AES: Why is it a good practice to use only the first 16 bytes of a hash for encryption?How can one securely generate an asymmetric key pair from a short passphrase?Key derivation functions (KDF): What are? Main purposes? How can they be used?Review of AES encryption concept for an open source projectCryptography Implementation in softwareStoring encryption key?Hashing - Digital Signing and Trivial StretchingApplication level encryption and key renewalPassword derived hash to encrypt known plaintext as password checkSecurity of non-standard use for AES-256-CTR?Authorities on password hashing best practiceIs AES ECB good enough for key spreading?What should I use for consequent AES key derivation?

What is the command to reset a PC without deleting any files

Wild Shape Centaur Into a Giant Elk: do their Charges stack?

Can a planet have a different gravitational pull depending on its location in orbit around its sun?

Does the average primeness of natural numbers tend to zero?

Add an angle to a sphere

How would photo IDs work for shapeshifters?

Is it possible to make sharp wind that can cut stuff from afar?

Copycat chess is back

A newer friend of my brother's gave him a load of baseball cards that are supposedly extremely valuable. Is this a scam?

Is Social Media Science Fiction?

Is Fable (1996) connected in any way to the Fable franchise from Lionhead Studios?

Denied boarding due to overcrowding, Sparpreis ticket. What are my rights?

Is it legal to have the "// (c) 2019 John Smith" header in all files when there are hundreds of contributors?

DOS, create pipe for stdin/stdout of command.com(or 4dos.com) in C or Batch?

Why do UK politicians seemingly ignore opinion polls on Brexit?

Manga about a female worker who got dragged into another world together with this high school girl and she was just told she's not needed anymore

Finding files for which a command fails

Why is an old chain unsafe?

Could a US political party gain complete control over the government by removing checks & balances?

Is this food a bread or a loaf?

I see my dog run

Calculate Levenshtein distance between two strings in Python

How can I fix this gap between bookcases I made?

Can you lasso down a wizard who is using the Levitate spell?



AES: Why is it a good practice to use only the first 16 bytes of a hash for encryption?


How can one securely generate an asymmetric key pair from a short passphrase?Key derivation functions (KDF): What are? Main purposes? How can they be used?Review of AES encryption concept for an open source projectCryptography Implementation in softwareStoring encryption key?Hashing - Digital Signing and Trivial StretchingApplication level encryption and key renewalPassword derived hash to encrypt known plaintext as password checkSecurity of non-standard use for AES-256-CTR?Authorities on password hashing best practiceIs AES ECB good enough for key spreading?What should I use for consequent AES key derivation?













6












$begingroup$


I'd like to encrypt Text with AES/CTR and a password defined by the user in java. I already checked the internet (and stackoverflow) for answers. The most used version is to hash the user password with sha1 and take only the first 16 bytes.



But I don't think this can be a good practice.



  1. sha1 is weak

  2. taking only the first 16 bytes makes the hash also weak
    and rise the chance for a collision (even with sha-256)

Is this really the best practice? Why? How can I do things better?



Some links to the articles I mentioned:



  • https://stackoverflow.com/questions/3451670/java-aes-and-using-my-own-key

  • https://howtodoinjava.com/security/java-aes-encryption-example/

  • https://blog.axxg.de/java-aes-verschluesselung-mit-beispiel/





encryption hash aes symmetric







share|improve this question









New contributor




firendlyQuestion is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







$endgroup$







  • 3




    $begingroup$
    They are not good sources. Anyway I will call this question as dupe of this and this
    $endgroup$
    – kelalaka
    Apr 4 at 18:28










  • $begingroup$
    Nowadays you should probably use HKDF with an appropriate hash.
    $endgroup$
    – jww
    Apr 5 at 2:42










  • $begingroup$
    Collision is irrelevant. The chance of 128-bit hash (thus key) collision for different passwords is very low unless you have at least thousands of times more users than exist on Earth (about 2^44) and anyway there's no harm as long as you do not also reuse the same nonce for different data. If the (96-bit) nonce is indepedently random that chance is infinitesimal; if the nonce is systematic (e.g. counter) or synthetic (SIV) there is zero chance. The real and serious danger is using a fast hash on password input, as correctly answered by Ella.
    $endgroup$
    – dave_thompson_085
    Apr 5 at 15:50
















6












$begingroup$


I'd like to encrypt Text with AES/CTR and a password defined by the user in java. I already checked the internet (and stackoverflow) for answers. The most used version is to hash the user password with sha1 and take only the first 16 bytes.



But I don't think this can be a good practice.



  1. sha1 is weak

  2. taking only the first 16 bytes makes the hash also weak
    and rise the chance for a collision (even with sha-256)

Is this really the best practice? Why? How can I do things better?



Some links to the articles I mentioned:



  • https://stackoverflow.com/questions/3451670/java-aes-and-using-my-own-key

  • https://howtodoinjava.com/security/java-aes-encryption-example/

  • https://blog.axxg.de/java-aes-verschluesselung-mit-beispiel/





encryption hash aes symmetric







share|improve this question









New contributor




firendlyQuestion is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







$endgroup$







  • 3




    $begingroup$
    They are not good sources. Anyway I will call this question as dupe of this and this
    $endgroup$
    – kelalaka
    Apr 4 at 18:28










  • $begingroup$
    Nowadays you should probably use HKDF with an appropriate hash.
    $endgroup$
    – jww
    Apr 5 at 2:42










  • $begingroup$
    Collision is irrelevant. The chance of 128-bit hash (thus key) collision for different passwords is very low unless you have at least thousands of times more users than exist on Earth (about 2^44) and anyway there's no harm as long as you do not also reuse the same nonce for different data. If the (96-bit) nonce is indepedently random that chance is infinitesimal; if the nonce is systematic (e.g. counter) or synthetic (SIV) there is zero chance. The real and serious danger is using a fast hash on password input, as correctly answered by Ella.
    $endgroup$
    – dave_thompson_085
    Apr 5 at 15:50














6












6








6


3



$begingroup$


I'd like to encrypt Text with AES/CTR and a password defined by the user in java. I already checked the internet (and stackoverflow) for answers. The most used version is to hash the user password with sha1 and take only the first 16 bytes.



