[cryptography] Oddity in common bcrypt implementation

Marsh Ray marsh at extendedsubset.com
Tue Jun 28 13:43:19 EDT 2011

On 06/28/2011 12:01 PM, Paul Hoffman wrote:
> And this discussion of ASCII and internationalization has what to do
> with cryptography, asks the person on the list who is probably
> most capable of arguing about it but won't? [1]

It's highly relevant to the implementation of cryptographic systems as 
Nico mentioned because interoperability depends on it and the nature of 
cryptographic authentication systems tends to obscure the problems.

Sometimes security vulnerabilities result. The old LM LanMan password 
hashing scheme uppercased everything for no good reason. Perhaps they 
did it out of the desire to avoid issues with accented lower case 

Look at these test vectors for PBKDF2:

None of them have the high bit set on any password character! Seems like 
there was a recent bcrypt implementation issue that escaped notice for a 
long time due to test vectors having this same property and some 
cryptographically weak credentials were issued as a result.

1 of 8 bits of the key material is strongly biased towards 0. This loss 
of entropy is especially significant when the entirety of the input is 
limited to 8 or so chars as is common.

Wow, this sounds a lot like the way 64-bit DES was weakened to 56 bits.

- Marsh
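
The following is an added example, not part of the original post and not code from any bcrypt implementation. It models one assumed way a defect can hide behind test vectors whose characters never have the high bit set: key bytes read as signed values while being packed into 32-bit words. The function names and sample passwords are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pack the first four key bytes (cycling over the key) into one 32-bit word,
 * as a Blowfish-style key schedule does. sign_extend=1 models the bug class:
 * the byte is read as a signed char, so 0x80..0xFF becomes 0xFFFFFF80..0xFFFFFFFF
 * and the OR overwrites the bytes packed before it. */
static uint32_t pack_word(const char *key, int sign_extend)
{
    size_t len = strlen(key);
    uint32_t w = 0;
    if (len == 0)
        return 0;
    for (size_t i = 0; i < 4; i++) {
        char c = key[i % len];
        uint32_t b = sign_extend ? (uint32_t)(int32_t)(signed char)c
                                 : (uint32_t)(unsigned char)c;
        w = (w << 8) | b;
    }
    return w;
}

/* Returns 1 if at least one test password makes the two variants disagree,
 * i.e. the test suite would have caught the defect. */
static int suite_detects_bug(const char *const *pw, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (pack_word(pw[i], 0) != pack_word(pw[i], 1))
            return 1;
    return 0;
}

/* Constructed sample passwords, not taken from any published vector set. */
static const char *const ascii_only[] = { "password", "abcd", "Zq9!" };
static const char *const with_high_bit[] = { "password", "ab\xa3z" };

int main(void)
{
    printf("ASCII-only suite detects bug: %d\n", suite_detects_bug(ascii_only, 3));
    printf("High-bit suite detects bug:   %d\n", suite_detects_bug(with_high_bit, 2));
    /* Two different passwords collapse to the same word in the buggy variant. */
    printf("buggy(ab\\xa3z)=%08x buggy(xy\\xa3z)=%08x\n",
           (unsigned)pack_word("ab\xa3z", 1), (unsigned)pack_word("xy\xa3z", 1));
    return 0;
}
```

A test suite for a password hash should therefore include at least one vector with bytes in the 0x80..0xFF range, checked against an independent implementation.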
