-2
\$\begingroup\$

So you are tasked with creating an open source password authentication system but you want to reveal as little about the implementation of the hash function as possible. Can you write a function that takes in a password string and a salt string and outputs a salted hash string without revealing the hashing function?

End date: 6th of July

Popularity contest: So whoever is voted as hardest to figure out the hashing method.

Restriction: Must use an accepted as secure hashing function

Improve this question
\$\endgroup\$
12
  • \$\begingroup\$ What do you mean "without revealing the salt"? So you mean that the salt should be static and hard-coded, or that it should be dynamic - in which case you'd get a different response every time you called the function \$\endgroup\$ Commented Jun 24, 2014 at 15:55
  • 6
    \$\begingroup\$ This question makes no sense. The salt should be an input. \$\endgroup\$ Commented Jun 24, 2014 at 15:55
  • \$\begingroup\$ @PeterTaylor Didn't think about that correctly. Yeah the salt string is an input \$\endgroup\$ Commented Jun 24, 2014 at 17:32
  • 2
    \$\begingroup\$ @inquisitiveIdiot Security through obscurity? I'm sure that'll work out just great... \$\endgroup\$ Commented Jun 24, 2014 at 19:25
  • 1
    \$\begingroup\$ @inquisitiveIdiot I disagree on your open source standpoint; making something like RSA public only makes it more secure as the public can scrutinize it \$\endgroup\$ Commented Jun 25, 2014 at 9:30

3 Answers 3

Reset to default
3
\$\begingroup\$

Python 3

Uninspired solution - hide your hash function with hash-looking code

import base64

a = b'66726F6D20686173686C696220696D706F72742A3B7072696E74287368613235'
b = b'3628627974657328696E70757428292B696E70757428292C277574662D382729'
c = b'292E686578646967657374282929232048656C6C6F2074686572652021402324'

exec(base64.b16decode(a+b+c))
Improve this answer
\$\endgroup\$
4
  • \$\begingroup\$ That's not a hash function - that's just base 16. \$\endgroup\$ Commented Jun 25, 2014 at 2:05
  • \$\begingroup\$ @sdamashek it must be hidden too well... that's actually sha256. \$\endgroup\$ Commented Jun 25, 2014 at 3:34
  • \$\begingroup\$ @primo oops, I didn't actually check the decoded result. :P \$\endgroup\$ Commented Jun 26, 2014 at 4:28
  • \$\begingroup\$ SHA-256 is a secure hash function, but not a secure password hash function. \$\endgroup\$ Commented Aug 26, 2014 at 18:05
3
\$\begingroup\$

Ruby

Need a way to obfuscate your choice of hashing function? Why not use a hashing function?

require 'digest'

three_card_monte = %w[SHA1 MD5 RMD160]

part1, part2 = three_card_monte.repeated_permutation(2).find{|x,y|Digest(x).base64digest(y)[/tada!?/i]}

part2.send( ('mode'..$&).find{|x|Digest(part1).base64digest(x)[/\d\dSXQ/]}<<$&.to_i.chr)

puts Digest(part2).base64digest(gets+gets)
Improve this answer
\$\endgroup\$
1
0
\$\begingroup\$

Python

This one is not a hashing function, takes no salt, and is completely insecure, but can you tell what it is?

def f(x):
    a,b=ord(x),ord(x)+13
    if not (97<=a<=122 or 65<=a<=90):return x
    if (65<=a<=90 and b>90) or b>122: b-=26
    return chr(b)
print(''.join(f(i) for i in input()))

It's rot13

Here is an actual hashing function.

import hashlib
salt = b'cHJpbnQoaGFzaGxpYi5zaGEyNTYoYnl0ZXMoaW5wdXQoKStpbnB1dCgpLCd1dGYtOCcpKS5oZXhkaWdlc3QoKSkKZXhpdCgp';import base64;exec(base64.b64decode(salt))
print(hashlib.md5(bytes(input(), 'utf-8') + salt).hexdigest())

Note that it is not md5 and it does not use a hard coded salt. Based on qwr's solution.

Improve this answer
\$\endgroup\$
1

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.