But I don't think this can be a good practice.



  1. sha1 is weak

  2. taking only the first 16 bytes makes the hash also weak
    and rise the chance for a collision (even with sha-256)

Is this really the best practice? Why? How can I do things better?



Some links to the articles I mentioned:



  • https://stackoverflow.com/questions/3451670/java-aes-and-using-my-own-key

  • https://howtodoinjava.com/security/java-aes-encryption-example/

  • https://blog.axxg.de/java-aes-verschluesselung-mit-beispiel/





encryption hash aes symmetric







share|improve this question









New contributor




firendlyQuestion is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







$endgroup$




I'd like to encrypt Text with AES/CTR and a password defined by the user in java. I already checked the internet (and stackoverflow) for answers. The most used version is to hash the user password with sha1 and take only the first 16 bytes.



But I don't think this can be a good practice.



  1. sha1 is weak

  2. taking only the first 16 bytes makes the hash also weak
    and rise the chance for a collision (even with sha-256)

Is this really the best practice? Why? How can I do things better?



Some links to the articles I mentioned:



  • https://stackoverflow.com/questions/3451670/java-aes-and-using-my-own-key

  • https://howtodoinjava.com/security/java-aes-encryption-example/

  • https://blog.axxg.de/java-aes-verschluesselung-mit-beispiel/





encryption hash aes symmetric




encryption hash aes symmetric






share|improve this question









New contributor




firendlyQuestion is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




firendlyQuestion is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited Apr 5 at 6:41









hardyrama

8731527




8731527






New contributor




firendlyQuestion is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked Apr 4 at 17:46









firendlyQuestionfirendlyQuestion

343




343




New contributor




firendlyQuestion is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





firendlyQuestion is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






firendlyQuestion is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







  • 3




    $begingroup$
    They are not good sources. Anyway I will call this question as dupe of this and this
    $endgroup$
    – kelalaka
    Apr 4 at 18:28










  • $begingroup$
    Nowadays you should probably use HKDF with an appropriate hash.
    $endgroup$
    – jww
    Apr 5 at 2:42










  • $begingroup$
    Collision is irrelevant. The chance of 128-bit hash (thus key) collision for different passwords is very low unless you have at least thousands of times more users than exist on Earth (about 2^44) and anyway there's no harm as long as you do not also reuse the same nonce for different data. If the (96-bit) nonce is indepedently random that chance is infinitesimal; if the nonce is systematic (e.g. counter) or synthetic (SIV) there is zero chance. The real and serious danger is using a fast hash on password input, as correctly answered by Ella.
    $endgroup$
    – dave_thompson_085
    Apr 5 at 15:50













  • 3




    $begingroup$
    They are not good sources. Anyway I will call this question as dupe of this and this
    $endgroup$
    – kelalaka
    Apr 4 at 18:28










  • $begingroup$
    Nowadays you should probably use HKDF with an appropriate hash.
    $endgroup$
    – jww
    Apr 5 at 2:42










  • $begingroup$
    Collision is irrelevant. The chance of 128-bit hash (thus key) collision for different passwords is very low unless you have at least thousands of times more users than exist on Earth (about 2^44) and anyway there's no harm as long as you do not also reuse the same nonce for different data. If the (96-bit) nonce is indepedently random that chance is infinitesimal; if the nonce is systematic (e.g. counter) or synthetic (SIV) there is zero chance. The real and serious danger is using a fast hash on password input, as correctly answered by Ella.
    $endgroup$
    – dave_thompson_085
    Apr 5 at 15:50








3




3




$begingroup$
They are not good sources. Anyway I will call this question as dupe of this and this
$endgroup$
– kelalaka
Apr 4 at 18:28




$begingroup$
They are not good sources. Anyway I will call this question as dupe of this and this
$endgroup$
– kelalaka
Apr 4 at 18:28












$begingroup$
Nowadays you should probably use HKDF with an appropriate hash.
$endgroup$
– jww
Apr 5 at 2:42




$begingroup$
Nowadays you should probably use HKDF with an appropriate hash.
$endgroup$
– jww
Apr 5 at 2:42












$begingroup$
Collision is irrelevant. The chance of 128-bit hash (thus key) collision for different passwords is very low unless you have at least thousands of times more users than exist on Earth (about 2^44) and anyway there's no harm as long as you do not also reuse the same nonce for different data. If the (96-bit) nonce is indepedently random that chance is infinitesimal; if the nonce is systematic (e.g. counter) or synthetic (SIV) there is zero chance. The real and serious danger is using a fast hash on password input, as correctly answered by Ella.
$endgroup$
– dave_thompson_085
Apr 5 at 15:50





$begingroup$
Collision is irrelevant. The chance of 128-bit hash (thus key) collision for different passwords is very low unless you have at least thousands of times more users than exist on Earth (about 2^44) and anyway there's no harm as long as you do not also reuse the same nonce for different data. If the (96-bit) nonce is indepedently random that chance is infinitesimal; if the nonce is systematic (e.g. counter) or synthetic (SIV) there is zero chance. The real and serious danger is using a fast hash on password input, as correctly answered by Ella.
$endgroup$
– dave_thompson_085
Apr 5 at 15:50











1 Answer
1






active

oldest

votes


















19












$begingroup$


Why is it a good practice to use only the first 16 bytes of a hash for encryption?




As you noted, it isn't.



But, the problem is not with the "16 bytes" part of the statement, or the concern for collisions. The problem is with the "hash" part.



16 bytes



As stated in one of the links you shared, AES only uses key sizes of 128, 192, and 256 bits (or 16, 24, and 32 bytes, respectively). So the key must be one of these sizes, because AES simply does not support other key sizes.



Trying to use a larger key could have a variety of possible outcomes depending on what the implementation chooses to do. It might raise an exception, or continue silently while only using the first N bits of the supplied key.



Hashing a password to use as an encryption key



Using a hash function such as MD5, SHA1, SHA2, SHA3, blake2, etc, would all be bad practice. The first two are obvious: MD5 and SHA1 are known to be weak in general.



