Sony Finally Explains PSN Data Encryption, or Lack Thereof
Sony has once again commented on the PSN outage and hacking incident. But this time we got a little more technical information than previous disclosures offered. Contrary to past reports, Sony claims that passwords were not stored in plain text, or in any easily accessible form. They were not encrypted, but were rather "transformed using a cryptographic hash function." Well, it's better than nothing.
A hashed password is reasonably secure, but in a different way from an encrypted one. A cryptographic hash is one-way: there is no key to recover, and nobody can work backwards from the stored hash to the password. What an attacker holding the hashes can do is guess: hash candidate passwords (a dictionary, a brute-force run, or a precomputed rainbow table) and compare the results against the dump. If each password was not combined with a unique salt before hashing (Sony's statement does not say either way), one precomputed table would expose every user whose password appears in it. Encryption, by contrast, is reversible by design: an encrypted password is protected only as long as the key stays out of the attacker's hands, and if the key was stored alongside the data, every password falls at once. So the hashes keep strong, uncommon passwords safe, but anyone using a weak or reused PSN password should still change it.
Sony also clarified the situation with credit card numbers. They say that this information, unlike the passwords, was encrypted. Additionally, the card security code that most sites ask for at checkout was not stored at all. An attacker who took the encrypted table would need the key to read the numbers and would still lack the security code, but Sony is cautioning users to watch their statements anyway.
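The difference between the storage choices discussed above is easier to see by attacking a dump of each. The following is an added example written for this page, not code from the article or from Sony; the account names, passwords, attacker wordlist and key are constructed, and the "encryption" is a toy XOR keystream used only because it is reversible, not a cipher for real use. SHA-1 stands in for whatever fast hash Sony may have used, which the article does not identify.

```python
"""Added example (not the article's or Sony's code): what an attacker who
steals a password database can do under the three storage choices the
article discusses.  Accounts, passwords, wordlist and key are constructed."""
from __future__ import annotations

import hashlib
import os

# Constructed sample accounts; "carol" uses a password no wordlist contains.
USERS = {"alice": "password1", "bob": "letmein", "carol": "Xk9#vQ2!mT7p"}
# Constructed attacker wordlist (real ones hold millions of entries).
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "dragon"]


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 keystream.  It stands in for
    'encryption' only to show that encryption is reversible with the key;
    it is not a cipher to use for anything real."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_db(key: bytes) -> dict[str, bytes]:
    """Password table as Sony's statement says it was NOT stored."""
    return {u: _keystream_xor(key, p.encode()) for u, p in USERS.items()}


def recover_encrypted(key: bytes, db: dict[str, bytes]) -> dict[str, str]:
    """Attacker who obtained the key with the dump reads every password,
    strong or weak, without guessing anything."""
    return {u: _keystream_xor(key, c).decode() for u, c in db.items()}


def unsalted_hash(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(salt: bytes, password: str) -> str:
    return hashlib.sha1(salt + password.encode()).hexdigest()


def hash_db_unsalted() -> dict[str, str]:
    return {u: unsalted_hash(p) for u, p in USERS.items()}


def hash_db_salted() -> dict[str, tuple[bytes, str]]:
    db = {}
    for u, p in USERS.items():
        salt = os.urandom(16)  # per-user random salt, stored beside the hash
        db[u] = (salt, salted_hash(salt, p))
    return db


def crack_unsalted(db: dict[str, str]) -> tuple[dict[str, str], int]:
    """Dictionary attack: hash each guess once, then look every account up
    in the table.  Cost is one hash per guess regardless of user count;
    a rainbow table is this table precomputed before the breach."""
    table = {unsalted_hash(w): w for w in WORDLIST}
    found = {u: table[h] for u, h in db.items() if h in table}
    return found, len(WORDLIST)


def crack_salted(db: dict[str, tuple[bytes, str]]) -> tuple[dict[str, str], int]:
    """With a unique salt per account the table cannot be shared: every
    guess must be rehashed for every account, so cost scales with both."""
    found, work = {}, 0
    for u, (salt, h) in db.items():
        for w in WORDLIST:
            work += 1
            if salted_hash(salt, w) == h:
                found[u] = w
                break
    return found, work


if __name__ == "__main__":
    key = os.urandom(32)
    print("encrypted + key :", recover_encrypted(key, encrypt_db(key)))
    print("unsalted hash   :", crack_unsalted(hash_db_unsalted()))
    print("salted hash     :", crack_salted(hash_db_salted()))
```

Running it shows the shape of the problem: with the key, the encrypted table gives up all three passwords at once; the unsalted hashes give up the two weak passwords after hashing the wordlist a single time; the salted hashes give up the same two, but only after rehashing the wordlist for each account, and the strong password survives both hash attacks. Salting multiplies the attacker's work by the number of accounts, which is not enough on its own against a fast hash like SHA-1 on modern hardware; a deliberately slow, salted construction (bcrypt, scrypt or PBKDF2) is what makes guessing expensive per password.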
Comments
aarcane
May 02, 2011 at 6:14pm
With today's distributed botnets, an encrypted password is less secure than a salted hash in this case. The reason being that if the attackers got just ONE known password, they can reverse the key and recover ALL the passwords. Conversely, if the attackers acquired hashed passwords, the best they could hope to do is recover the hash and identify the hash algorithm. They would still have to hope that the hashes weren't unique per password, and if the hashes were unique, they would still have nothing. Assuming unsalted, or single-hash passwords, they could at best generate a rainbow table and hope for hits, or run a brute-force attack.
greencpu
May 02, 2011 at 3:40pm
I just hope it was a salted hash. Otherwise a rainbow table would probably reveal the passwords.
aca20031
May 02, 2011 at 3:33pm
Sorry but unless I missed something, a cryptographic hash is much more secure than simply encrypting the password.
A hash cannot be reversed, and to verify that you are who you say you are, your proposed password is hashed and then compared to the stored hash. Encryption is LESS secure because it is designed to be reversible given the key. A hash doesn't need to be reversed.
I'm happy to hear PSN did this; not hashing the password was one of the main reasons I was upset in hearing they "have our password" -- a strange way to phrase them having a pass. They would have to use brute force, dictionary, or rainbow tables to find out our real passwords.
leetNightshade
May 03, 2011 at 9:59am
I was thinking to myself, isn't hashing in a way a form of encryption, and why is this writer trying to tell me it's inferior and you can find the original pw? I was afraid I would have to try to write a post correcting him on this, so thanks for your clear post.
BrandNewJesus
May 02, 2011 at 3:53pm
Yeah, as a Security Now listener, I think you are correct, sir.
Just listen to the SN podcast on LastPass... That should get everyone familiar with hashing.