Filip/matrix-spec
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-spec synced 2026-04-21 18:24:16 +02:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

*@hobnobbob.com is unlikely to be guessed

Browse source
This commit is contained in:
Andrew Morgan 2019-07-25 19:03:43 +01:00
parent 0ac70b268a
commit 6119b9a50d
1 changed files with 6 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
proposals/2134-identity-hash-lookup.md
View file

@ -34,9 +34,9 @@ The rainbow table attack is not perfect, because one does need to know email
addresses and phone numbers to build it. While there are only so many addresses and phone numbers to build it. While there are only so many
possible phone numbers, and thus it is relatively inexpensive to generate the possible phone numbers, and thus it is relatively inexpensive to generate the
hash value for each one, the address space of email addresses is much, much hash value for each one, the address space of email addresses is much, much
wider. If your email address is decently long and is not publicly wider. If your email address is not share a common mailserver, decently long
known to attackers, it is unlikely that it would be included in a rainbow or is not publicly known to attackers, it is unlikely that it would be
table. included in a rainbow table.
Thus the approach of hashing, while adding complexity to implementation and Thus the approach of hashing, while adding complexity to implementation and
resource consumption of the client and identity server, does provide added resource consumption of the client and identity server, does provide added
@ -306,8 +306,9 @@ for the `v1` endpoints, and are strongly encouraged to warn the user of this.
Hashes are still reversible with a rainbow table, but the provided pepper, Hashes are still reversible with a rainbow table, but the provided pepper,
which can be rotated by identity servers at will, should help mitigate this. which can be rotated by identity servers at will, should help mitigate this.
Phone numbers (with their relatively short possible address space of 12 Phone numbers (with their relatively short possible address space of 12
numbers), short email addresses, and addresses of both type that have been numbers), short email addresses at popular domains, and addresses of both
leaked in database dumps are more susceptible to hash reversal. type that have been leaked in database dumps are more susceptible to hash
reversal.
Mediums and peppers are appended to the address as to prevent a common prefix Mediums and peppers are appended to the address as to prevent a common prefix
for each plain-text string, which prevents attackers from pre-computing bits for each plain-text string, which prevents attackers from pre-computing bits