Date: Tue, 10 Jul 2007 11:28:10 +0200 (CEST)
From: Christian Baer <christian.baer@uni-dortmund.de>
To: freebsd-security@freebsd.org
Subject: slight irritation using digest (from the ports)
Message-ID: <f6vjfa$2d5v$1@nermal.rz1.convenimus.net>
Hello Folks!

For a special application I needed to create digests (or hashes) using the whirlpool algorithm. It was kind of hard to find something that actually did that. But I found digest in the ports tree - ok, with some help from someone who seemed to know what to look for. :-)

What irritates me is the Wikipedia-page on Whirlpool:

http://en.wikipedia.org/wiki/Whirlpool_%28algorithm%29

There is a chance that the author of the article messed up somehow but when you are handling sensitive stuff, chances aren't really the things you want to take.

My irritations in detail:

My zero-hash is the same as the example shown for whirlpool (whirlpool-2). That's a good sign so far.

My hash for "The quick brown fox jumps over the lazy dog" is:

72687676756b91ad986f2e56df761b354b748bc20098354b017b924e82cc67ae
059da85f009d1a17c0f12ec0e644c0c3a193f3fc0fee22f053edbfcd95cbf873

And that is nowhere near the examples shown in the article. The same basic thing applies for the change of "dog" to "eog". My hashes are completely different - as in "no chance the hashes were transferred by typing and a typo snuck in".

I've tried changing the first letter to a small 't' in case the author didn't hash the sentence with a capital, but that didn't resolve the problem, nor did adding a full stop. I even added the quotes to the string that whirlpool digested - didn't change anything. I know I could try changing the input until kingdom come without finding the error, so I left it at that.

I could however verify (using a few tests, if you want to call that "verifying") that the results were the same on both i386 and sparc64 platforms - but since the port was taken from NetBSD, there aren't any surprises in that.

Just to make things a little more complex, I encoded "Telegraph Road" off one of my Dire Straits CDs to mp3, hashed that with digest and compared the hash to the result a friend of mine got with Jacksum[1] on a Windows box. These were the same and Jacksum says the algorithm is WHIRLPOOL-2 (which is usually named without the number).

This may be only a small irritation but since we are talking about a security issue, I don't want to dismiss it too easily either.

Are there any opinions to this out there?

Regards
Chris

[1] http://www.jonelo.de/java/jacksum/