But even using a strong cryptographic hash like SHA3 or blake2 would also be bad, because they were not designed to solve the problem of deriving a key from a password. Use of a cryptographic hash function is involved in this process, but it is not the entirety of it.



Good practice would be to use a dedicated key derivation function such as Argon2 that was designed to solve this problem. If your library doesn't support Argon2 but supports scrypt, bcrypt or PBKDF2, any of these three is also a reasonable choice.



Why/How



A normal hash function is designed to be fast and require little space.



A hash function designed for use on passwords is quite the opposite: it is a slow function that requires lots of memory access, in an attempt to try and optimize the function towards what a consumer CPU is good at, and minimize the potential for optimization with special hardware. Specialized hardware is usable by an attacker, but a legitimate user is limited to a commodity CPU; The goal is to try and use a function that cannot take advantage of special hardware to the extent possible.



Details about the hows and whys of password hashing are listed in this paper and quoted below (with minor modifications, e.g. removing citations and modified formatting):




Cryptographic Security: The scheme should be cryptographically secure and as such possess the following properties:



  • 1) Preimage resistance

  • 2) Second preimage resistance

  • 3) collision resistance.

In addition it should avoid other cryptographic weaknesses such as those present in (some)Merkle-Damgård constructions(e.g. length extension attacks, partial message collisions, etc)



Defense against lookup table /TMTOAttacks:



  • The scheme should aim to make TMTO attacks that allow for precomputed lookup table generation, such as Rainbow Tables, infeasible

Defense against CPU-optimized 'crackers':



  • The scheme should be ‘CPU-hard’, that is, it should require significant amounts of CPU processing in a manner that cannot be optimized away through either software or hardware. As such, cracking-optimized (multi-core) CPU software implementations (eg. written in assembly, testing multiple input sets in parallel) should offer only minimal speed-up improvements compared to those intended for validation (“slower for attackers, faster for defenders”).

Defense against hardware-optimized 'crackers':



  • The scheme should be 'memory-hard', that is, it should significant amounts of RAM capacity in a manner that cannot be optimized away through eg. TMTO attacks. As such cracking-optimized ASIC, FPGA and GPU implementations should offer only minimal speed up improvements (eg. in terms of time-area product) compared to those intended for validation. As noted by Aumasson one of the main scheme design challenges is ensuring minimized efficiency on GPUs, FPGAs and ASICs (in order to minimize benefits of cracking-optimized implementations) and maximized efficiency on general-purpose CPUs (in order to maintain regular use efficiency).

Defense against side-channel attacks:



  • Depending on the use-case (eg. for key derivation or authentication to a device seeking to protect against modification by the device owner) side-channel attacks might be a relevant avenue of attack. Password hashing schemes should aim to offer side-channel resilience. With regards to password hashing scheme security we will focus on security versus the cache-timing type of side-channel attacks given the existence of such attacks against the commonly used scrypt scheme. The second category of side-channel attacks we will take into consideration are so-called Garbage Collector Attacks (GCAs). GCAs have been discussed in literature as an instance of a 'memory leak' attack relevant to password hashing scheme security. GCAs consist of a scenario where an attacker has access to a target machine's internal memory either after termination of the hashing scheme or at some point where the password itself is still present in memory (the so-called WeakGCA variant)...






share|improve this answer











$endgroup$








  • 3




    $begingroup$
    Nitpick: bcrypt is advertised as a password storage and verification function, not so much a key derivation function, and implementations routinely have APIs to match that (e.g., outputting text encoded output, providing an enroll/verify API instead of a hash API, That is not to claim that bcrypt couldn't be used as you suggest, but there are potential practical pitfalls. See, e.g., this article.
    $endgroup$
    – Luis Casillas
    Apr 4 at 22:00






  • 5




    $begingroup$
    @LuisCasillas just a note: I actually didn't list bcrypt; that was inserted to my answer by Gilles via an edit...
    $endgroup$
    – Ella Rose
    Apr 4 at 22:35







  • 2




    $begingroup$
    @LuisCasillas Argon2 was also the winner of the password hashing competition, not the password-based KDF competition. Is there any reason to believe that Argon2 is good for PBKDF that doesn't also apply to bcrypt?
    $endgroup$
    – Gilles
    Apr 4 at 23:46






  • 2




    $begingroup$
    @Gilles The PHC call for submissions had a requirement that the outputs look random, which to my mind implies such suitability. But really, the biggest pitfalls I'm thinking of here aren't conceptually deep; they come down to bcrypt implementations doing stuff like producing ASCII output like "$2a$" + cost + "$" + base64(salt + hash). At the level of (un)sophistication we're dealing with in this question I worry somebody might literally use the ASCII string's bytes.
    $endgroup$
    – Luis Casillas
    Apr 5 at 9:46






  • 3




    $begingroup$
    @firendlyQuestion: Yes, provided you use an Argon2 implementation or API that produces binary output. The tricky detail here is that some implementations of such functions are coded to be friendly to callers who are using them for password storage instead of key derivation.
    $endgroup$
    – Luis Casillas
    Apr 5 at 9:48











Your Answer





StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);






firendlyQuestion is a new contributor. Be nice, and check out our Code of Conduct.









draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68545%2faes-why-is-it-a-good-practice-to-use-only-the-first-16-bytes-of-a-hash-for-encr%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









19












$begingroup$


Why is it a good practice to use only the first 16 bytes of a hash for encryption?




As you noted, it isn't.



But, the problem is not with the "16 bytes" part of the statement, or the concern for collisions. The problem is with the "hash" part.



16 bytes



As stated in one of the links you shared, AES only uses key sizes of 128, 192, and 256 bits (or 16, 24, and 32 bytes, respectively). So the key must be one of these sizes, because AES simply does not support other key sizes.



Trying to use a larger key could have a variety of possible outcomes depending on what the implementation chooses to do. It might raise an exception, or continue silently while only using the first N bits of the supplied key.



Hashing a password to use as an encryption key



Using a hash function such as MD5, SHA1, SHA2, SHA3, blake2, etc, would all be bad practice. The first two are obvious: MD5 and SHA1 are known to be weak in general.



But even using a strong cryptographic hash like SHA3 or blake2 would also be bad, because they were not designed to solve the problem of deriving a key from a password. Use of a cryptographic hash function is involved in this process, but it is not the entirety of it.



