From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 18:24:06 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 71698106566B for ; Thu, 28 Jan 2010 18:24:06 +0000 (UTC) (envelope-from chris@noncombatant.org) Received: from strawberry.noncombatant.org (strawberry.noncombatant.org [64.142.6.126]) by mx1.freebsd.org (Postfix) with ESMTP id 54A828FC14 for ; Thu, 28 Jan 2010 18:24:06 +0000 (UTC) Received: by strawberry.noncombatant.org (Postfix, from userid 1002) id 48DEB31E2D18; Thu, 28 Jan 2010 10:24:13 -0800 (PST) Date: Thu, 28 Jan 2010 10:24:13 -0800 From: Chris Palmer To: freebsd-security@freebsd.org Message-ID: <20100128182413.GI892@noncombatant.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.2.3i Subject: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 18:24:06 -0000 See your copy of /usr/src/lib/libcrypt/crypt-md5.c: /* * and now, just to make sure things don't run too fast * On a 60 Mhz Pentium this takes 34 msec, so you would * need 30 seconds to build a 1000 entry dictionary... */ for(i = 0; i < 1000; i++) { MD5Init(&ctx1); if(i & 1) MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); else MD5Update(&ctx1, (const u_char *)final, MD5_SIZE); if(i % 3) MD5Update(&ctx1, (const u_char *)sp, (u_int)sl); if(i % 7) MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); if(i & 1) MD5Update(&ctx1, (const u_char *)final, MD5_SIZE); else MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); MD5Final(final, &ctx1); } This algorithm is still the default on FreeBSD 8. (Blowfish is available -- but has it been tuned for slowness either? I have not checked.) The purpose of these functions is to be slow, but the above has not been slow for years. Hence this patch: --- crypt.h.orig 2010-01-28 10:14:50.000000000 -0800 +++ crypt.h 2010-01-28 10:17:49.000000000 -0800 @@ -32,6 +32,9 @@ #define MD4_SIZE 16 #define MD5_SIZE 16 +/* As processors get faster, increase this. 1000 was good on a Pentium 60. */ +#define MD5_SLOW 100000 + char *crypt_des(const char *pw, const char *salt); char *crypt_md5(const char *pw, const char *salt); char *crypt_nthash(const char *pw, const char *salt); --- crypt-md5.c.orig 2010-01-28 10:18:03.000000000 -0800 +++ crypt-md5.c 2010-01-28 10:19:00.000000000 -0800 @@ -107,10 +107,10 @@ /* * and now, just to make sure things don't run too fast - * On a 60 Mhz Pentium this takes 34 msec, so you would + * On a 60 Mhz Pentium MD5_SLOW = 1000 takes 34 msec, so you would * need 30 seconds to build a 1000 entry dictionary... */ - for(i = 0; i < 1000; i++) { + for(i = 0; i < MD5_SLOW; i++) { MD5Init(&ctx1); if(i & 1) MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 18:54:11 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A9D20106568B for ; Thu, 28 Jan 2010 18:54:11 +0000 (UTC) (envelope-from wmoran@collaborativefusion.com) Received: from mx00.pub.collaborativefusion.com (mx00.pub.collaborativefusion.com [206.210.89.199]) by mx1.freebsd.org (Postfix) with ESMTP id 863A28FC2B for ; Thu, 28 Jan 2010 18:54:11 +0000 (UTC) Received: from localhost (overdrive.ws.pitbpa0.priv.collaborativefusion.com [192.168.2.162]) (SSL: TLSv1/SSLv3,256bits,AES256-SHA) by wingspan with esmtp; Thu, 28 Jan 2010 13:54:10 -0500 id 0003F409.000000004B61DD52.0000951A Date: Thu, 28 Jan 2010 13:54:10 -0500 From: Bill Moran To: Chris Palmer Message-Id: <20100128135410.7b6fe154.wmoran@collaborativefusion.com> In-Reply-To: <20100128182413.GI892@noncombatant.org> References: <20100128182413.GI892@noncombatant.org> Organization: Collaborative Fusion Inc. X-Mailer: Sylpheed 2.7.1 (GTK+ 2.18.5; i386-portbld-freebsd7.2) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 18:54:11 -0000 I'm sure someone will correct me if I'm wrong, but you can't do this without establishing this as an entirely new algorithm. The hashes generated after your patch will not be compatible with existing password files, thus anyone who applies this will be unable to log in. Have you tried it? In response to Chris Palmer : > See your copy of /usr/src/lib/libcrypt/crypt-md5.c: > > /* > * and now, just to make sure things don't run too fast > * On