Re: Key fingerprints (not the DNS kind)

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Sun, Nov 9, 2014 at 7:11 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
> On Mon, 10 Nov 2014, Damien Miller wrote:
>
>> I'm not so concerned about how to display the new fingerprints. Say
>> we choose SHA512/224, which yields a 28 byte hash. Rendering this as
>> base64 gives us a 38 character string, well shorter than our current
>> key fingerprints. (e.g. "GIeKHpiBrP7zaEf7Blicgvez5JceCBfSaESlkA")
>
> Actually, better still would be embeddeding an algorithm identifier at
> the start of the hash, i.e. "A:GIeKHpiBrP7zaEf7Blicgvez5JceCBfSaESlkA"
> in case some time in the distant future we need to rotate away from
> whatever we choose to replace MD5.
>

That's always a good idea, but try not to reinvent the wheel too much
here: http://hashcat.net/wiki/doku.php?id=example_hashes
There's no m5(sha512(word)) but $foo$fpr or $foo$host$fpr should maybe be used?
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux