[cryptography] Oddity in common bcrypt implementation

James A. Donald jamesd at echeque.com
Wed Jun 29 14:36:09 EDT 2011


On 2011-06-29 7:01 PM, Ian G wrote:
> On 28/06/11 1:01 PM, Paul Hoffman wrote:
>> And this discussion of ASCII and internationalization has what to do
>> with cryptography,
>
> I personally think this list is about users of crypto, rather than
> cryptographers-creators in particular. The former are mostly computer
> scientists who think in block-algorithm form, the latter are more the
> mathematicians.
>
> As a crypto-plumber (computer science user of crypto) I think it is
> impossible to divorce crypto from all the other security techniques. All
> the way up the stack.

Crypto plumbing is on topic.  Thus password normalization is on topic.

One problem with unicode is that identical characters often have 
multiple codes, one for each character meaning.

Also, characters that are in some sense composite may be represented 
both as two characters, or as a single character.

Thus the exact same password string, in visible symbols, may have 
multiple codes.  The user types what he reasonably believes to be the 
password, but it does not work!

Thus the password has to be normalized before being hashed.

Further, often variants of a single character with a single meaning 
also have multiple codes - there is no sharp boundary between the 
string, and formatting information, though this is more a problem for 
unicode searching, than for unicode passwords.
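
The normalization step described in the message above, as an added example that is not part of the original post: three constructed encodings of the same visible password are mapped to one byte string before hashing. PBKDF2 from the Python standard library stands in for bcrypt here, and the salt, sample passwords and function names are assumptions made for the demo.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample inputs: three code point sequences that all render as "Ångström".
VARIANTS = {
    "precomposed U+00C5": "\u00c5ngstr\u00f6m",
    "decomposed A + U+030A": "A\u030angstro\u0308m",
    "angstrom sign U+212B": "\u212bngstr\u00f6m",
}

SALT = b"constructed-demo-salt"  # fixed only so the demo is reproducible


def normalize_password(password: str, form: str = "NFC") -> bytes:
    """Map equivalent strings to one code point sequence, then encode as UTF-8."""
    return unicodedata.normalize(form, password).encode("utf-8")


def hash_password(password: str, normalize: bool = True) -> bytes:
    """Hash with PBKDF2 (stand-in for bcrypt); normalize=False hashes the raw input."""
    data = normalize_password(password) if normalize else password.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, SALT, 10_000)


def verify(stored: bytes, attempt: str, normalize: bool = True) -> bool:
    """Constant-time comparison of the stored hash with the hash of the attempt."""
    return hmac.compare_digest(stored, hash_password(attempt, normalize))


def distinct_hashes(normalize: bool) -> int:
    """Count how many different hashes the visually identical variants produce."""
    return len({hash_password(p, normalize) for p in VARIANTS.values()})


if __name__ == "__main__":
    for label, pw in VARIANTS.items():
        print(f"{label:24} raw={pw.encode('utf-8').hex()} "
              f"nfc={normalize_password(pw).hex()}")
    print("distinct hashes without normalization:", distinct_hashes(False))
    print("distinct hashes with NFC normalization:", distinct_hashes(True))
    # Compatibility variants (here the U+FB01 ligature) survive NFC but fold under NFKC.
    print("NFC :", normalize_password("\ufb01sh", "NFC"))
    print("NFKC:", normalize_password("\ufb01sh", "NFKC"))
```

The same normalization form has to be applied both when the password is set and on every later verification, otherwise existing hashes stop matching.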





