Hacker News new | ask | show | jobs
by tptacek 145 days ago
I have no idea who they are or what they were talking about. I think they're thinking about 3DES used as a password hash. I never in 100 years would have guessed that's where they were coming from.

The thread that ensued, a discussion of what it means for a cipher to be obsoleted or unsafe versus "broken", is an actually-interesting question.

I feel pretty OK about how this went.
1 comments
gjurhgd 145 days ago
You could never, in a million years, have guessed by "broken" they meant "it can be decrypted by the public with little effort?" I doubt that. I see no evidence they are talking about a password hash. Here's what they actually cited:

> The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, ...

They're clearly talking about it's use as a cipher. Again, someone who has been here as long as you have should understand that you shouldn't put words in their mouth or be evasive in this way.

The conversation would still have touched on these interesting topics, and would likely have done so more immediately.

link
tptacek 145 days ago
Do we have conflicting premises about what Hashcat is? I'm pretty sure you're just wrong here.
link
gjurhgd 145 days ago
Do we have conflicting premises about what SSH is? I'm pretty sure you're dodging and deflecting from the actual issues here.

They were clearly suggesting that there exists a publicly available tool to attack this algorithm. They clearly didn't care one way or the other about whether it was used in passwords. What they actually cited was vulnerabilities in network services.

You are being disingenuous. Cut it out.

link
tptacek 145 days ago
What are you talking about? No there isn't. There is no "publicly available tool to attack 3DES". Hashcat is a password cracker. You know what else it supports? AES. Is AES broken?
link
gjurhgd 144 days ago
It's very difficult for me to imagine a way you could have read my remarks in good faith and come to that conclusion. I hope someday you figure this out, I guess I have no hope of explaining it.
link
tptacek 144 days ago
Here's a simple question. When you said:

They were clearly suggesting that there exists a publicly available tool to attack this algorithm.

What were you referring to? If it was Hashcat, then I have just one more question:

Is Hashcat a publicly available tool that attacks AES?

link