a 60 Mhz Pentium this takes 34 msec, so you would > * need 30 seconds to build a 1000 entry dictionary... > */ > for(i = 0; i < 1000; i++) { > MD5Init(&ctx1); > if(i & 1) > MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); > else > MD5Update(&ctx1, (const u_char *)final, MD5_SIZE); > > if(i % 3) > MD5Update(&ctx1, (const u_char *)sp, (u_int)sl); > > if(i % 7) > MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); > > if(i & 1) > MD5Update(&ctx1, (const u_char *)final, MD5_SIZE); > else > MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); > MD5Final(final, &ctx1); > } > > This algorithm is still the default on FreeBSD 8. (Blowfish is available -- > but has it been tuned for slowness either? I have not checked.) The purpose > of these functions is to be slow, but the above has not been slow for years. > Hence this patch: > > > --- crypt.h.orig 2010-01-28 10:14:50.000000000 -0800 > +++ crypt.h 2010-01-28 10:17:49.000000000 -0800 > @@ -32,6 +32,9 @@ > #define MD4_SIZE 16 > #define MD5_SIZE 16 > > +/* As processors get faster, increase this. 1000 was good on a Pentium 60. */ > +#define MD5_SLOW 100000 > + > char *crypt_des(const char *pw, const char *salt); > char *crypt_md5(const char *pw, const char *salt); > char *crypt_nthash(const char *pw, const char *salt); > > > --- crypt-md5.c.orig 2010-01-28 10:18:03.000000000 -0800 > +++ crypt-md5.c 2010-01-28 10:19:00.000000000 -0800 > @@ -107,10 +107,10 @@ > > /* > * and now, just to make sure things don't run too fast > - * On a 60 Mhz Pentium this takes 34 msec, so you would > + * On a 60 Mhz Pentium MD5_SLOW = 1000 takes 34 msec, so you would > * need 30 seconds to build a 1000 entry dictionary... > */ > - for(i = 0; i < 1000; i++) { > + for(i = 0; i < MD5_SLOW; i++) { > MD5Init(&ctx1); > if(i & 1) > MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" -- Bill Moran Collaborative Fusion Inc. http://people.collaborativefusion.com/~wmoran/ wmoran@collaborativefusion.com Phone: 412-422-3463x4023 **************************************************************** IMPORTANT: This message contains confidential information and is intended only for the individual named. If the reader of this message is not an intended recipient (or the individual responsible for the delivery of this message to an intended recipient), please be advised that any re-use, dissemination, distribution or copying of this message is prohibited. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. **************************************************************** From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 19:39:34 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 86BE1106566C for ; Thu, 28 Jan 2010 19:39:34 +0000 (UTC) (envelope-from chris@noncombatant.org) Received: from strawberry.noncombatant.org (strawberry.noncombatant.org [64.142.6.126]) by mx1.freebsd.org (Postfix) with ESMTP id 6BEFC8FC18 for ; Thu, 28 Jan 2010 19:39:34 +0000 (UTC) Received: by strawberry.noncombatant.org (Postfix, from userid 1002) id AC88431E2C66; Thu, 28 Jan 2010 11:39:41 -0800 (PST) Date: Thu, 28 Jan 2010 11:39:41 -0800 From: Chris Palmer To: freebsd-security@freebsd.org, Bill Moran Message-ID: <20100128193941.GK892@noncombatant.org> References: <20100128182413.GI892@noncombatant.org> <20100128135410.7b6fe154.wmoran@collaborativefusion.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20100128135410.7b6fe154.wmoran@collaborativefusion.com> User-Agent: Mutt/1.4.2.3i Cc: Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 19:39:34 -0000 Bill Moran writes: > I'm sure someone will correct me if I'm wrong, but you can't do this > without establishing this as an entirely new algorithm. The hashes > generated after your patch will not be compatible with existing password > files, thus anyone who applies this will be unable to log in. Have you > tried it? Yes, which is why I reset my passwords after doing "make install", which worked fine. I suppose I should have mentioned that in the first message. :) People installing the OS fresh won't need to take this step. Note that 1,000 is simply too low -- the