Hello all, what sort of crazy bug would make Tor give different hashes for the same password?
$ tor --hash-password hello
16:735E6FA5355D4146606AFE25B61B411DF419878C99705164D038FC99BC
$ tor --hash-password hello
16:8201E7D35BB8CACB60BF8947B49A3480BA1A17E77EDA8BE45790746884
$ tor --version
Tor version 0.3.1.7 (git-6babd3d9ba9318b3).
(on OSX 10.4).
GD
Here is an excerpt from the "Tor control protocol":
If the 'HashedControlPassword' option is set, it must contain the salted hash of a secret password. The salted hash is computed according to the S2K algorithm in RFC 2440 (OpenPGP), and prefixed with the s2k specifier. This is then encoded in hexadecimal, prefixed by the indicator sequence "16:". Thus, for example, the password 'foo' could encode to:
16:660537E3E1CD49996044A3BF558097A981F539FEA2F9DA662B4626C1C2
https://gitweb.torproject.org/torspec.git/tree/control-spec.txt#n3116
On Oct 14, 2017, at 5:33 PM, Geoff Down geoffdown@fastmail.net wrote:
> Hello all, what sort of crazy bug would make Tor give different hashes for the same password?
> $ tor --hash-password hello
> 16:735E6FA5355D4146606AFE25B61B411DF419878C99705164D038FC99BC
> $ tor --hash-password hello
> 16:8201E7D35BB8CACB60BF8947B49A3480BA1A17E77EDA8BE45790746884
> $ tor --version
> Tor version 0.3.1.7 (git-6babd3d9ba9318b3).
> (on OSX 10.4).
> GD
On 14 Oct 2017, at 20:33, Geoff Down geoffdown@fastmail.net wrote:
> Hello all, what sort of crazy bug would make Tor give different hashes for the same password?
> $ tor --hash-password hello
> 16:735E6FA5355D4146606AFE25B61B411DF419878C99705164D038FC99BC
> $ tor --hash-password hello
> 16:8201E7D35BB8CACB60BF8947B49A3480BA1A17E77EDA8BE45790746884
> $ tor --version
> Tor version 0.3.1.7 (git-6babd3d9ba9318b3).
This is normal behaviour for salted hashes.
T
On Sun, Oct 15, 2017, at 01:51 AM, teor wrote:
> On 14 Oct 2017, at 20:33, Geoff Down geoffdown@fastmail.net wrote:
>> Hello all, what sort of crazy bug would make Tor give different hashes for the same password?
>> $ tor --hash-password hello
>> 16:735E6FA5355D4146606AFE25B61B411DF419878C99705164D038FC99BC
>> $ tor --hash-password hello
>> 16:8201E7D35BB8CACB60BF8947B49A3480BA1A17E77EDA8BE45790746884
>> $ tor --version
>> Tor version 0.3.1.7 (git-6babd3d9ba9318b3).
> This is normal behaviour for salted hashes.
But which one then goes in the torrc? And how then can the password sent to the control port be matched if its hash changes? Surely a salted hash has to use the same salt every time?
GD
On 15 Oct 2017, at 07:26, Geoff Down geoffdown@fastmail.net wrote:
> On Sun, Oct 15, 2017, at 01:51 AM, teor wrote:
>> On 14 Oct 2017, at 20:33, Geoff Down geoffdown@fastmail.net wrote:
>>> Hello all, what sort of crazy bug would make Tor give different hashes for the same password?
>>> $ tor --hash-password hello
>>> 16:735E6FA5355D4146606AFE25B61B411DF419878C99705164D038FC99BC
>>> $ tor --hash-password hello
>>> 16:8201E7D35BB8CACB60BF8947B49A3480BA1A17E77EDA8BE45790746884
>>> $ tor --version
>>> Tor version 0.3.1.7 (git-6babd3d9ba9318b3).
>> This is normal behaviour for salted hashes.
> But which one then goes in the torrc?
Either. If one doesn't work, that's a bug (or there's an extra space in the password).
> And how then can the password sent to the control port be matched if its hash changes?
HashedControlPassword contains algorithm,salt,hash(algorithm,salt,password)
The password is hashed with the salt using an algorithm, and the hash is matched against hash(algorithm,salt,password).
> Surely a salted hash has to use the same salt every time?
No, it's precisely the opposite: a salted hash provides protection *because* it uses a different salt every time. This protects against rainbow tables, which contain hashes of common password strings (or in some cases, all sufficiently short strings).
Some background that may be helpful:
https://en.m.wikipedia.org/wiki/Salt_(cryptography)
T
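The matching step described in the message above, as an added example (not part of the thread and not Tor's own code). It assumes the "16:" string decodes to an 8-byte salt, one RFC 2440 count byte and a SHA-1 digest; the function names are illustrative.

```python
import hashlib
import hmac
import os

# Assumed layout (not stated in the thread): 8-byte salt, 1 count byte, SHA-1 digest.
# The two hashes quoted in the thread, both produced from the password "hello".
PAGE_HASHES = [
    "16:735E6FA5355D4146606AFE25B61B411DF419878C99705164D038FC99BC",
    "16:8201E7D35BB8CACB60BF8947B49A3480BA1A17E77EDA8BE45790746884",
]

def s2k_count(indicator):
    """Decode the RFC 2440 one-byte count: how many bytes get hashed."""
    return (16 + (indicator & 15)) << ((indicator >> 4) + 6)

def s2k_sha1(salt, indicator, password):
    """SHA-1 over salt+password, repeated and truncated to s2k_count bytes."""
    block = salt + password
    reps, rest = divmod(s2k_count(indicator), len(block))
    h = hashlib.sha1()
    for _ in range(reps):
        h.update(block)
    h.update(block[:rest])
    return h.digest()

def parse(hashed):
    """Split '16:<hex>' into (8-byte salt, count indicator, 20-byte digest)."""
    prefix, _, hexpart = hashed.strip().partition(":")
    raw = bytes.fromhex(hexpart)
    if prefix != "16" or len(raw) != 29:
        raise ValueError("not a 16: salted S2K hash")
    return raw[:8], raw[8], raw[9:]

def make_hash(password, salt=None, indicator=0x60):
    """Build a HashedControlPassword-style value; fresh random salt by default."""
    salt = os.urandom(8) if salt is None else salt
    digest = s2k_sha1(salt, indicator, password.encode())
    return "16:" + (salt + bytes([indicator]) + digest).hex().upper()

def verify(hashed, password):
    """Re-hash the candidate with the salt stored in the string, then compare."""
    salt, indicator, stored = parse(hashed)
    return hmac.compare_digest(s2k_sha1(salt, indicator, password.encode()), stored)

if __name__ == "__main__":
    for h in PAGE_HASHES:
        salt, indicator, _ = parse(h)
        print(salt.hex(), s2k_count(indicator), verify(h, "hello"))
    a, b = make_hash("hello"), make_hash("hello")
    print(a != b, verify(a, "hello"), verify(b, "hello"), verify(a, "hello "))
```

Run directly, it prints the salt and byte count carried by each of the thread's two strings and whether "hello" verifies against them, then shows two fresh hashes of one password differing while both still verify.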
On Sun, Oct 15, 2017, at 12:49 PM, teor wrote:
> On 15 Oct 2017, at 07:26, Geoff Down geoffdown@fastmail.net wrote:
>> On Sun, Oct 15, 2017, at 01:51 AM, teor wrote:
>>> On 14 Oct 2017, at 20:33, Geoff Down geoffdown@fastmail.net wrote:
>>>> Hello all, what sort of crazy bug would make Tor give different hashes for the same password?
>>>> $ tor --hash-password hello
>>>> 16:735E6FA5355D4146606AFE25B61B411DF419878C99705164D038FC99BC
>>>> $ tor --hash-password hello
>>>> 16:8201E7D35BB8CACB60BF8947B49A3480BA1A17E77EDA8BE45790746884
>>>> $ tor --version
>>>> Tor version 0.3.1.7 (git-6babd3d9ba9318b3).
>>> This is normal behaviour for salted hashes.
>> But which one then goes in the torrc?
> Either. If one doesn't work, that's a bug (or there's an extra space in the password).
Right, got it - the salt is stored in that string too. My password stopped working, so I was trying to check the hash and of course got a different result. That leaves the original puzzle of why the password stopped working... Thanks!