Re: passwd hashing algorithm

Paul C Leyland (pcl@foo.oucs.ox.ac.uk)
Wed, 19 Apr 1995 12:34:22 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Mr Martin J Hargreaves: "Re: HTTPD bug"
Previous message: Richard Allen: "AntiFlash talkd"
Maybe in reply to: Dave Stagner: "passwd hashing algorithm"
Next in thread: Paul C Leyland: "Re: passwd hashing algorithm"

David Wagner, dawagner@princeton.edu, wrote:

> Just one trivial elaboration on an informative message from
> Steve Bellovin:
> > 
> >                          There's only one facet of triple DES that's
> > at all useful here:  it provides an easy way to accept longer passwords.
> > But as I've noted, there are other ways to do that.  (Double DES is
> > most likely quite sufficient if you want to pursue that route, though;
> > few people are going to use passwords longer than 16 characters, and
> > the attacks on double DES described in the cryptographic literature
> > require O(2^55) storage, if I recall correctly -- I may be off by a
> > factor or so of 2.)
> > 
> 
> If anyone actually plans to use double DES (or triple DES)
> for hashing passwords (which I don't recommend), be aware
> that there's a huge difference between:
> 
> 1. 25 iterations of DES with the first 8 bytes of the
>    password as key, followed by 25 iterations of DES
>    with the second 8 bytes of password as key.

This is essentially how DEC's C2-security in OSF/1 works for passwords
9-16 characters long.  A further weakness is that the output of
bigcrypt() gives the length of the plaintext password in units of 8
characters!  So if ever you can get hold of the password file, you can
concentrate on the easy cases.  In particular, it might be worth while
making a complete table of all common suffices and then searching the
9-16 character portions for matches.

The old crypt16(), from Ultrix and supported as a migration tool in
OSF/1 was even worse.  It used 20 rounds on one block and 5 on the
second, making password searching even faster than traditional
crypt().  I wrote the mods. for Crack to use crypt16().  The suffix
attack works like a dream -- 5 times faster than regular Crack -- and
concentrating on the <9 char. passwords goes in 80% of the time.  DEC
screwed up badly there.
> 
> 2. repeat 25 times:
>      an iteration of DES with the first 8 bytes of the
>      password as key, followed by an iteration of DES
>      with the second 8 bytes of password as key.
> 
> (1) can be broken on a workstation with ~ 2^32 steps (and
> very little in the way of memory); (2) is probably very
> strong.  The same comment goes for triple DES.

But still not strong enough.  Password guessing will work in many
cases because people will still choose guessable passwords, unless you
have a fascist password program.  If you have one of those,
traditional crypt is still adequate, IMO.

> The moral of the story?  If you wanna hash a long string,
> use a hash function (i.e. MD5), not a block cipher; or
> else be very careful. :-)

IMO, you should do both.


Paul

Next message: Mr Martin J Hargreaves: "Re: HTTPD bug"
Previous message: Richard Allen: "AntiFlash talkd"
Maybe in reply to: Dave Stagner: "passwd hashing algorithm"
Next in thread: Paul C Leyland: "Re: passwd hashing algorithm"