0

Let's say I have a binary string s, that is generated by a cryptographically secure random byte generator, and a hash function SHA-256.

I am using the hash h=sha256(s) as a one-time password verifier and send it to the server, how many bits of security does this provide?

I guess the question is how easy it is to find a preimage of h, and the security margin from sha256 seems to be 2^254.9 according to Wikipedia, am I correct in that assumption?

Does anything change if 256 bits of a 512-bit string are already known? Does this make it easier to find a preimage?

schroeder
  • 129,372
  • 55
  • 299
  • 340
Gamer2015
  • 727
  • 6
  • 12
  • I'm confused by a number of statements. (1) "I am using the hash h=sha256(s) as a one-time password verifier". How is that a 1-time password? How is the server using that as a verification? (2) "how easy it is to find a preimage of h". Where does the hash source (preimage) come into play here? Does the server already have h? If so why? General , I understand the mathematics but I don't understand the intended purpose or use? – user10216038 May 29 '21 at 17:06
  • The hash, h, is sent to the server to be stored as a validator. The source, s, is given to another service/person as a one-time authentication key. The key can be validated by the server by hashing it. If it matches any validators then the related permissions are granted. After a validator, like h, is used, h is removed as validator and it is no longer possible to use that key to get the permissions. – Gamer2015 May 29 '21 at 17:57
  • 1
    Now I understand, thank you. One small point, although extremely unlikely, instead of "If it matches any validators", the validator should be paired with account ID just like a password. That will lessen the dependency on the global uniqueness of the validator algorithm. Part and parcel there should probably be a time out associated, making a Triplet of: ID, Validator, Time. – user10216038 May 30 '21 at 15:26

1 Answers1

0

The security of this approach is 2^256, or the entropy of the input, whichever is smaller. The preimage security of SHA-256 is 2^256 (note that the attack you linked to is on a reduced-round version, so it's not applicable to the full SHA-256). However, if your input s contains less than 256 bits of entropy, then it would be easier to search the input domain, and your scheme would have as much security as the entropy in s. That could be the case if you used a 128-bit s, for example.

If s is a 512-bit string and 256 bits are known, then the security is still 2^256, since it has 256 unknown bits.

bk2204
  • 9,434
  • 22
  • 20