Good practice would be to use a dedicated key derivation function such as Argon2 that was designed to solve this problem. If your library doesn't support Argon2 but supports scrypt, bcrypt or PBKDF2, any of these three is also a reasonable choice.



Why/How



A normal hash function is designed to be fast and require little space.



A hash function designed for use on passwords is quite the opposite: it is a slow function that requires lots of memory access, in an attempt to try and optimize the function towards what a consumer CPU is good at, and minimize the potential for optimization with special hardware. Specialized hardware is usable by an attacker, but a legitimate user is limited to a commodity CPU; The goal is to try and use a function that cannot take advantage of special hardware to the extent possible.



Details about the hows and whys of password hashing are listed in this paper and quoted below (with minor modifications, e.g. removing citations and modified formatting):




Cryptographic Security: The scheme should be cryptographically secure and as such possess the following properties:



  • 1) Preimage resistance

  • 2) Second preimage resistance

  • 3) collision resistance.

In addition it should avoid other cryptographic weaknesses such as those present in (some)Merkle-Damgård constructions(e.g. length extension attacks, partial message collisions, etc)



Defense against lookup table /TMTOAttacks:



  • The scheme should aim to make TMTO attacks that allow for precomputed lookup table generation, such as Rainbow Tables, infeasible

Defense against CPU-optimized 'crackers':



  • The scheme should be ‘CPU-hard’, that is, it should require significant amounts of CPU processing in a manner that cannot be optimized away through either software or hardware. As such, cracking-optimized (multi-core) CPU software implementations (eg. written in assembly, testing multiple input sets in parallel) should offer only minimal speed-up improvements compared to those intended for validation (“slower for attackers, faster for defenders”).

Defense against hardware-optimized 'crackers':



  • The scheme should be 'memory-hard', that is, it should significant amounts of RAM capacity in a manner that cannot be optimized away through eg. TMTO attacks. As such cracking-optimized ASIC, FPGA and GPU implementations should offer only minimal speed up improvements (eg. in terms of time-area product) compared to those intended for validation. As noted by Aumasson one of the main scheme design challenges is ensuring minimized efficiency on GPUs, FPGAs and ASICs (in order to minimize benefits of cracking-optimized implementations) and maximized efficiency on general-purpose CPUs (in order to maintain regular use efficiency).

Defense against side-channel attacks:



  • Depending on the use-case (eg. for key derivation or authentication to a device seeking to protect against modification by the device owner) side-channel attacks might be a relevant avenue of attack. Password hashing schemes should aim to offer side-channel resilience. With regards to password hashing scheme security we will focus on security versus the cache-timing type of side-channel attacks given the existence of such attacks against the commonly used scrypt scheme. The second category of side-channel attacks we will take into consideration are so-called Garbage Collector Attacks (GCAs). GCAs have been discussed in literature as an instance of a 'memory leak' attack relevant to password hashing scheme security. GCAs consist of a scenario where an attacker has access to a target machine's internal memory either after termination of the hashing scheme or at some point where the password itself is still present in memory (the so-called WeakGCA variant)...






share|improve this answer











$endgroup$








  • 3




    $begingroup$
    Nitpick: bcrypt is advertised as a password storage and verification function, not so much a key derivation function, and implementations routinely have APIs to match that (e.g., outputting text encoded output, providing an enroll/verify API instead of a hash API, That is not to claim that bcrypt couldn't be used as you suggest, but there are potential practical pitfalls. See, e.g., this article.
    $endgroup$
    – Luis Casillas
    Apr 4 at 22:00






  • 5




    $begingroup$
    @LuisCasillas just a note: I actually didn't list bcrypt; that was inserted to my answer by Gilles via an edit...
    $endgroup$
    – Ella Rose
    Apr 4 at 22:35







  • 2




    $begingroup$
    @LuisCasillas Argon2 was also the winner of the password hashing competition, not the password-based KDF competition. Is there any reason to believe that Argon2 is good for PBKDF that doesn't also apply to bcrypt?
    $endgroup$
    – Gilles
    Apr 4 at 23:46






  • 2




    $begingroup$
    @Gilles The PHC call for submissions had a requirement that the outputs look random, which to my mind implies such suitability. But really, the biggest pitfalls I'm thinking of here aren't conceptually deep; they come down to bcrypt implementations doing stuff like producing ASCII output like "$2a$" + cost + "$" + base64(salt + hash). At the level of (un)sophistication we're dealing with in this question I worry somebody might literally use the ASCII string's bytes.
    $endgroup$
    – Luis Casillas
    Apr 5 at 9:46






  • 3




    $begingroup$
    @firendlyQuestion: Yes, provided you use an Argon2 implementation or API that produces binary output. The tricky detail here is that some implementations of such functions are coded to be friendly to callers who are using them for password storage instead of key derivation.
    $endgroup$
    – Luis Casillas
    Apr 5 at 9:48















19












$begingroup$


Why is it a good practice to use only the first 16 bytes of a hash for encryption?




As you noted, it isn't.



But, the problem is not with the "16 bytes" part of the statement, or the concern for collisions. The problem is with the "hash" part.



16 bytes



As stated in one of the links you shared, AES only uses key sizes of 128, 192, and 256 bits (or 16, 24, and 32 bytes, respectively). So the key must be one of these sizes, because AES simply does not support other key sizes.



Trying to use a larger key could have a variety of possible outcomes depending on what the implementation chooses to do. It might raise an exception, or continue silently while only using the first N bits of the supplied key.



Hashing a password to use as an encryption key



Using a hash function such as MD5, SHA1, SHA2, SHA3, blake2, etc, would all be bad practice. The first two are obvious: MD5 and SHA1 are known to be weak in general.



But even using a strong cryptographic hash like SHA3 or blake2 would also be bad, because they were not designed to solve the problem of deriving a key from a password. Use of a cryptographic hash function is involved in this process, but it is not the entirety of it.



Good practice would be to use a dedicated key derivation function such as Argon2 that was designed to solve this problem. If your library doesn't support Argon2 but supports scrypt, bcrypt or PBKDF2, any of these three is also a reasonable choice.