security value of PHK's scheme is lost as computers increase in speed. Therefore, taking a minute to update my passwords is acceptable to me. Since there is 0 cost for people installing fresh, there is no reason not to do it. The blowfish algorithm should also be similarly tuned. From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 19:56:28 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 083061065672 for ; Thu, 28 Jan 2010 19:56:28 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from tarsier.geekcn.org (tarsier.geekcn.org [IPv6:2001:470:a803::1]) by mx1.freebsd.org (Postfix) with ESMTP id A122E8FC1E for ; Thu, 28 Jan 2010 19:56:27 +0000 (UTC) Received: from mail.geekcn.org (tarsier.geekcn.org [211.166.10.233]) by tarsier.geekcn.org (Postfix) with ESMTP id A7D17A5D1BE; Fri, 29 Jan 2010 03:56:26 +0800 (CST) X-Virus-Scanned: amavisd-new at geekcn.org Received: from tarsier.geekcn.org ([211.166.10.233]) by mail.geekcn.org (mail.geekcn.org [211.166.10.233]) (amavisd-new, port 10024) with LMTP id SpOjKYm50JRz; Fri, 29 Jan 2010 03:56:19 +0800 (CST) Received: from delta.delphij.net (drawbridge.ixsystems.com [206.40.55.65]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by tarsier.geekcn.org (Postfix) with ESMTPSA id A67DCA5D155; Fri, 29 Jan 2010 03:56:18 +0800 (CST) DomainKey-Signature: a=rsa-sha1; s=default; d=delphij.net; c=nofws; q=dns; h=message-id:date:from:reply-to:organization:user-agent: mime-version:to:subject:references:in-reply-to:x-enigmail-version:openpgp: content-type:content-transfer-encoding; b=uB0Dbb2khtRBhC3+fhgf98Lq0DwZuTMDwqKI8gpCKAXcfC2GYWHe1oXiKZu17djlH 6QgEDUzBjCou5nRk1k2ag== Message-ID: <4B61EBDE.1040604@delphij.net> Date: Thu, 28 Jan 2010 11:56:14 -0800 From: Xin LI Organization: The Geek China Organization User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.9.1.7) Gecko/20100122 Thunderbird/3.0.1 ThunderBrowse/3.2.8.1 MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <20100128182413.GI892@noncombatant.org> In-Reply-To: <20100128182413.GI892@noncombatant.org> X-Enigmail-Version: 1.0 OpenPGP: id=3FCA37C1; url=http://www.delphij.net/delphij.asc Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: d@delphij.net List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 19:56:28 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Chris, On 2010/01/28 10:24, Chris Palmer wrote: > See your copy of /usr/src/lib/libcrypt/crypt-md5.c: I'd appreciate your effort put into this but I feel necessary to say something on this topic. The slowness was useful at the time when the code was written, but I don't think it would buy us as much nowadays, expect the slowness be halved from time to time, not to mention the use of distributed techniques to accelerate the build of dictionaries. Second, recent research has shown MD5 to be vulnerable to collision attacks [1] by the end of 2008. It's time to switch to some better algorithm, maybe something like Skein, etc... [1] http://www.kb.cert.org/vuls/id/836068 - -- Xin LI http://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (FreeBSD) iQEcBAEBAgAGBQJLYeveAAoJEATO+BI/yjfBWzkH/icNHpEr5w/ulBlKe/fr/4Uo +ZrGj7SixbL4g6yLPd79JKoJpFZEdMlY9AnLTr3QT0/OwKyySwVXg7Fh+7LA3r+4 DqE4N2pZfIqD6maS7ccF6Yp+2JAN9BJG7O73W6fEhm0mRTPkdLWMnB1gMx6DymQh NQvx41QADmiN3jq6DapFJhQRDwFcxFzCsyg3eZ0nIwaCP+72HBPCEKEPro1JtLSF sm0uf0TIyaGTgMe4xcjtwdlRtMmNA0V5yZwGHOcW09cuxxt3n79BA2RrPVz/+6Tr KIa6LhNzoF1Eb4wfCSrSu2c4a6nM6+FSGT5fdpx/jkfr125W7sQYZuEVNzPWuxU= =LuLY -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 20:02:13 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B0341106566C for ; Thu, 28 Jan 2010 20:02:13 +0000 (UTC) (envelope-from fj@fj.batmule.dk) Received: from fj.batmule.dk (cl-99.cph-01.dk.sixxs.net [IPv6:2001:16d8:dd00:62::2]) by mx1.freebsd.org (Postfix) with ESMTP id 3F6958FC16 for ; Thu, 28 Jan 2010 20:02:12 +0000 (UTC) Received: from fj.batmule.dk (localhost [127.0.0.1]) by fj.batmule.dk (8.14.3/8.14.3) with ESMTP id o0SK1lX5007714 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 28 Jan 2010 21:01:47 +0100 (CET) (envelope-from fj@fj.batmule.dk) Received: (from fj@localhost) by fj.batmule.dk (8.14.3/8.14.3/Submit) id o0SK1lgv007713; Thu, 28 Jan 2010 21:01:47 +0100 (CET) (envelope-from fj) Date: Thu, 28 Jan 2010 21:01:47 +0100 From: Flemming Jacobsen To: d@delphij.net Message-ID: <20100128200147.GI5215@fj.batmule.dk> References: <20100128182413.GI892@noncombatant.org> <4B61EBDE.1040604@delphij.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4B61EBDE.1040604@delphij.net> User-Agent: Mutt/1.4.2.3i X-Operating-System: FreeBSD 7.2-STABLE i386 X-PGPkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDCC399C7 Cc: freebsd-security@freebsd.org Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 20:02:13 -0000 Xin LI wrote: > Second, recent research has shown MD5 to be vulnerable to collision > attacks [1] by the end of 2008. Uhmm. That is totally irrelevant in this context. Regards, Flemming -- Flemming Jacobsen Email: fj@batmule.dk "The chief obstacle to the progress of the human race is the human race." -- Don Marquis From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 20:10:27 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7D2EE106566B for ; Thu, 28 Jan 2010 20:10:27 +0000 (UTC) (envelope-from wmoran@collaborativefusion.com) Received: from mx00.pub.collaborativefusion.com (mx00.pub.collaborativefusion.com [206.210.89.199]) by mx1.freebsd.org (Postfix) with ESMTP id 2F0E88FC14 for ; Thu, 28 Jan 2010 20:10:26 +0000 (UTC) Received: from localhost (overdrive.ws.pitbpa0.priv.collaborativefusion.com [192.168.2.162]) (SSL: TLSv1/SSLv3,256bits,AES256-SHA) by wingspan with esmtp; Thu, 28 Jan 2010 15:10:26 -0500 id 0003F405.000000004B61EF32.0000AA1F Date: Thu, 28 Jan 2010 15:10:26 -0500 From: Bill Moran To: Chris Palmer Message-Id: <20100128151026.5738b6c1.wmoran@collaborativefusion.com> In-Reply-To: <20100128193941.GK892@noncombatant.org> References: <20100128182413.GI892@noncombatant.org> <20100128135410.7b6fe154.wmoran@collaborativefusion.com> <20100128193941.GK892@noncombatant.org> Organization: Collaborative Fusion Inc. X-Mailer: Sylpheed 2.7.1 (GTK+ 2.18.5; i386-portbld-freebsd7.2) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 20:10:27 -0000 In response to Chris Palmer : > Bill Moran writes: > > > I'm sure someone will correct me if I'm wrong, but you can't do this > > without establishing this as an entirely new algorithm. The hashes > > generated after your patch will not be compatible with existing password > > files, thus anyone who applies this will be unable to log in. Have you > > tried it? > Since there is 0 cost for people installing > fresh, there is no reason not to do it. Are you volunteering to handle all the complaints from all the people who want to upgrade their systems without reinstalling? This would also introduce a complete incompatibility between systems. I, for one, frequently copy password files from one system to another. I expect $1$ to be compatible on all systems. If a new algorithm is to be used, why even start with md5? Why not start with something that's inherently stronger and more CPU intensive? >From there, assign it a new algorithm number. See the "Modular Crypt" section of crypt(3). Then compatibility is maintained. -- Bill Moran Collaborative Fusion Inc. http://people.collaborativefusion.com/~wmoran/ From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 20:10:53 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 85CE1106566B for ; Thu, 28 Jan 2010 20:10:53 +0000 (UTC) (envelope-from chris@noncombatant.org) Received: from strawberry.noncombatant.org (strawberry.noncombatant.org [64.142.6.126]) by mx1.freebsd.org (Postfix) with ESMTP id 6969E8FC14 for ; Thu, 28 Jan 2010 20:10:53 +0000 (UTC) Received: by strawberry.noncombatant.org (Postfix, from userid 1002) id B0E2331E2D5D; Thu, 28 Jan 2010 12:11:00 -0800 (PST) Date: Thu, 28 Jan 2010 12:11:00 -0800 From: Chris Palmer To: d@delphij.net, freebsd-security@freebsd.org Message-ID: <20100128201100.GO892@noncombatant.org> References: <20100128182413.GI892@noncombatant.org> <4B61EBDE.1040604@delphij.