Hello Folks! For a special application I needed to create digests (or hashes) using the whirlpool algorithem. It was kind of hard to find something that actually did that. But I found digest in the ports tree - ok, with some help from someone who seemed to know what to look for. :-) What irritates me is the Wikipedia-page on Whirlpool: http://en.wikipedia.org/wiki/Whirlpool_%28algorithm%29 There is a chance that the author of the article messed up somehow but when you are handling sensitive stuff, chances aren't really the things you want to take. My irritations in detail: My zero-hash is the same as the example shown for whirlpool (whirlpool-2). That's a good sign so far. My hash for "The quick brown fox jumps over the lazy dog" is: 72687676756b91ad986f2e56df761b354b748bc20098354b017b924e82cc67ae 059da85f009d1a17c0f12ec0e644c0c3a193f3fc0fee22f053edbfcd95cbf873 And that is nowhere near the examples shown in the article. The same basic thing applies for the change of "dog" to "eog". My hashes are completely different - as in "no chance the hashes were transfered by typing and a typo snuck in". I've tried changing the first letter to a small 't' in case the author didn't hash the sentence with a capital, but that didn't resolve the problem, nor did adding a full stop. I even added the quotes to the string that whirlpool digested - didn't change anything. I know I could try changing the input until kingdom come without finding the error, so I left it at that. I could however verify (using a few tests, if you want to call that "veryfying") that the results were the same on both i386 and sparc64 plattforms - but since the port was taken from NetBSD, there aren't any surprises in that. Just to make things a little more complex, I encoded "Telegraph Road" off one of my Dire Straits CDs to mp3, hashed that with digest and compared the hash to the result a friend of mine got with Jacksum[1] on a Windows box. These were the same and Jacksum says the algorithm is WHIRLPOOL-2 (which is usually named without the number). This may be only a small irritation but since we are talking about a security issue, I don't want to dismiss it too easily either. Are there any opinions to this out there? Regards Chris [1] http://www.jonelo.de/java/jacksum/
On Tue, Jul 10, 2007 at 11:28:10AM +0200, Christian Baer wrote:> Hello Folks! > > For a special application I needed to create digests (or hashes) using > the whirlpool algorithem. It was kind of hard to find something that > actually did that. But I found digest in the ports tree - ok, with some > help from someone who seemed to know what to look for. :-) > > What irritates me is the Wikipedia-page on Whirlpool: > http://en.wikipedia.org/wiki/Whirlpool_%28algorithm%29 > > There is a chance that the author of the article messed up somehow but > when you are handling sensitive stuff, chances aren't really the things > you want to take. > > My irritations in detail: > > My zero-hash is the same as the example shown for whirlpool > (whirlpool-2). That's a good sign so far. > > My hash for "The quick brown fox jumps over the lazy dog" is: > 72687676756b91ad986f2e56df761b354b748bc20098354b017b924e82cc67ae > 059da85f009d1a17c0f12ec0e644c0c3a193f3fc0fee22f053edbfcd95cbf873 > And that is nowhere near the examples shown in the article. The same > basic thing applies for the change of "dog" to "eog". My hashes are > completely different - as in "no chance the hashes were transfered by > typing and a typo snuck in". I've tried changing the first letter to a > small 't' in case the author didn't hash the sentence with a capital, > but that didn't resolve the problem, nor did adding a full stop. I even > added the quotes to the string that whirlpool digested - didn't change > anything. I know I could try changing the input until kingdom come > without finding the error, so I left it at that.I think this illustrates what you're seeing... wxs@rst wxs > echo "The quick brown fox jumps over the lazy dog" > foo wxs@rst wxs > digest whirlpool foo WHIRLPOOL (foo) 72687676756b91ad986f2e56df761b354b748bc20098354b017b924e82cc67ae059da85f009d1a17c0f12ec0e644c0c3a193f3fc0fee22f053edbfcd95cbf873 wxs@rst wxs > echo -n "The quick brown fox jumps over the lazy dog" > wxs@rst wxs > digest whirlpool foo WHIRLPOOL (foo) b97de512e91e3828b40d2b0fdce9ceb3c4a71f9bea8d88e75c4fa854df36725fd2b52eb6544edcacd6f8beddfea403cb55ae31f03ad62a5ef54e42ee82c3fb35 wxs@rst wxs > It was including the trailing newline character in your example. -- WXS
Hi Christian, Christian Baer wrote:> My hash for "The quick brown fox jumps over the lazy dog" is: > 72687676756b91ad986f2e56df761b354b748bc20098354b017b924e82cc67ae > 059da85f009d1a17c0f12ec0e644c0c3a193f3fc0fee22f053edbfcd95cbf873 > And that is nowhere near the examples shown in the article.You have included the trailing newline in your hash calculation; the example in the article did not do this: echo The quick brown fox jumps over the lazy dog | openssl dgst -whirlpool (stdin)= 72687676756b91ad986f2e56df761b354b748bc20098354b017b924e82cc67ae059da85f009d1a17c0f12ec0e644c0c3a193f3fc0fee22f053edbfcd95cbf873 echo -n The quick brown fox jumps over the lazy dog | openssl dgst -whirlpool (stdin)= b97de512e91e3828b40d2b0fdce9ceb3c4a71f9bea8d88e75c4fa854df36725fd2b52eb6544edcacd6f8beddfea403cb55ae31f03ad62a5ef54e42ee82c3fb35 Greetings, Johan -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 155 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20070710/6beab4cb/attachment-0001.pgp
On Tue, 10 Jul 2007 12:26:44 +0200 Johan van Selst wrote:> You have included the trailing newline in your hash calculation; > the example in the article did not do this:Richt now I feel a bit like Homer Simpson: DOH! Great, I could of thought auf that by myself, but once again, finding the problem was like finding an elephant through a microscope. Thanks for straightening me out! :-)> echo The quick brown fox jumps over the lazy dog | openssl dgst -whirlpoolDid you install a port with an extended openssl or is there some trick to this? My manpage for openssl doesn't even include sha256, only md2, md5, mdc2, rmd160, sha (which will probably be sha-0) and sha1. Did I miss something? Regards Chris
Reasonably Related Threads
- Re: libvirt-1.1.2-r1 (Gentoo) fails to start LXC containers (subject line minor edit, was libvirt-1.2.2-r1)
- Chain-loading from WDS to PXELinux on a different tftp server
- Chain-loading from WDS to PXELinux on a different tftp server
- how to pick cipher for AES-NI enabled AMD GX-412TC SOC tincd at 100% CPU
- error with make clean in /usr/src