General Question About SHA-512 Calculator

Topic Author
Roboute Guilliman
Posts: 3
Joined: Mon May 02, 2016 1:41 am

General Question About SHA-512 Calculator

Postby Roboute Guilliman » Mon May 02, 2016 1:53 am

I'm less well versed in the specifics of the technology behind a lot of the stuff on here, and so was wondering if someone could answer a general question I had about the SHA-512 calculator. From my understanding, the point of the calculator is so that your personal token isn't ever released when connecting to a server. However, if what the calculator calculates remains constant over time, doesn't that in effect accomplish the same thing as merely connecting with your token? Since the token itself doesn't even have to be bought from Cryptostorm, adding another layer of anonymity, hypothetically Cryptostorm would have no idea who's using each token. If you then use the calculator, wouldn't this merely replace your token with what is calculated for when you connect? Then wouldn't the output be able to be tracked if you connected to a server, and then to something directly linked to your identity (i.e. bank account, email, etc.)? Thus isn't this the same risk as is with the token? Or is the calculator just adding another layer of anonymity? I'm just trying to understand a bit better how all of this technology works.

Thanks Guys


Roy Thinnes
Posts: 22
Joined: Mon Apr 18, 2016 2:50 pm

Re: General Question About SHA-512 Calculator

Postby Roy Thinnes » Mon May 02, 2016 4:38 am

Not too well versed myself, that seems a good question. Thanks for posing it, Roboute. I'm looking forward to the reply.

parityboy
Site Admin
Posts: 1012
Joined: Wed Feb 05, 2014 3:47 am

Re: General Question About SHA-512 Calculator

Postby parityboy » Mon May 02, 2016 5:13 am

@OP

The calculator is indeed adding on another layer of anonymity - don't forget, algorithms like SHA are one-way; there is no mathematical way to reverse the hash to determine the token.

The tokens are "pre-minted" and their hashes added to the database(s) on the exit nodes long before they are ever purchased. The hash you submit to the exit node is compared against the hashes in the database to see if it's valid or not.
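The lookup described in the post above, as an added example that is not part of the original post and is not cryptostorm's code. The token format, the `ExitNode` class and the `seen` list are assumptions made for illustration; only the idea (hashes pre-loaded on the node, the submitted hash checked against them) comes from the thread.

```python
import hashlib
import secrets


def token_hash(token: str) -> str:
    """What a SHA-512 calculator outputs: the hex digest of the token string."""
    return hashlib.sha512(token.encode("utf-8")).hexdigest()


def mint_tokens(count: int) -> list:
    """Vendor side: constructed random tokens (the format is an assumption)."""
    return [secrets.token_urlsafe(24) for _ in range(count)]


class ExitNode:
    """Hypothetical node that is only ever given hashes, never tokens."""

    def __init__(self, hashes):
        self._valid = set(hashes)
        self.seen = []  # what the node is able to observe per connection

    def authenticate(self, submitted_hash: str) -> bool:
        self.seen.append(submitted_hash)
        return submitted_hash in self._valid


def demo() -> dict:
    tokens = mint_tokens(3)                       # minted before any sale
    node = ExitNode(token_hash(t) for t in tokens)
    mine = tokens[0]
    first = node.authenticate(token_hash(mine))   # session 1
    second = node.authenticate(token_hash(mine))  # session 2
    forged = node.authenticate(token_hash("not-a-real-token"))
    return {
        "valid_accepted": first and second,
        "forged_accepted": forged,
        # SHA-512 is deterministic: the node sees the same value every session
        "same_identifier_each_session": node.seen[0] == node.seen[1],
        # the token itself is absent from the node's database
        "node_stores_token": mine in node._valid,
    }


if __name__ == "__main__":
    print(demo())
```

The submitted hash is the same on every connection, so it works as a stable pseudonym for the token; what hashing changes is that the node's database never contains the token that was sold.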


Roy Thinnes
Posts: 22
Joined: Mon Apr 18, 2016 2:50 pm

Re: General Question About SHA-512 Calculator

Postby Roy Thinnes » Mon May 02, 2016 5:51 am

I've been reading hashes are not one-way...if you have the cash to blow on high end GPUs. And the original pass is not too long.

*lightbulb moment*

Belt and braces. I think I'm getting it. It wouldn't really matter if your hash was 'cracked'. The hash only says "Hi, it's really me, the buyer (authentication)", and if no IP/sites visited are logged, and only one(ish) connection is allowed at a time, then there'd be no overlap between the attacker and the valid user even if an association was made and 'they' listened in... am I close?


Roy Thinnes
Posts: 22
Joined: Mon Apr 18, 2016 2:50 pm

Re: General Question About SHA-512 Calculator

Postby Roy Thinnes » Mon May 02, 2016 6:05 am

...and I see no table for SHA-512, just 1 and md5...ooooooooooohhhh. :clap:

parityboy
Site Admin
Posts: 1012
Joined: Wed Feb 05, 2014 3:47 am

Re: General Question About SHA-512 Calculator

Postby parityboy » Tue May 03, 2016 7:15 am

@Roy Thinnes

Hashes are one way. :) What you're talking about are rainbow tables, which are pre-computed hashes of well-known words and phrases, scraped from dictionaries and websites.

This is why websites will prepend or append a random salt to a password before hashing it, because the resulting hash will not be in any rainbow table.

As for correlation, you are somewhat correct. The exit nodes hold token hashes, Cryptostorm and their resellers hold and sell tokens. Even if two different users were sold the same token from the same vendor (or a token was copied/stolen in some way) all it would say is that two users are sharing a token. That's it.
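The precomputation and salting point from the post above, as an added example that is not part of the original post. It uses a plain precomputed lookup table as a stand-in for a rainbow table (real rainbow tables compress the same idea with hash chains); the word list, salt size and token format are constructed for illustration.

```python
import hashlib
import secrets

WORDLIST = ["password", "letmein", "qwerty", "dragon", "hunter2"]  # constructed


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def build_table(words) -> dict:
    """Precompute digest -> word once; reusable against any unsalted hash."""
    return {sha512_hex(w.encode()): w for w in words}


def salted_hash(password: str, salt: bytes) -> str:
    """Website-style storage: a random salt is prepended before hashing."""
    return sha512_hex(salt + password.encode())


def redo_per_salt(words, salt: bytes, digest: str):
    """With the salt known, every guess must be rehashed for this one entry."""
    for w in words:
        if salted_hash(w, salt) == digest:
            return w
    return None


def demo() -> dict:
    table = build_table(WORDLIST)
    salt = secrets.token_bytes(16)
    salted = salted_hash("hunter2", salt)
    token = secrets.token_urlsafe(24)  # constructed random token, 192 bits
    return {
        # a common word hashed without a salt is already in the table
        "unsalted_lookup": table.get(sha512_hex(b"hunter2")),
        # the same word with a random salt is not
        "salted_lookup": table.get(salted),
        # a random token is in no word list, salted or not
        "random_token_lookup": table.get(sha512_hex(token.encode())),
        # the salt removes the precomputation, not the weakness of the word
        "salted_after_rework": redo_per_salt(WORDLIST, salt, salted),
    }


if __name__ == "__main__":
    print(demo())
```

A salt forces the work to be redone per entry but does not protect a guessable input; a long random token stays out of any table because it is never in a word list to begin with.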


Topic Author
Roboute Guilliman
Posts: 3
Joined: Mon May 02, 2016 1:41 am

Re: General Question About SHA-512 Calculator

Postby Roboute Guilliman » Tue May 03, 2016 7:33 am

I'm not so worried about someone backing out my token by using what the calculator calculates, I'm confident in my admittedly limited knowledge of the coding behind it to agree with you that I don't think they could do it. My worry is that by connecting with the hash and then something directly linked to your identity, it'd in effect be a way to deanonymize it. Quite possibly I'm just simply not thinking about this correctly. I just am trying to work out the scale of anonymity in using a purchased token along with the calculator to connect to the network.


Roy Thinnes
Posts: 22
Joined: Mon Apr 18, 2016 2:50 pm

Re: General Question About SHA-512 Calculator

Postby Roy Thinnes » Tue May 03, 2016 12:37 pm

@parityboy

Cheers, PB. I'll continue my seemingly endless pursuit to understand this shit fully with your corrections in mind. :)


hashtable
Posts: 39
Joined: Sat Mar 26, 2016 4:27 pm

Re: General Question About SHA-512 Calculator

Postby hashtable » Fri May 06, 2016 11:22 am

@Roboute Guilliman - yes it effectively is the same as logging in with the token without being hashed. But, let's say someone tried to bruteforce entry into the network. Considering we don't use passwords, the length of the username needs to be significantly long in order to use it as the main method of verification. Hashing the token also makes it a little more difficult for anyone who might be trying to intercept traffic or who has compromised a server. Without tokens it makes it even that much more difficult as well, even if it's impossible to know either way, it feels better having it hashed. Like putting a comfy pillow on a wooden chair, I like the extra padding. If they have the tokens, they can hash them and figure it out, but in any scenario it requires more time, effort, and energy. I assume it's annoying at least.

If there are any questions regarding the website code used to hash the tokens, I can say with absolute certainty it's legit. You can download the website on GitHub and use the hasher on your local machine without an internet connection. And the source code is there - math is math - just in case anyone feels weird about hashing something on a website instead of locally.


hashtable
Posts: 39
Joined: Sat Mar 26, 2016 4:27 pm

Re: General Question About SHA-512 Calculator

Postby hashtable » Fri May 06, 2016 7:51 pm

Roboute Guilliman wrote: I'm not so worried about someone backing out my token by using what the calculator calculates, I'm confident in my admittedly limited knowledge of the coding behind it to agree with you that I don't think they could do it. My worry is that by connecting with the hash and then something directly linked to your identity, it'd in effect be a way to deanonymize it. Quite possibly I'm just simply not thinking about this correctly. I just am trying to work out the scale of anonymity in using a purchased token along with the calculator to connect to the network.


The tokens are only used locally on your machine and inside the server itself. All traffic is encrypted; to the best of my (rather limited) knowledge, OpenVPN uses the TLS protocol, which is the same as HTTPS, which means that the 'token' - hashed or otherwise - shouldn't be visible to anyone attempting to eavesdrop between you and CS's server. If anyone is mapping metadata - it's that you're connecting to CS's server, which is an unavoidable consequence of using the internet. But they shouldn't have access to the token unless they've PHYSICALLY hijacked a bare metal :twisted:


Topic Author
Roboute Guilliman
Posts: 3
Joined: Mon May 02, 2016 1:41 am

Re: General Question About SHA-512 Calculator

Postby Roboute Guilliman » Sat May 07, 2016 7:09 pm

Alright cool guys that makes my understanding a bit more clear. Thanks very much