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4B61EBDE.1040604@delphij.net> User-Agent: Mutt/1.4.2.3i Cc: Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 20:10:53 -0000 Xin LI writes: > The slowness was useful at the time when the code was written, but I don't > think it would buy us as much nowadays, expect the slowness be halved from > time to time, not to mention the use of distributed techniques to > accelerate the build of dictionaries. The goal is to make the attacker *have* to use distributed techniques and to buy more gear, rather than simply be able to brute them all in a few minutes on a single cheap PC. MD5_SLOW is the factor by which you increase the attacker's cost; it is easy for the defender to go very high here because checking any one password is still fast. Distributed attacks existed when PHK wrote the code originally, too -- I don't think anything has fundamentally changed since then. Attackers use arrays of GPUs now? Ok, increase MD5_SLOW some more. > Second, recent research has shown MD5 to be vulnerable to collision > attacks [1] by the end of 2008. I'm not sure that attack against MD5 is relevant here, because we're not using it in a way where collisions hurt. (Someone correct me if I'm wrong.) In fact, moving to a modern hash would weaken the defense, because e.g. Skein is brilliantly fast -- the opposite of our goal. See also: http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html """The major advantage of adaptive hashing is that you get to tune it. As computers get faster, the same block of code continues to produce passwords that are hard to crack.""" From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 20:18:50 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0BC99106566B for ; Thu, 28 Jan 2010 20:18:50 +0000 (UTC) (envelope-from chris@noncombatant.org) Received: from strawberry.noncombatant.org (strawberry.noncombatant.org [64.142.6.126]) by mx1.freebsd.org (Postfix) with ESMTP id E6F428FC1A for ; Thu, 28 Jan 2010 20:18:49 +0000 (UTC) Received: by strawberry.noncombatant.org (Postfix, from userid 1002) id 378D631E2C6A; Thu, 28 Jan 2010 12:18:57 -0800 (PST) Date: Thu, 28 Jan 2010 12:18:57 -0800 From: Chris Palmer To: freebsd-security@freebsd.org Message-ID: <20100128201857.GP892@noncombatant.org> References: <20100128182413.GI892@noncombatant.org> <20100128135410.7b6fe154.wmoran@collaborativefusion.com> <20100128193941.GK892@noncombatant.org> <20100128151026.5738b6c1.wmoran@collaborativefusion.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20100128151026.5738b6c1.wmoran@collaborativefusion.com> User-Agent: Mutt/1.4.2.3i Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 20:18:50 -0000 For backwards compatibility, which do people prefer: Creating a new $N$ prefix every time we re-tune the algorithm, or using a new notation to say how many times this password was hashed? For example: $1.1000$, $1.100000$, et c.? I prefer the latter. It can work with Blowfish, too, and anything else people come up with in the future. From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 20:22:52 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A9D1C106566C for ; Thu, 28 Jan 2010 20:22:52 +0000 (UTC) (envelope-from cswiger@mac.com) Received: from asmtpout026.mac.com (asmtpout026.mac.com [17.148.16.101]) by mx1.freebsd.org (Postfix) with ESMTP id 91ADE8FC0C for ; Thu, 28 Jan 2010 20:22:52 +0000 (UTC) MIME-version: 1.0 Content-transfer-encoding: 7BIT Content-type: text/plain; charset=us-ascii Received: from cswiger1.apple.com ([17.209.4.71]) by asmtp026.mac.com (Sun Java(tm) System Messaging Server 6.3-8.01 (built Dec 16 2008; 32bit)) with ESMTPSA id <0KWZ00CQM4LXWG30@asmtp026.mac.com> for freebsd-security@freebsd.org; Thu, 28 Jan 2010 12:22:52 -0800 (PST) X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 phishscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx engine=5.0.0-0908210000 definitions=main-1001280172 From: Chuck Swiger In-reply-to: <20100128151026.5738b6c1.wmoran@collaborativefusion.com> Date: Thu, 28 Jan 2010 12:22:45 -0800 Message-id: <765BF30E-49B7-4EDB-A1FC-41D72AEE1EAA@mac.com> References: <20100128182413.GI892@noncombatant.org> <20100128135410.7b6fe154.wmoran@collaborativefusion.com> <20100128193941.GK892@noncombatant.org> <20100128151026.5738b6c1.wmoran@collaborativefusion.com> To: Bill Moran X-Mailer: Apple Mail (2.1077) Cc: Chris Palmer , freebsd-security@freebsd.org Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 20:22:52 -0000 Hi-- On Jan 28, 2010, at 12:10 PM, Bill Moran wrote: > This would also introduce a complete incompatibility between systems. > I, for one, frequently copy password files from one system to another. > I expect $1$ to be compatible on all systems. Exactly. Just like classic DES passwords were portable to all platforms. > If a new algorithm is to be used, why even start with md5? Why not > start with something that's inherently stronger and more CPU intensive? >> > From there, assign it a new algorithm number. See the "Modular Crypt" > section of crypt(3). Then compatibility is maintained. +1. We're probably fine with MD5 password hashes against all but extreme measures for some time to come, but adding SHA-1 and being ready for whatever algorithm(s) might be chosen by NIST for SHA-3 would be a fine thing to do. Regards, -- -Chuck From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 20:56:38 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id F02931065676 for ; Thu, 28 Jan 2010 20:56:38 +0000 (UTC) (envelope-from antoine.brodin.freebsd@gmail.com) Received: from mail-bw0-f213.google.com (mail-bw0-f213.google.com [209.85.218.213]) by mx1.freebsd.org (Postfix) with ESMTP id 801BC8FC08 for ; Thu, 28 Jan 2010 20:56:38 +0000 (UTC) Received: by bwz5 with SMTP id 5so950969bwz.3 for ; Thu, 28 Jan 2010 12:56:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:date:x-google-sender-auth:message-id:subject:from:to:cc :content-type; bh=XWYkIfheAanOk8f+rxN4he2n5ztV6bzN8yfVPSxJ4PI=; b=mzPg5+78CDkypFoGRqbDIXvckAfzJrkgppAi5v8h1RsKOVIuJgM9Mkz8A3MuYMUsnS BWAizzseOkZ0/kL0KGy0fejRifv/4vDyoi4BiD+ueb0uB2Rb0A8DvhDYrgj3otFl7YDW /TLljol74/3sMxlrlixVL6EY0IYVyK1Ta+fs8= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; b=nqLYv23n5OPOZ6j8+MEr6No+GEmC35LGqXgAQApvgzmJwiwiikV6aflyIwD9bfhnsn V3VCJN63IE3lvdW/6eF0rs1LQily9ImyIKeIh8DUOKmgaXDM1mH1VGezTdc7eOzP5nDk WGqKuuWP4e3wTducmMifenLWWGLIy93DHo1b4= MIME-Version: 1.0 Sender: antoine.brodin.freebsd@gmail.com Received: by 10.239.190.15 with SMTP id v15mr60207hbh.51.1264710599492; Thu, 28 Jan 2010 12:29:59 -0800 (PST) In-Reply-To: <20100128201857.GP892@noncombatant.org> References: <20100128182413.GI892@noncombatant.org> <20100128135410.7b6fe154.wmoran@collaborativefusion.com> <20100128193941.GK892@noncombatant.org> <20100128151026.5738b6c1.wmoran@collaborativefusion.com> <20100128201857.GP892@noncombatant.org> Date: Thu, 28 Jan 2010 21:29:59 +0100 X-Google-Sender-Auth: bf565ed967a8b5f1 Message-ID: From: Antoine Brodin To: Chris Palmer Content-Type: text/plain; charset=ISO-8859-1 Cc: freebsd-security@freebsd.org Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 20:56:39 -0000 On Thu, Jan 28, 2010 at 9:18 PM, Chris Palmer wrote: > For backwards compatibility, which do people prefer: Creating a new $N$ > prefix every time we re-tune the algorithm, or using a new notation to say > how many times this password was hashed? For example: $1.1000$, $1.100000$, > et c.? You may want to have a look at http://people.redhat.com/drepper/SHA-crypt.txt and freebsd PR 124164. Cheers, Antoine From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 21:06:20 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 988161065679 for ; Thu, 28 Jan 2010 21:06:20 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from tarsier.geekcn.org (tarsier.geekcn.org [IPv6:2001:470:a803::1]) by mx1.freebsd.org (Postfix) with ESMTP id 2BAD78FC08 for ; Thu, 28 Jan 2010 21:06:20 +0000 (UTC) Received: from mail.geekcn.org (tarsier.geekcn.org [211.166.10.233]) by tarsier.geekcn.org (Postfix) with ESMTP id EE028A5D3F1; Fri, 29 Jan 2010 05:06:18 +0800 (CST) X-Virus-Scanned: amavisd-new at geekcn.org Received: from tarsier.geekcn.org ([211.166.10.233]) by mail.geekcn.org (mail.geekcn.org [211.166.10.233]) (amavisd-new, port 