected to the server, then it
is aware of it. Not sure if a hash is good, or if I should just toss
in a pattern like 0xa8e2 in the packet as a fingerprint.
server has the sha256 hash'd password
client has the sha256 hash'd password
server generates 64bit of random data as a key, send to client.
2 64bit arrays, o_key_pad, and i_key_pad, filled with 0x5c and 0x36
xor w/ key
return sha256(o_key_pad || hash(i_key_pad || sha256_password));
wonder if there is a way around sending the key from the server to the
client... (This key would be unique for each client, discarded when
logged out). My main concern is that the password cannot be generated
from the data sent from the client to the server.
Nathan Coulson (conathan)
Location: British Columbia, Canada
Timezone: PST (-8)
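The challenge-response login sketched in the message above, as an added example that is not the poster's code. It is in Python rather than C so that it runs with the standard library alone, and all function names are hypothetical. It assumes the conventional HMAC arrangement, with the stored hash as the key and the server's random value as the message (the post has them the other way round), and uses 64-byte pads, the SHA-256 block size.

```python
# Added example (not the poster's code); function names are hypothetical.
import hashlib
import hmac
import os

BLOCK = 64  # SHA-256 block size in bytes; both pads are this long

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 written out from the RFC 2104 definition."""
    if len(key) > BLOCK:                 # over-long keys are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")      # then zero-padded to one block
    o_key_pad = bytes(b ^ 0x5C for b in key)
    i_key_pad = bytes(b ^ 0x36 for b in key)
    inner = hashlib.sha256(i_key_pad + msg).digest()
    return hashlib.sha256(o_key_pad + inner).digest()

def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-written version against Python's hmac module."""
    return hmac_sha256(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()

def stored_secret(password: str) -> bytes:
    # What both sides keep, per the post. Note it is password-equivalent:
    # whoever copies it from the server can answer challenges.
    return hashlib.sha256(password.encode("utf-8")).digest()

def new_challenge() -> bytes:
    # Server side: fresh random value per login, sent in the clear.
    return os.urandom(16)

def client_response(password: str, challenge: bytes) -> bytes:
    # Assumption: secret as HMAC key, challenge as message.
    return hmac_sha256(stored_secret(password), challenge)

def server_verify(stored: bytes, challenge: bytes, response: bytes) -> bool:
    expected = hmac_sha256(stored, challenge)
    return hmac.compare_digest(expected, response)  # constant-time compare

if __name__ == "__main__":
    stored = stored_secret("correct horse")      # constructed sample password
    challenge = new_challenge()
    print(matches_stdlib(b"key", b"message"))
    print(server_verify(stored, challenge, client_response("correct horse", challenge)))
    print(server_verify(stored, challenge, client_response("wrong guess", challenge)))
    # A response captured earlier does not verify against a new challenge.
    print(server_verify(stored, new_challenge(), client_response("correct horse", challenge)))
```

The challenge has to be fresh for each login but does not have to be secret, so sending it from server to client in the clear is expected.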