Why/How



A normal hash function is designed to be fast and require little space.



A hash function designed for use on passwords is quite the opposite: it is a slow function that requires lots of memory access, in an attempt to try and optimize the function towards what a consumer CPU is good at, and minimize the potential for optimization with special hardware. Specialized hardware is usable by an attacker, but a legitimate user is limited to a commodity CPU; The goal is to try and use a function that cannot take advantage of special hardware to the extent possible.



Details about the hows and whys of password hashing are listed in this paper and quoted below (with minor modifications, e.g. removing citations and modified formatting):




Cryptographic Security: The scheme should be cryptographically secure and as such possess the following properties:



  • 1) Preimage resistance

  • 2) Second preimage resistance

  • 3) collision resistance.

In addition it should avoid other cryptographic weaknesses such as those present in (some)Merkle-Damgård constructions(e.g. length extension attacks, partial message collisions, etc)



Defense against lookup table /TMTOAttacks:



  • The scheme should aim to make TMTO attacks that allow for precomputed lookup table generation, such as Rainbow Tables, infeasible

Defense against CPU-optimized 'crackers':



  • The scheme should be ‘CPU-hard’, that is, it should require significant amounts of CPU processing in a manner that cannot be optimized away through either software or hardware. As such, cracking-optimized (multi-core) CPU software implementations (eg. written in assembly, testing multiple input sets in parallel) should offer only minimal speed-up improvements compared to those intended for validation (“slower for attackers, faster for defenders”).

Defense against hardware-optimized 'crackers':



  • The scheme should be 'memory-hard', that is, it should significant amounts of RAM capacity in a manner that cannot be optimized away through eg. TMTO attacks. As such cracking-optimized ASIC, FPGA and GPU implementations should offer only minimal speed up improvements (eg. in terms of time-area product) compared to those intended for validation. As noted by Aumasson one of the main scheme design challenges is ensuring minimized efficiency on GPUs, FPGAs and ASICs (in order to minimize benefits of cracking-optimized implementations) and maximized efficiency on general-purpose CPUs (in order to maintain regular use efficiency).

Defense against side-channel attacks:



  • Depending on the use-case (eg. for key derivation or authentication to a device seeking to protect against modification by the device owner) side-channel attacks might be a relevant avenue of attack. Password hashing schemes should aim to offer side-channel resilience. With regards to password hashing scheme security we will focus on security versus the cache-timing type of side-channel attacks given the existence of such attacks against the commonly used scrypt scheme. The second category of side-channel attacks we will take into consideration are so-called Garbage Collector Attacks (GCAs). GCAs have been discussed in literature as an instance of a 'memory leak' attack relevant to password hashing scheme security. GCAs consist of a scenario where an attacker has access to a target machine's internal memory either after termination of the hashing scheme or at some point where the password itself is still present in memory (the so-called WeakGCA variant)...






share|improve this answer











$endgroup$








  • 3




    $begingroup$
    Nitpick: bcrypt is advertised as a password storage and verification function, not so much a key derivation function, and implementations routinely have APIs to match that (e.g., outputting text encoded output, providing an enroll/verify API instead of a hash API, That is not to claim that bcrypt couldn't be used as you suggest, but there are potential practical pitfalls. See, e.g., this article.
    $endgroup$
    – Luis Casillas
    Apr 4 at 22:00






  • 5




    $begingroup$
    @LuisCasillas just a note: I actually didn't list bcrypt; that was inserted to my answer by Gilles via an edit...
    $endgroup$
    – Ella Rose
    Apr 4 at 22:35







  • 2




    $begingroup$
    @LuisCasillas Argon2 was also the winner of the password hashing competition, not the password-based KDF competition. Is there any reason to believe that Argon2 is good for PBKDF that doesn't also apply to bcrypt?
    $endgroup$
    – Gilles
    Apr 4 at 23:46






  • 2




    $begingroup$
    @Gilles The PHC call for submissions had a requirement that the outputs look random, which to my mind implies such suitability. But really, the biggest pitfalls I'm thinking of here aren't conceptually deep; they come down to bcrypt implementations doing stuff like producing ASCII output like "$2a$" + cost + "$" + base64(salt + hash). At the level of (un)sophistication we're dealing with in this question I worry somebody might literally use the ASCII string's bytes.
    $endgroup$
    – Luis Casillas
    Apr 5 at 9:46






  • 3




    $begingroup$
    @firendlyQuestion: Yes, provided you use an Argon2 implementation or API that produces binary output. The tricky detail here is that some implementations of such functions are coded to be friendly to callers who are using them for password storage instead of key derivation.
    $endgroup$
    – Luis Casillas
    Apr 5 at 9:48













19












19








19





$begingroup$


Why is it a good practice to use only the first 16 bytes of a hash for encryption?




As you noted, it isn't.



But, the problem is not with the "16 bytes" part of the statement, or the concern for collisions. The problem is with the "hash" part.



16 bytes



As stated in one of the links you shared, AES only uses key sizes of 128, 192, and 256 bits (or 16, 24, and 32 bytes, respectively). So the key must be one of these sizes, because AES simply does not support other key sizes.



Trying to use a larger key could have a variety of possible outcomes depending on what the implementation chooses to do. It might raise an exception, or continue silently while only using the first N bits of the supplied key.



Hashing a password to use as an encryption key



Using a hash function such as MD5, SHA1, SHA2, SHA3, blake2, etc, would all be bad practice. The first two are obvious: MD5 and SHA1 are known to be weak in general.



But even using a strong cryptographic hash like SHA3 or blake2 would also be bad, because they were not designed to solve the problem of deriving a key from a password. Use of a cryptographic hash function is involved in this process, but it is not the entirety of it.



Good practice would be to use a dedicated key derivation function such as Argon2 that was designed to solve this problem. If your library doesn't support Argon2 but supports scrypt, bcrypt or PBKDF2, any of these three is also a reasonable choice.



Why/How



A normal hash function is designed to be fast and require little space.



