[cryptography] Oddity in common bcrypt implementation
James A. Donald
jamesd at echeque.com
Wed Jun 29 14:36:09 EDT 2011
On 2011-06-29 7:01 PM, Ian G wrote:
> On 28/06/11 1:01 PM, Paul Hoffman wrote:
>> And this discussion of ASCII and internationalization has what to do
>> with cryptography,
> I personally think this list is about users of crypto, rather than
> cryptographers-creators in particular. The former are mostly computer
> scientists who think in block-algorithm form, the latter are more the
> As a crypto-plumber (computer science user of crypto) I think it is
> impossible to divorce crypto from all the other security techniques. All
> the way up the stack.
Crypto plumbing is on topic. Thus password normalization is on topic.

One problem with Unicode is that identical characters often have
multiple codes, one for each character meaning.

Also, characters that are in some sense composite may be represented
either as two characters or as a single character.

Thus the exact same password string, in visible symbols, may have
multiple codes. The user types what he reasonably believes to be the
password, but it does not work!

Thus the password has to be normalized before being hashed.

Further, often variants of a single character with a single meaning
also have multiple codes - there is no sharp boundary between the
string and formatting information, though this is more a problem for
Unicode searching than for Unicode passwords.
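The normalization step discussed in the message above, as an added example that is not part of the original post: it enrolls one encoding of a password and verifies another, with no normalization, with NFC, and with NFKC. PBKDF2 from Python's standard library stands in for bcrypt, and the salt, function names and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import unicodedata
from typing import Optional

# Constructed fixed salt so the demo is repeatable; real systems use a random per-user salt.
SALT = b"constructed-salt"

def hash_password(password: str, form: Optional[str] = "NFKC") -> bytes:
    """Normalize (unless form is None), encode as UTF-8, then run the KDF.

    PBKDF2 is a stand-in for bcrypt here (assumption: standard library only).
    """
    if form is not None:
        password = unicodedata.normalize(form, password)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 10_000)

def verify(candidate: str, stored: bytes, form: Optional[str] = "NFKC") -> bool:
    """Constant-time comparison of the candidate's hash against the stored hash."""
    return hmac.compare_digest(hash_password(candidate, form), stored)

# Constructed pairs: (as enrolled, as typed later). Each pair renders alike.
PAIRS = {
    # Composite character: one precomposed code vs. base letter + combining accent.
    "composite": ("caf\u00e9", "cafe\u0301"),
    # Identical glyph with one code per meaning: OHM SIGN vs. GREEK CAPITAL OMEGA.
    "meaning": ("\u2126", "\u03a9"),
    # Formatting variant: the "fi" ligature vs. the two plain letters.
    "variant": ("\ufb01le", "file"),
}

def report() -> dict:
    """For each pair, does the typed form verify against the enrolled form?"""
    results = {}
    for label, (enrolled, typed) in PAIRS.items():
        results[label] = {
            str(form): verify(typed, hash_password(enrolled, form), form)
            for form in (None, "NFC", "NFKC")
        }
    return results

if __name__ == "__main__":
    for label, outcome in report().items():
        print(f"{label:10s} {outcome}")
```

Whichever form is chosen must be applied identically at enrollment and at every verification; changing it later invalidates stored hashes for any password the two forms treat differently.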