-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-Certificate:
 MIIBwDCCAWoCEQC43J7oZ50NWTRSVBShvvaXMA0GCSqGSIb3DQEBAgUAMFkxCzAJ
 BgNVBAYTAlVTMRgwFgYDVQQKEw9TZWN1cmVXYXJlIEluYy4xFzAVBgNVBAsTDlNl
 Y3VyZVdhcmUgUENBMRcwFQYDVQQLEw5FbmdpbmVlcmluZyBDQTAeFw05NDA0MDUx
 NzA2NDJaFw05NTA0MDUxNzA2NDJaMHAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9T
 ZWN1cmVXYXJlIEluYy4xFzAVBgNVBAsTDlNlY3VyZVdhcmUgUENBMRcwFQYDVQQL
 Ew5FbmdpbmVlcmluZyBDQTEVMBMGA1UEAxMMQ2hhcmxlcyBXYXR0MFkwCgYEVQgB
 AQICAgQDSwAwSAJBDNmUqe2+nqg6iuUWzxaXegxki426RzmVNO6VHHYCV4nbo/WL
 X9a7Jn/2nWqZUK/l+RXqCHU/21Ur9jFIt4GNHhcCAwEAATANBgkqhkiG9w0BAQIF
 AANBAEY6kP5jHqK9B9PhZCCJ9mckYuKMufWr7l61LulXGwUTqFzjFC0MOYwXo5s+
 8lqrLQ7YpTzyE74pKR1cl5TAUU4=
Issuer-Certificate:
 MIIBkDCCAToCEQCFP7oDPZq0SSDfetbu5nSkMA0GCSqGSIb3DQEBAgUAMEAxCzAJ
 BgNVBAYTAlVTMRgwFgYDVQQKEw9TZWN1cmVXYXJlIEluYy4xFzAVBgNVBAsTDlNl
 Y3VyZVdhcmUgUENBMB4XDTk0MDQwNTE3MDQyM1oXDTk1MDQwNTE3MDQyM1owWTEL
 MAkGA1UEBhMCVVMxGDAWBgNVBAoTD1NlY3VyZVdhcmUgSW5jLjEXMBUGA1UECxMO
 U2VjdXJlV2FyZSBQQ0ExFzAVBgNVBAsTDkVuZ2luZWVyaW5nIENBMFkwCgYEVQgB
 AQICAgADSwAwSAJBAL4Od/KxhOB6HyUbBJC2X6Ic2P0XEcGnddzJ1QEHjSFyx5qz
 n098ScMWDEJSiwrsVmQFbNvN01hkke7ZE21aG5sCAwEAATANBgkqhkiG9w0BAQIF
 AANBAIBzwWRF5SkoGAdcliVyog2caFtsPrq7lyBIp562B+ckFNderoDTc+JW+i4f
 MhnY9Q9I2KrlZV4GqcpZ+GjAeNk=
MIC-Info: RSA-MD5,RSA,
 A+NGxT8ahv/jKOs0lP+6i3d6Ca3uEYkVHkuVoKmxgH2pFTwe7hBur+HfN6OE8l3n
 93IKqWV83/oAr2Cxxou7PfA=
X-Sensitivity-Label: 1,CMW+3.0/SCO_2.1/sware.com,UNCLASSIFIED
X-Information-Label: 1,CMW+3.0/SCO_2.1/sware.com,UNCLASSIFIED

> > > > SecureWare uses a mechanism similar to this and it is part of one of
> > > > their security offerings. I've used a slightly different, but similar,
> > > > approach for several years
>
> > > We do not. See below.
>
> I think the confusion lies in "similar". Otherwise, I stand by my
> remarks, source code samples from you notwithstanding.

...

> Meaning that your password was created when crypt() returned
> "8F0Ovkj7jA9jE" then "jE.ofsJ4MaIt6". If the guy with the crypt() attack
> was serious, he should be able to generate a pair of keys which will
> produce your encrypted password.

Yes, but your original message was not specific as to the resulting hash
output. Both David Wagner and I understood you to mean that the resulting
hash was still only 8 bytes. This was the cause of the potential security
hole that he outlined, which made an attack significantly easier than
searching a single 8-byte hash space. The resulting exchange of messages
strongly implied that SecureWare's products contained such a security
hole. I was merely stating that our product does not contain this specific
security hole (or any other of which I am aware :-)).

Our implementation is equivalent to serially searching N 8-byte password
hash spaces, where N is the number of 8-byte blocks (not limited to two)
in the password (except, perhaps, for the final block). Of course, it
would be even better if they had to crack a single 8*N byte password hash
space, but as has been pointed out several times to this list, this should
best be done using a real hash function.

Charlie Watt
SecureWare, Inc.
-----END PRIVACY-ENHANCED MESSAGE-----
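The construction argued over above, written out as an added example that is not part of the thread and not SecureWare's code. It models the chained-crypt scheme the quoted line describes (each 8-byte block hashed by crypt(), the next block salted with the last two characters of the previous output, outputs concatenated) beside the alternative Charlie recommends (one real hash over the whole password), and computes the "serial N spaces" versus "single 8*N space" work factors from his reply. `toy_crypt` is an assumed stand-in for DES crypt(3) built on SHA-256 so the code runs without the removed `crypt` module; the 52-bit per-block estimate is likewise an assumption, not a figure from the thread.

```python
import hashlib
import math

BLOCK = 8  # bytes of password that one classic crypt(3) call consumes

# crypt-style output alphabet (./0-9A-Za-z); used only to shape toy_crypt output
_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def toy_crypt(block: bytes, salt: str) -> str:
    """Assumed stand-in for crypt(3): NOT DES crypt, just SHA-256 shaped like it.

    Keeps the two properties that matter for the thread: the 2-char salt is
    echoed as the output prefix, and only the first 8 bytes of input count.
    """
    assert len(salt) == 2
    digest = hashlib.sha256(salt.encode() + block[:BLOCK]).digest()
    return salt + "".join(_ALPHABET[b & 63] for b in digest[:11])


def chained_crypt(password: bytes, salt: str) -> str:
    """Hash a long password as a chain of independent 8-byte crypt blocks.

    Block i+1 is salted with the last two characters of block i's output
    (the "...jA9jE" then "jE.ofsJ4MaIt6" pattern quoted in the thread), and
    the 13-char outputs are concatenated.  Because block i's output depends
    only on blocks 0..i, the search cost is the sum of N per-block spaces.
    """
    out = []
    for i in range(0, max(len(password), 1), BLOCK):
        out.append(toy_crypt(password[i:i + BLOCK], salt))
        salt = out[-1][-2:]  # chain: next salt comes from previous output
    return "".join(out)


def whole_password_hash(password: bytes, salt: bytes, rounds: int = 100_000) -> str:
    """The alternative the thread prefers: one real hash over the entire
    password, so there is a single 8*N-byte space rather than N 8-byte ones."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, rounds).hex()


def keyspace_bits(n_blocks: int, bits_per_block: int = 52) -> dict:
    """log2 of candidates an exhaustive search must try for each design.

    serial_blocks: N spaces of 2**k each, searched one after another -> N*2**k
    single_space:  one space of 2**(N*k)
    bits_per_block=52 is a rough printable-ASCII estimate (assumption).
    """
    return {
        "serial_blocks": math.log2(n_blocks) + bits_per_block,
        "single_space": n_blocks * bits_per_block,
    }


def verify_chained(password: bytes, stored: str) -> bool:
    """Constant-time style comparison of a chained hash; salt is the prefix."""
    return hashlib.sha256(chained_crypt(password, stored[:2]).encode()).digest() == \
        hashlib.sha256(stored.encode()).digest()


if __name__ == "__main__":
    pw = b"correct horse battery"  # constructed 21-byte sample password
    h = chained_crypt(pw, "ab")
    print("chained:", h)
    print("first block alone:", h[:13] == toy_crypt(pw[:8], "ab"))
    for n in (1, 2, 4):
        print(n, keyspace_bits(n))
```

The assertion worth keeping in mind is the one the example makes explicit: the first 13 characters of the chained hash equal `toy_crypt` of the first 8 bytes alone, so each block can be attacked without knowing the rest, which is exactly why the work is N times one block's space rather than one block's space to the power N. The `keyspace_bits` table shows the gap growing from about 53 bits to 104 bits already at N = 2.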