A hash function designed for use on passwords is quite the opposite: it is a slow function that requires lots of memory access, in an attempt to try and optimize the function towards what a consumer CPU is good at, and minimize the potential for optimization with special hardware. Specialized hardware is usable by an attacker, but a legitimate user is limited to a commodity CPU; The goal is to try and use a function that cannot take advantage of special hardware to the extent possible.



Details about the hows and whys of password hashing are listed in this paper and quoted below (with minor modifications, e.g. removing citations and modified formatting):




Cryptographic Security: The scheme should be cryptographically secure and as such possess the following properties:



  • 1) Preimage resistance

  • 2) Second preimage resistance

  • 3) collision resistance.

In addition it should avoid other cryptographic weaknesses such as those present in (some)Merkle-Damgård constructions(e.g. length extension attacks, partial message collisions, etc)



Defense against lookup table /TMTOAttacks:



  • The scheme should aim to make TMTO attacks that allow for precomputed lookup table generation, such as Rainbow Tables, infeasible

Defense against CPU-optimized 'crackers':



  • The scheme should be ‘CPU-hard’, that is, it should require significant amounts of CPU processing in a manner that cannot be optimized away through either software or hardware. As such, cracking-optimized (multi-core) CPU software implementations (eg. written in assembly, testing multiple input sets in parallel) should offer only minimal speed-up improvements compared to those intended for validation (“slower for attackers, faster for defenders”).

Defense against hardware-optimized 'crackers':



  • The scheme should be 'memory-hard', that is, it should significant amounts of RAM capacity in a manner that cannot be optimized away through eg. TMTO attacks. As such cracking-optimized ASIC, FPGA and GPU implementations should offer only minimal speed up improvements (eg. in terms of time-area product) compared to those intended for validation. As noted by Aumasson one of the main scheme design challenges is ensuring minimized efficiency on GPUs, FPGAs and ASICs (in order to minimize benefits of cracking-optimized implementations) and maximized efficiency on general-purpose CPUs (in order to maintain regular use efficiency).

Defense against side-channel attacks:



  • Depending on the use-case (eg. for key derivation or authentication to a device seeking to protect against modification by the device owner) side-channel attacks might be a relevant avenue of attack. Password hashing schemes should aim to offer side-channel resilience. With regards to password hashing scheme security we will focus on security versus the cache-timing type of side-channel attacks given the existence of such attacks against the commonly used scrypt scheme. The second category of side-channel attacks we will take into consideration are so-called Garbage Collector Attacks (GCAs). GCAs have been discussed in literature as an instance of a 'memory leak' attack relevant to password hashing scheme security. GCAs consist of a scenario where an attacker has access to a target machine's internal memory either after termination of the hashing scheme or at some point where the password itself is still present in memory (the so-called WeakGCA variant)...






share|improve this answer











$endgroup$




Why is it a good practice to use only the first 16 bytes of a hash for encryption?




As you noted, it isn't.



But, the problem is not with the "16 bytes" part of the statement, or the concern for collisions. The problem is with the "hash" part.



16 bytes



As stated in one of the links you shared, AES only uses key sizes of 128, 192, and 256 bits (or 16, 24, and 32 bytes, respectively). So the key must be one of these sizes, because AES simply does not support other key sizes.



Trying to use a larger key could have a variety of possible outcomes depending on what the implementation chooses to do. It might raise an exception, or continue silently while only using the first N bits of the supplied key.



Hashing a password to use as an encryption key



Using a hash function such as MD5, SHA1, SHA2, SHA3, blake2, etc, would all be bad practice. The first two are obvious: MD5 and SHA1 are known to be weak in general.



But even using a strong cryptographic hash like SHA3 or blake2 would also be bad, because they were not designed to solve the problem of deriving a key from a password. Use of a cryptographic hash function is involved in this process, but it is not the entirety of it.



Good practice would be to use a dedicated key derivation function such as Argon2 that was designed to solve this problem. If your library doesn't support Argon2 but supports scrypt, bcrypt or PBKDF2, any of these three is also a reasonable choice.



Why/How



A normal hash function is designed to be fast and require little space.



A hash function designed for use on passwords is quite the opposite: it is a slow function that requires lots of memory access, in an attempt to try and optimize the function towards what a consumer CPU is good at, and minimize the potential for optimization with special hardware. Specialized hardware is usable by an attacker, but a legitimate user is limited to a commodity CPU; The goal is to try and use a function that cannot take advantage of special hardware to the extent possible.



Details about the hows and whys of password hashing are listed in this paper and quoted below (with minor modifications, e.g. removing citations and modified formatting):




Cryptographic Security: The scheme should be cryptographically secure and as such possess the following properties:



  • 1) Preimage resistance

  • 2) Second preimage resistance

  • 3) collision resistance.

In addition it should avoid other cryptographic weaknesses such as those present in (some)Merkle-Damgård constructions(e.g. length extension attacks, partial message collisions, etc)



Defense against lookup table /TMTOAttacks:



  • The scheme should aim to make TMTO attacks that allow for precomputed lookup table generation, such as Rainbow Tables, infeasible

Defense against CPU-optimized 'crackers':



  • The scheme should be ‘CPU-hard’, that is, it should require significant amounts of CPU processing in a manner that cannot be optimized away through either software or hardware. As such, cracking-optimized (multi-core) CPU software implementations (eg. written in assembly, testing multiple input sets in parallel) should offer only minimal speed-up improvements compared to those intended for validation (“slower for attackers, faster for defenders”).

Defense against hardware-optimized 'crackers':



  • The scheme should be 'memory-hard', that is, it should significant amounts of RAM capacity in a manner that cannot be optimized away through eg. TMTO attacks. As such cracking-optimized ASIC, FPGA and GPU implementations should offer only minimal speed up improvements (eg. in terms of time-area product) compared to those intended for validation. As noted by Aumasson one of the main scheme design challenges is ensuring minimized efficiency on GPUs, FPGAs and ASICs (in order to minimize benefits of cracking-optimized implementations) and maximized efficiency on general-purpose CPUs (in order to maintain regular use efficiency).

