For example, the hash value generated by sha-256 is directly used for a particular byte array like this.

```cpp
void Run(CryptoArray& plain, CryptoArray& key)
{
  uint8_t *hash = Sha256::FromArray(key.getArray(), key.getSize());
  size_t round = plain.getSize() / 8;
  size_t remain = plain.getSize() % 8;
  for (size_t i = 0; i < round; i++)
    ((uint64_t *)plain.getArray())[i] ^= ((uint64_t *)hash)[i % 8];

  uint8_t *arr = plain.getArray() + round * 8;
  for (size_t i = 0; i < remain; i++)
    arr[i] ^= hash[i];
}
```

If the 2^2048-bit computer is invented (or using the biginteger) in the distant future, this problem is parallelized and can be easily solved. However, I know that both this simple-hash-crypto function and the common cryptographic function are intended to make it difficult to get the most out of the password.

If so, have developers added several additional features to increase the time it takes to get your passwords using these features (AES, DES, ...)? If not, is there a fatal problem with using the hash function alone? All the programs I saw did not use the hash function like this.

rollrat
  • 1
    Basically, you have a [stream cipher](https://en.wikipedia.org/wiki/Stream_cipher) with a very, very non-random keystream. – Igor Tandetnik Feb 22 '18 at 13:58
  • 1
    You also have a buffer overrun. You treat `hash` as an array of 8 64-bit values - that's 512 bit, whereas Sha-256 produces 256 bits (hence the name). – Igor Tandetnik Feb 22 '18 at 14:06
  • 2
    I don't understand what you're asking? Hashing and encryption are 2 fundamentally different forms of encoding data. They have different behaviours and different uses. Either way, your question has nothing to do with any specific language, regardless of your inclusion of C++ code. – Disillusioned Feb 22 '18 at 14:08
  • Sorry, I edited my question. – rollrat Feb 22 '18 at 14:13
  • 1
    You know there are dedicated [security](https://security.stackexchange.com/) and [crypto](https://crypto.stackexchange.com/) sister sites, right? This is in no way a programming question. – Useless Feb 22 '18 at 14:43
  • When saving a password verifier, just using a hash function is not sufficient, and just adding a salt does little to improve the security. Instead, iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Better yet, use a function such as `PBKDF2`, `Rfc2898DeriveBytes`, `Argon2`, `password_hash`, `Bcrypt` or similar functions. The point is to make the attacker spend a substantial amount of time finding passwords by brute force. – zaph Feb 22 '18 at 15:48
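
An added example, not code from the question or its comments, showing why the scheme above gives no confidentiality: once the indexing is bounds-correct, the 32-byte digest is a keystream that repeats every 32 bytes, so 32 bytes of predictable plaintext reveal it. The function names, `SampleDigest()` (a constructed stand-in for `Sha256::FromArray(key)`) and the message contents are assumptions made for the illustration.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;
using Digest = std::array<uint8_t, 32>;  // SHA-256 yields 32 bytes, not 64

// Bounds-correct form of the question's Run(): byte i is XORed with
// digest[i % 32], so nothing is read past the end of the digest.
Bytes HashXor(Bytes data, const Digest& d)
{
  for (size_t i = 0; i < data.size(); i++)
    data[i] ^= d[i % d.size()];
  return data;
}

// Ciphertext XOR known plaintext = keystream. 32 known bytes give back the
// whole digest without the key; the caller must supply at least 32 bytes of each.
Digest KeystreamFromKnownPrefix(const Bytes& cipher, const Bytes& known)
{
  Digest d{};
  for (size_t i = 0; i < d.size(); i++)
    d[i] = static_cast<uint8_t>(cipher[i] ^ known[i]);
  return d;
}

// Constructed stand-in for Sha256::FromArray(key): any fixed 32 bytes behave alike here.
Digest SampleDigest()
{
  Digest d{};
  for (size_t i = 0; i < d.size(); i++)
    d[i] = static_cast<uint8_t>(0xA5 ^ (i * 37));
  return d;
}

// Constructed message: a predictable 32-byte header, then a body meant to stay secret.
std::string RecoverBodyWithoutKey()
{
  const std::string header = "Content-Type: text/plain; v=001\n";
  const std::string msg = header + "pin=4921; do not share this";
  Bytes cipher = HashXor(Bytes(msg.begin(), msg.end()), SampleDigest());
  Digest ks = KeystreamFromKnownPrefix(cipher, Bytes(header.begin(), header.end()));
  Bytes plain = HashXor(cipher, ks);
  return std::string(plain.begin() + header.size(), plain.end());
}

int main() { std::cout << RecoverBodyWithoutKey() << "\n"; }
```

The recovery never touches the key or the hash function, which is why a stronger hash does not help; an authenticated cipher with a fresh nonce per message avoids the repeating keystream.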

1 Answer

2

I think reading up on the differences between Hashes and Encryption algorithms will be helpful.

user3112728