From: Christian Baer
Newsgroups: gmane.os.freebsd.security.general
To: freebsd-security@freebsd.org
Date: Tue, 10 Jul 2007 11:28:10 +0200 (CEST)
Organization: Convenimus Projekt
Subject: slight irritation using digest (from the ports)

Hello Folks!

For a special application I needed to create digests (or hashes) using the whirlpool algorithm. It was kind of hard to find something that actually did that.
But I found digest in the ports tree - ok, with some help from someone who seemed to know what to look for. :-)

What irritates me is the Wikipedia page on Whirlpool:

http://en.wikipedia.org/wiki/Whirlpool_%28algorithm%29

There is a chance that the author of the article messed up somehow but when you are handling sensitive stuff, chances aren't really the things you want to take.

My irritations in detail:

My zero-hash is the same as the example shown for whirlpool (whirlpool-2). That's a good sign so far.

My hash for "The quick brown fox jumps over the lazy dog" is:

72687676756b91ad986f2e56df761b354b748bc20098354b017b924e82cc67ae
059da85f009d1a17c0f12ec0e644c0c3a193f3fc0fee22f053edbfcd95cbf873

And that is nowhere near the examples shown in the article. The same basic thing applies for the change of "dog" to "eog". My hashes are completely different - as in "no chance the hashes were transferred by typing and a typo snuck in".

I've tried changing the first letter to a small 't' in case the author didn't hash the sentence with a capital, but that didn't resolve the problem, nor did adding a full stop. I even added the quotes to the string that whirlpool digested - didn't change anything. I know I could try changing the input until kingdom come without finding the error, so I left it at that.

I could however verify (using a few tests, if you want to call that "verifying") that the results were the same on both i386 and sparc64 platforms - but since the port was taken from NetBSD, there aren't any surprises in that.

Just to make things a little more complex, I encoded "Telegraph Road" off one of my Dire Straits CDs to mp3, hashed that with digest and compared the hash to the result a friend of mine got with Jacksum[1] on a Windows box. These were the same and Jacksum says the algorithm is WHIRLPOOL-2 (which is usually named without the number).

This may be only a small irritation but since we are talking about a security issue, I don't want to dismiss it too easily either. Are there any opinions on this out there?

Regards
Chris

[1] http://www.jonelo.de/java/jacksum/