Defense against side-channel attacks:



  • Depending on the use-case (eg. for key derivation or authentication to a device seeking to protect against modification by the device owner) side-channel attacks might be a relevant avenue of attack. Password hashing schemes should aim to offer side-channel resilience. With regards to password hashing scheme security we will focus on security versus the cache-timing type of side-channel attacks given the existence of such attacks against the commonly used scrypt scheme. The second category of side-channel attacks we will take into consideration are so-called Garbage Collector Attacks (GCAs). GCAs have been discussed in literature as an instance of a 'memory leak' attack relevant to password hashing scheme security. GCAs consist of a scenario where an attacker has access to a target machine's internal memory either after termination of the hashing scheme or at some point where the password itself is still present in memory (the so-called WeakGCA variant)...







share|improve this answer














share|improve this answer



share|improve this answer








edited Apr 4 at 20:47









Gilles

8,42232756




8,42232756










answered Apr 4 at 18:37









Ella RoseElla Rose

16.9k44483




16.9k44483







  • 3




    $begingroup$
    Nitpick: bcrypt is advertised as a password storage and verification function, not so much a key derivation function, and implementations routinely have APIs to match that (e.g., outputting text encoded output, providing an enroll/verify API instead of a hash API, That is not to claim that bcrypt couldn't be used as you suggest, but there are potential practical pitfalls. See, e.g., this article.
    $endgroup$
    – Luis Casillas
    Apr 4 at 22:00






  • 5




    $begingroup$
    @LuisCasillas just a note: I actually didn't list bcrypt; that was inserted to my answer by Gilles via an edit...
    $endgroup$
    – Ella Rose
    Apr 4 at 22:35







  • 2




    $begingroup$
    @LuisCasillas Argon2 was also the winner of the password hashing competition, not the password-based KDF competition. Is there any reason to believe that Argon2 is good for PBKDF that doesn't also apply to bcrypt?
    $endgroup$
    – Gilles
    Apr 4 at 23:46






  • 2




    $begingroup$
    @Gilles The PHC call for submissions had a requirement that the outputs look random, which to my mind implies such suitability. But really, the biggest pitfalls I'm thinking of here aren't conceptually deep; they come down to bcrypt implementations doing stuff like producing ASCII output like "$2a$" + cost + "$" + base64(salt + hash). At the level of (un)sophistication we're dealing with in this question I worry somebody might literally use the ASCII string's bytes.
    $endgroup$
    – Luis Casillas
    Apr 5 at 9:46






  • 3




    $begingroup$
    @firendlyQuestion: Yes, provided you use an Argon2 implementation or API that produces binary output. The tricky detail here is that some implementations of such functions are coded to be friendly to callers who are using them for password storage instead of key derivation.
    $endgroup$
    – Luis Casillas
    Apr 5 at 9:48












  • 3




    $begingroup$
    Nitpick: bcrypt is advertised as a password storage and verification function, not so much a key derivation function, and implementations routinely have APIs to match that (e.g., outputting text encoded output, providing an enroll/verify API instead of a hash API, That is not to claim that bcrypt couldn't be used as you suggest, but there are potential practical pitfalls. See, e.g., this article.
    $endgroup$
    – Luis Casillas
    Apr 4 at 22:00






  • 5




    $begingroup$
    @LuisCasillas just a note: I actually didn't list bcrypt; that was inserted to my answer by Gilles via an edit...
    $endgroup$
    – Ella Rose
    Apr 4 at 22:35







  • 2




    $begingroup$
    @LuisCasillas Argon2 was also the winner of the password hashing competition, not the password-based KDF competition. Is there any reason to believe that Argon2 is good for PBKDF that doesn't also apply to bcrypt?
    $endgroup$
    – Gilles
    Apr 4 at 23:46






  • 2




    $begingroup$
    @Gilles The PHC call for submissions had a requirement that the outputs look random, which to my mind implies such suitability. But really, the biggest pitfalls I'm thinking of here aren't conceptually deep; they come down to bcrypt implementations doing stuff like producing ASCII output like "$2a$" + cost + "$" + base64(salt + hash). At the level of (un)sophistication we're dealing with in this question I worry somebody might literally use the ASCII string's bytes.
    $endgroup$
    – Luis Casillas
    Apr 5 at 9:46






  • 3




    $begingroup$
    @firendlyQuestion: Yes, provided you use an Argon2 implementation or API that produces binary output. The tricky detail here is that some implementations of such functions are coded to be friendly to callers who are using them for password storage instead of key derivation.
    $endgroup$
    – Luis Casillas
    Apr 5 at 9:48







3




3




$begingroup$
Nitpick: bcrypt is advertised as a password storage and verification function, not so much a key derivation function, and implementations routinely have APIs to match that (e.g., outputting text encoded output, providing an enroll/verify API instead of a hash API, That is not to claim that bcrypt couldn't be used as you suggest, but there are potential practical pitfalls. See, e.g., this article.
$endgroup$
– Luis Casillas
Apr 4 at 22:00




$begingroup$
Nitpick: bcrypt is advertised as a password storage and verification function, not so much a key derivation function, and implementations routinely have APIs to match that (e.g., outputting text encoded output, providing an enroll/verify API instead of a hash API, That is not to claim that bcrypt couldn't be used as you suggest, but there are potential practical pitfalls. See, e.g., this article.
$endgroup$
– Luis Casillas
Apr 4 at 22:00




5




5




$begingroup$
@LuisCasillas just a note: I actually didn't list bcrypt; that was inserted to my answer by Gilles via an edit...
$endgroup$
– Ella Rose
Apr 4 at 22:35





$begingroup$
@LuisCasillas just a note: I actually didn't list bcrypt; that was inserted to my answer by Gilles via an edit...
$endgroup$
– Ella Rose
Apr 4 at 22:35





2




2




$begingroup$
@LuisCasillas Argon2 was also the winner of the password hashing competition, not the password-based KDF competition. Is there any reason to believe that Argon2 is good for PBKDF that doesn't also apply to bcrypt?
$endgroup$
– Gilles
Apr 4 at 23:46




$begingroup$
@LuisCasillas Argon2 was also the winner of the password hashing competition, not the password-based KDF competition. Is there any reason to believe that Argon2 is good for PBKDF that doesn't also apply to bcrypt?
$endgroup$
– Gilles
Apr 4 at 23:46




