Just one trivial elaboration on an informative message from Steve Bellovin: > > There's only one facet of triple DES that's > at all useful here: it provides an easy way to accept longer passwords. > But as I've noted, there are other ways to do that. (Double DES is > most likely quite sufficient if you want to pursue that route, though; > few people are going to use passwords longer than 16 characters, and > the attacks on double DES described in the cryptographic literature > require O(2^55) storage, if I recall correctly -- I may be off by a > factor or so of 2.) > If anyone actually plans to use double DES (or triple DES) for hashing passwords (which I don't recommend), be aware that there's a huge difference between: 1. 25 iterations of DES with the first 8 bytes of the password as key, followed by 25 iterations of DES with the second 8 bytes of password as key. 2. repeat 25 times: an iteration of DES with the first 8 bytes of the password as key, followed by an iteration of DES with the second 8 bytes of password as key. (1) can be broken on a workstation with ~ 2^32 steps (and very little in the way of memory); (2) is probably very strong. The same comment goes for triple DES. The moral of the story? If you wanna hash a long string, use a hash function (i.e. MD5), not a block cipher; or else be very careful. :-) ------------------------------------------------------------------------------- David Wagner dawagner@princeton.edu