spf-discuss

RE: BASE64 encoding of SRS hash may not work with some mail servers

2004-05-05 18:13:43
From: Michael R. Brumm
Sent: Wednesday, May 05, 2004 7:23 PM

<...>

Let's see:
 40-bit hash =  7 base64 chars =  8 base32 chars = 10 hex chars
 80-bit hash = 14 base64 chars = 16 base32 chars = 20 hex chars
120-bit hash = 21 base64 chars = 24 base32 chars = 30 hex chars

How long are you guys planning to make those hashes? I'd say that
for 80-bits or less, hex is the least problematic.

Since SRS recommends four base-64 digits, we're only talking about 24-bit
hashes.  Much ado about nothing, as the big guy said.

4 base-64 digits = 24-bit hash
5 base-32 digits = 25-bit hash
6 base-16 digits = 24-bit hash

For one or two characters, why sweat all the work to produce a hash in
base-64 that can withstand case mangling, as we currently do?  You have to
first reduce the string you are hashing to lower case, compute the hash and
represent it as base-64.  When verifying, you have to compare the hash in a
case insensitive manner.  This actually reduces the strength of the hash
since in a case-insensitive comparison, A=a, so we're not really even
getting the full 24 bits of hash that we wanted.  I'd vote for five base-32
digits and force everything to lower case for the hash computation.  Upon
verification, we'd get full use of the 25-bit hash with only one extra
character in the local part.

--

Seth Goodman
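
Added example, not part of the original message or of any SRS implementation: a Python sketch of the two tag encodings compared above, counting how many tag values stay distinguishable once base-64 is compared case-insensitively. The key, the sample input string and the use of HMAC-SHA1 truncated to its leading bits are assumptions made for illustration.

```python
import base64, hashlib, hmac, math, string

SECRET = b"constructed-example-secret"          # assumption: sample key
SAMPLE = "HH=example.org=alice"                 # constructed input, not a real SRS address
B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"  # single-case alphabet

def raw_mac(data: str) -> bytes:
    # Lower-case first so the tag can still be recomputed after case mangling.
    return hmac.new(SECRET, data.lower().encode(), hashlib.sha1).digest()

def tag_b64(data: str, digits: int = 4) -> str:
    # First `digits` base-64 characters = leading 6*digits bits of the MAC.
    return base64.b64encode(raw_mac(data)).decode()[:digits]

def tag_b32(data: str, digits: int = 5) -> str:
    # Leading 5*digits bits of the 160-bit MAC, emitted in lower case only.
    bits = int.from_bytes(raw_mac(data), "big") >> (160 - 5 * digits)
    return "".join(B32_ALPHABET[(bits >> (5 * i)) & 31]
                   for i in reversed(range(digits)))

def verify_b64(data: str, tag: str) -> bool:
    # Case-insensitive comparison: 'A' and 'a' are accepted as the same digit.
    return hmac.compare_digest(tag_b64(data, len(tag)).lower(), tag.lower())

def verify_b32(data: str, tag: str) -> bool:
    # Folding the received tag loses nothing: the alphabet has one case.
    return hmac.compare_digest(tag_b32(data, len(tag)), tag.lower())

def distinguishable_bits(alphabet: str, digits: int) -> float:
    # log2 of the number of tags a case-insensitive verifier can tell apart.
    return digits * math.log2(len({c.lower() for c in alphabet}))

if __name__ == "__main__":
    for name, tag, alphabet in (("base-64", tag_b64(SAMPLE), B64_ALPHABET),
                                ("base-32", tag_b32(SAMPLE), B32_ALPHABET)):
        print(f"{name}: tag={tag!r} "
              f"distinguishable bits={distinguishable_bits(alphabet, len(tag)):.2f}")
```

Folding case leaves 38 distinguishable base-64 symbols, so four digits give just under 21 bits, against a full 25 bits for five base-32 digits.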