2




2




$begingroup$
@Gilles The PHC call for submissions had a requirement that the outputs look random, which to my mind implies such suitability. But really, the biggest pitfalls I'm thinking of here aren't conceptually deep; they come down to bcrypt implementations doing stuff like producing ASCII output like "$2a$" + cost + "$" + base64(salt + hash). At the level of (un)sophistication we're dealing with in this question I worry somebody might literally use the ASCII string's bytes.
$endgroup$
– Luis Casillas
Apr 5 at 9:46




$begingroup$
@Gilles The PHC call for submissions had a requirement that the outputs look random, which to my mind implies such suitability. But really, the biggest pitfalls I'm thinking of here aren't conceptually deep; they come down to bcrypt implementations doing stuff like producing ASCII output like "$2a$" + cost + "$" + base64(salt + hash). At the level of (un)sophistication we're dealing with in this question I worry somebody might literally use the ASCII string's bytes.
$endgroup$
– Luis Casillas
Apr 5 at 9:46




3




3




$begingroup$
@firendlyQuestion: Yes, provided you use an Argon2 implementation or API that produces binary output. The tricky detail here is that some implementations of such functions are coded to be friendly to callers who are using them for password storage instead of key derivation.
$endgroup$
– Luis Casillas
Apr 5 at 9:48




$begingroup$
@firendlyQuestion: Yes, provided you use an Argon2 implementation or API that produces binary output. The tricky detail here is that some implementations of such functions are coded to be friendly to callers who are using them for password storage instead of key derivation.
$endgroup$
– Luis Casillas
Apr 5 at 9:48










firendlyQuestion is a new contributor. Be nice, and check out our Code of Conduct.









draft saved

draft discarded


















firendlyQuestion is a new contributor. Be nice, and check out our Code of Conduct.












firendlyQuestion is a new contributor. Be nice, and check out our Code of Conduct.











firendlyQuestion is a new contributor. Be nice, and check out our Code of Conduct.














Thanks for contributing an answer to Cryptography Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

Use MathJax to format equations. MathJax reference.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68545%2faes-why-is-it-a-good-practice-to-use-only-the-first-16-bytes-of-a-hash-for-encr%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

How to write a 12-bar blues melodyI-IV-V blues progressionHow to play the bridges in a standard blues progressionHow does Gdim7 fit in C# minor?question on a certain chord progressionMusicology of Melody12 bar blues, spread rhythm: alternative to 6th chord to avoid finger stretchChord progressions/ Root key/ MelodiesHow to put chords (POP-EDM) under a given lead vocal melody (starting from a good knowledge in music theory)Are there “rules” for improvising with the minor pentatonic scale over 12-bar shuffle?Confusion about blues scale and chords

Image
Why is a set not a partition of itself? Would an 8% reduction in drag outweigh the weight addition from this custom CFD-tested winglet? Labeling matrices/rectangles and drawing Sigma inside rectangle Unexpected Netflix account registered to my Gmail address - any way it could be a hack attempt? 51% attack - apparently very easy? refering to CZ's "rollback btc chain" - How to make sure such corruptible scenario can never happen so easily? Missouri raptors have wild hairdos Can someone explain homicide-related death rates? Why is tomato paste so cheap? What are the implications of the new alleged key recovery attack preprint on SIMON? Effects of ~10atm pressure on engine design Is taking modulus on both sides of an equation valid? Jumping frame contents with beamer and pgfplots Are there any established rules for splitting books into parts, chapters, sections etc? Anatomically Correct Carnivorous Tree Why do I get two different answers when solvi...
Read more

What if the end-user didn't have the required library?What is setup.py?What is a clean, pythonic way to have multiple constructors in Python?What does Ruby have that Python doesn't, and vice versa?What is the reason for having '//' in Python?How do I create a namespace package in Python?How to package shared objects that python modules depend on?setuptools vs. distutils: why is distutils still a thing?Navigation in Windows 10 vs code not going to virtualenv library when the same library is installed at user levelPython create package for local usePackaging a project that uses multiple python versionsWhy is permission denied on pip install except for when “--user” is included at end of command?

Image
Can a tourist shoot a gun in the USA? Will a coyote attack my dog on a leash while I'm on a hiking trail? Labeling matrices/rectangles and drawing Sigma inside rectangle How can I answer high-school writing prompts without sounding weird and fake? Is there ever any indication in the MCU as to how Spider-Man got his powers? Jumping frame contents with beamer and pgfplots Would an 8% reduction in drag outweigh the weight addition from this custom CFD-tested winglet? Is it possible to create different colors in rocket exhaust? German characters on US-International keyboard layout Does gravity affect the time evolution of a QM wave function? 51% attack - apparently very easy? refering to CZ's "rollback btc chain" - How to make sure such corruptible scenario can never happen so easily? Why are solar panels kept tilted? Is Germany still exporting arms to countries involved in Yemen? Unexpected Netflix account registered to my Gmail address - any wa...
Read more

Esgonzo ibérico Índice Descrición Distribución Hábitat Ameazas Notas Véxase tamén "Acerca dos nomes dos anfibios e réptiles galegos""Chalcides bedriagai"Chalcides bedriagai en Carrascal, L. M. Salvador, A. (Eds). Enciclopedia virtual de los vertebrados españoles. Museo Nacional de Ciencias Naturales, Madrid. España.Fotos

Image
escíncidospenínsula Ibéricaesgonzo comúnJacques von Bedriagaesgonzo comúndimorfismo sexualovovivíparaendémicaPenínsula IbéricaCordilleira CantábricaAsturiasPaís VascoGaliciaRías BaixasMurosCarnotaillas CíesOnsAtlánticoIllas CíesIlla de Onsilla do PesegueiroIlla de Sancti PetriMediterráneoMar MenorIlla de TabarcaGaliciaCantabriaBurgossolosdestrución do hábitatIUCN Abrir o menú principal Procurar Esgonzo ibérico Ler noutra lingua Vixiar esta páxina Editar function mfTempOpenSection(id)var block=document.getElementById("mf-section-"+id);block.className+=" open-block";block.previousSibling.className+=" open-block"; Esgonzo ibérico Estado de conservación Case ameazada Clasificaci...
Read more