Re: passwd hashing algorithm

John F. Haugh II (jfh@rpp386.cactus.org)
Fri, 21 Apr 95 7:09:41 CDT

> > > 1. 25 iterations of DES with the first 8 bytes of the
> > >    password as key, followed by 25 iterations of DES
> > >    with the second 8 bytes of password as key.
>    [ ... better version deleted ... ]
> > > (1) can be broken on a workstation with ~ 2^32 steps (and
> > > very little in the way of memory);
> > 
> > I've never seen anything resembling a convincing argument for this point.
> > 
> 
> Hrmm, well, I could give you the crypto explanation...do you
> want me to?  [Keywords: meet-in-the-middle, birthday attack]
> 
> If not, I issue you a challenge.  I've included a small
> program at the end which implements (1) using libdes:
> 
> $ ./newcrypt abcdefgh 12345678
> E7 B3 AF 1E D5 A8 34 10
> $ ./newcrypt xxxx yyyy
> 5D 4F 2F 99 F4  1 69 B3
> 
> Compile it with libdes.a and make sure you get the same
> output for the test data above (for portability).  Pick
> your own two password strings (at most 8 bytes long each)
> and send or post the output of the program.
> 
> I'll find two password strings of my own which give the
> same output (but they're *not* necessarily the same as your
> two strings: they just produce the same hash!).
 
Now that I've had time to read what you've written here, you've attacked
something completely different from what you appear to have described
earlier.  Shadow's long password scheme appends the output of each round
of crypt() to the output for the previous rounds.  Your function uses
0 as the initial key (same as UNIX crypt), but the output of the previous
round as the initial key for the second round (not the same) and produces
a single 8 byte result.  That I will gladly concede is useless.

> Sorry to the rest of you bugtraq folks: I would be taking
> this to personal email, except for the fact that someone
> actually uses the broken scheme -- yikes! -- that's my ObBug.

So far the planet is safe -- no one does this that I know of ...
-- 
John F. Haugh II  [ NRA-ILA ] [ Kill Barney ] !'s: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 251-2151 [GOP][DoF #17][PADI][ENTJ]   @'s: jfh@rpp386.cactus.org
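
Added example, not part of the original message or of any Shadow or libdes code: a toy 16-bit Feistel cipher stands in for DES (an assumption, as are all function names and the sample keys) to show the meet-in-the-middle match against the chained, single-block construction, and that the matching key pair does not carry over to the appending construction.

```python
import hashlib

ROUNDS, ITER = 4, 25  # toy Feistel rounds; 25 iterations as in scheme (1)

def _f(half, key, rnd):
    # Toy round function (assumption): one byte of SHA-256 over half, round, key.
    return hashlib.sha256(bytes([half, rnd]) + key.to_bytes(4, "big")).digest()[0]

def enc(block, key):
    l, r = block >> 8, block & 0xFF
    for rnd in range(ROUNDS):
        l, r = r, l ^ _f(r, key, rnd)
    return (l << 8) | r

def dec(block, key):
    l, r = block >> 8, block & 0xFF
    for rnd in reversed(range(ROUNDS)):
        l, r = r ^ _f(l, key, rnd), l
    return (l << 8) | r

def iterate(fn, block, key):
    for _ in range(ITER):
        block = fn(block, key)
    return block

def chained_hash(k1, k2):
    # Scheme (1): the second half is keyed over the first half's output; one block out.
    return iterate(enc, iterate(enc, 0, k1), k2)

def concat_hash(k1, k2):
    # Appending construction: each half hashed on its own, outputs concatenated.
    return (iterate(enc, 0, k1), iterate(enc, 0, k2))

def find_equivalent(target, n_forward=1024, n_backward=1 << 16):
    # Forward table: middle value reached from block 0 under each candidate k1.
    middle = {iterate(enc, 0, k1): k1 for k1 in range(n_forward)}
    # Walk backward from the stored hash under each candidate k2 until the halves meet.
    for k2 in range(n_backward):
        mid = iterate(dec, target, k2)
        if mid in middle:
            return middle[mid], k2
    return None

if __name__ == "__main__":
    victim = (0xC0FFEE, 0xBADA55)  # constructed sample keys, outside the search range
    pair = find_equivalent(chained_hash(*victim))
    print(pair, chained_hash(*pair) == chained_hash(*victim),
          concat_hash(*pair) == concat_hash(*victim))
```

The search touches about a thousand forward keys and a few dozen backward keys against a 16-bit block, so the work tracks the block size rather than the combined key length of the two halves.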