Re: passwd hashing algorithm

David A. Wagner (dawagner@phoenix.Princeton.EDU)
Mon, 17 Apr 1995 17:35:19 -0400 (EDT)

Just one trivial elaboration on an informative message from
Steve Bellovin:
> 
>                          There's only one facet of triple DES that's
> at all useful here:  it provides an easy way to accept longer passwords.
> But as I've noted, there are other ways to do that.  (Double DES is
> most likely quite sufficient if you want to pursue that route, though;
> few people are going to use passwords longer than 16 characters, and
> the attacks on double DES described in the cryptographic literature
> require O(2^55) storage, if I recall correctly -- I may be off by a
> factor or so of 2.)
> 

If anyone actually plans to use double DES (or triple DES)
for hashing passwords (which I don't recommend), be aware
that there's a huge difference between:

1. 25 iterations of DES with the first 8 bytes of the
   password as key, followed by 25 iterations of DES
   with the second 8 bytes of password as key.

2. repeat 25 times:
     an iteration of DES with the first 8 bytes of the
     password as key, followed by an iteration of DES
     with the second 8 bytes of password as key.

(1) can be broken on a workstation with ~ 2^32 steps (and
very little in the way of memory); (2) is probably very
strong.  The same comment goes for triple DES.

The moral of the story?  If you wanna hash a long string,
use a hash function (i.e. MD5), not a block cipher; or
else be very careful. :-)

-------------------------------------------------------------------------------
David Wagner                                             dawagner@princeton.edu
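
Added example, not part of the original message: a Python sketch of constructions (1) and (2) showing the structural difference between them. In (1) the two password halves never mix, so the state after the first 25 iterations can be computed from either end using one half alone; in (2) it cannot. The toy Feistel cipher (a stand-in for DES), the all-zero starting block, the NUL padding and all function names are assumptions made for illustration.

```python
import hashlib

# Toy 64-bit Feistel cipher standing in for DES (constructed; NOT DES, no security value).
def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, block):
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def decrypt(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def split(password):
    padded = password.ljust(16, b"\0")[:16]   # assumed NUL padding to 16 bytes
    return padded[:8], padded[8:]

def repeat(fn, key, block, n=25):
    for _ in range(n):
        block = fn(key, block)
    return block

def scheme1(password):
    """(1): 25 iterations under the first half, then 25 under the second."""
    k1, k2 = split(password)
    return repeat(encrypt, k2, repeat(encrypt, k1, bytes(8)))

def scheme2(password):
    """(2): 25 times, one iteration under each half in turn."""
    k1, k2 = split(password)
    block = bytes(8)                           # assumed all-zero starting block
    for _ in range(25):
        block = encrypt(k2, encrypt(k1, block))
    return block

def halves_separate(hash_fn, password):
    """True if start->(first half only) equals hash->(second half only)."""
    k1, k2 = split(password)
    forward = repeat(encrypt, k1, bytes(8))
    backward = repeat(decrypt, k2, hash_fn(password))
    return forward == backward
```

halves_separate(scheme1, pw) is True for every password, while for scheme2 it is False: no intermediate state there depends on only one half of the password.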