10024) with LMTP id nt1C2NjYCK+F; Fri, 29 Jan 2010 05:06:10 +0800 (CST) Received: from delta.delphij.net (drawbridge.ixsystems.com [206.40.55.65]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by tarsier.geekcn.org (Postfix) with ESMTPSA id 2693EA5D377; Fri, 29 Jan 2010 05:06:08 +0800 (CST) DomainKey-Signature: a=rsa-sha1; s=default; d=delphij.net; c=nofws; q=dns; h=message-id:date:from:reply-to:organization:user-agent: mime-version:to:cc:subject:references:in-reply-to: x-enigmail-version:openpgp:content-type:content-transfer-encoding; b=aXo42ZT9RdMhHQIokNc0lZ6a0q8G8ByM0KaflNmN6say/cn9ZMzk8BQmWD/9fQzxg VQEGE5j6wgchipv63ZvGQ== Message-ID: <4B61FC3C.1050905@delphij.net> Date: Thu, 28 Jan 2010 13:06:04 -0800 From: Xin LI Organization: The Geek China Organization User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.9.1.7) Gecko/20100122 Thunderbird/3.0.1 ThunderBrowse/3.2.8.1 MIME-Version: 1.0 To: Chris Palmer References: <20100128182413.GI892@noncombatant.org> <4B61EBDE.1040604@delphij.net> <20100128201100.GO892@noncombatant.org> In-Reply-To: <20100128201100.GO892@noncombatant.org> X-Enigmail-Version: 1.0 OpenPGP: id=3FCA37C1; url=http://www.delphij.net/delphij.asc Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org, d@delphij.net Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: d@delphij.net List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 21:06:20 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2010/01/28 12:11, Chris Palmer wrote: > Xin LI writes: > >> The slowness was useful at the time when the code was written, but I don't >> think it would buy us as much nowadays, expect the slowness be halved from >> time to time, not to mention the use of distributed techniques to >> accelerate the build of dictionaries. > > The goal is to make the attacker *have* to use distributed techniques and to > buy more gear, rather than simply be able to brute them all in a few minutes > on a single cheap PC. MD5_SLOW is the factor by which you increase the > attacker's cost; it is easy for the defender to go very high here because > checking any one password is still fast. Distributed attacks existed when > PHK wrote the code originally, too -- I don't think anything has > fundamentally changed since then. Attackers use arrays of GPUs now? Ok, > increase MD5_SLOW some more. Isn't it a losing battle, if we increase something linearly to defeat something growing in geometric order? Defenders must carefully protect all weak points, while the attacker simply go the weakest chain of the whole system. >> Second, recent research has shown MD5 to be vulnerable to collision >> attacks [1] by the end of 2008. > > I'm not sure that attack against MD5 is relevant here, because we're not > using it in a way where collisions hurt. (Someone correct me if I'm wrong.) Yes and no. Collision attacks themselves would do nothing against our scenario. The design in crypt-md5.c not only "slow down" the computation, but also introduced additional protection by using intermediate hashes when doing the computation, like OPIE, which makes collision harder to use. > In fact, moving to a modern hash would weaken the defense, because e.g. > Skein is brilliantly fast -- the opposite of our goal. Modern hash algorithms are fast, but fast by itself is not anything wrong. Another benefit newer hash algorithms usually give is much more output bits, and every bit in the output, doubles the space needed to store the dictionary needed by the attacker, as well as the numbers of samples they presumably need to compute, while halving the chance they generate a collision for one given round. Cheers, - -- Xin LI http://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (FreeBSD) iQEcBAEBAgAGBQJLYfw8AAoJEATO+BI/yjfBTkIIAIp7NzGUdxqoRw7MbK/TzfOH Rx2cQzn/ld0eVTdPLHWBCShPgajcWiH99j3XPU7nj+JSl+B3qitmEu+Am/zT5GhZ wv8B9Vp+0aHrsOTdVEGw4yYHtE93VDEAzkdJ1PZndVJl/TSAWoxvIfkIkuLUJMp8 9zO53dSkM1EzIveTk5lCbDErYL8AlN+A1tIeycRTaFUhEbbRWzvcRzZ9iqCfUoB9 3WvHMykbFYfLHHEbT0dwQ3M1JzDDl51sBqxGUEUYlMkvfgrBa29r+LpvxO6+8ZiY aHrXZFU5O5RGNlJSRbbT0CkFKkpVWmLkyvJ2zhDEoIQx9Hpn8YRta6JqushEW8o= =ZB3V -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 21:09:30 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DACAE106566C for ; Thu, 28 Jan 2010 21:09:30 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from tarsier.geekcn.org (tarsier.geekcn.org [IPv6:2001:470:a803::1]) by mx1.freebsd.org (Postfix) with ESMTP id 82D408FC0C for ; Thu, 28 Jan 2010 21:09:30 +0000 (UTC) Received: from mail.geekcn.org (tarsier.geekcn.org [211.166.10.233]) by tarsier.geekcn.org (Postfix) with ESMTP id 98B44A5D438; Fri, 29 Jan 2010 05:09:29 +0800 (CST) X-Virus-Scanned: amavisd-new at geekcn.org Received: from tarsier.geekcn.org ([211.166.10.233]) by mail.geekcn.org (mail.geekcn.org [211.166.10.233]) (amavisd-new, port 10024) with LMTP id YI8W+zQosKpW; Fri, 29 Jan 2010 05:09:23 +0800 (CST) Received: from delta.delphij.net (drawbridge.ixsystems.com [206.40.55.65]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by tarsier.geekcn.org (Postfix) with ESMTPSA id C0076A5D408; Fri, 29 Jan 2010 05:09:22 +0800 (CST) DomainKey-Signature: a=rsa-sha1; s=default; d=delphij.net; c=nofws; q=dns; h=message-id:date:from:reply-to:organization:user-agent: mime-version:to:subject:references:in-reply-to:x-enigmail-version:openpgp: content-type:content-transfer-encoding; b=QAkYD640s3vZVOCqGNw7EAGNf5m7WQkgOVGUqcwsSuUnfQY7RUW2iFedltjdxW75i yajLEnjIXzQnJ3hhbK4gg== Message-ID: <4B61FCFF.6040207@delphij.net> Date: Thu, 28 Jan 2010 13:09:19 -0800 From: Xin LI Organization: The Geek China Organization User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.9.1.7) Gecko/20100122 Thunderbird/3.0.1 ThunderBrowse/3.2.8.1 MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <20100128182413.GI892@noncombatant.org> <20100128135410.7b6fe154.wmoran@collaborativefusion.com> <20100128193941.GK892@noncombatant.org> <20100128151026.5738b6c1.wmoran@collaborativefusion.com> <20100128201857.GP892@noncombatant.org> In-Reply-To: <20100128201857.GP892@noncombatant.org> X-Enigmail-Version: 1.0 OpenPGP: id=3FCA37C1; url=http://www.delphij.net/delphij.asc Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: d@delphij.net List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 21:09:30 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2010/01/28 12:18, Chris Palmer wrote: > For backwards compatibility, which do people prefer: Creating a new $N$ > prefix every time we re-tune the algorithm, or using a new notation to say > how many times this password was hashed? For example: $1.1000$, $1.100000$, > et c.? I'd vote for $1.nnnn$, as a good side effect it would be tunable by the administrators who want to fine tune the round number as need. Cheers, - -- Xin LI http://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (FreeBSD) iQEcBAEBAgAGBQJLYfz/AAoJEATO+BI/yjfBEXsIAIr2qzcNDVFDoZ2OWr6tAeZh 5Ew0LcrGKwMnbhwhn1lpOopJks/43JnX85YScPgpcCuDDyG8mev8kjwnuXpl0iOr fTMTgznuzIkHT6DcPfQYc2jcaMjR3TzSy8bTFOilrnkuQr0kPHAiQNrnrUtAKyxz Ss0JBjYboSVqtOG58fltkPB0XVoXwBSy8Y4eG+jwStn0qDPmASlZ1TaDvxQWkp9/ 4X7zCK9NCQa/VH94VnbX4uFn3uiLH+IXrUISQcgd9QUkOrswSpdyjSGwV9xkQXWn oiEQP0eVMPWWpesFjhcppSq+2gvsRRow8IpPUSgH2aZDVleZxe9/pEPyyl+bNCk= =rEMy -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 21:56:05 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 340B9106568D for ; Thu, 28 Jan 2010 21:56:05 +0000 (UTC) (envelope-from rnodal@gmail.com) Received: from mail-ew0-f218.google.com (mail-ew0-f218.google.com [209.85.219.218]) by mx1.freebsd.org (Postfix) with ESMTP id C25228FC0A for ; Thu, 28 Jan 2010 21:56:04 +0000 (UTC) Received: by ewy10 with SMTP id 10so1292918ewy.3 for ; Thu, 28 Jan 2010 13:56:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :from:date:message-id:subject:to:content-type; bh=4p+euvvT+3fK0T6FlU/L3wk5j+b/lE2ouL8l1SbYPXE=; b=JtlEAnMBb9nNZRICUDnODs66x70tdCnOSX0Pggii8O5gk19voC/i71G/3DeedQ1bFE SfPc+i9CFS8EHAtk/X4OjikmEu7t0CsJhwWBGp9pBV1he4wXtKbH3G+nF3lIxdoIFm7Y JzQoclTf7e7df3qEe2PpngRtdKALZziOkPgDE= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; b=caCDQcsT3A5vfK2LOT1x2Wjo9LSH3YBGa7ffWH8lYblkCWRL67nJTiSwnf5TmdaCRW 0uzuEq9oPGfqGCkALSjEFSxGemM+YyiCJ0ju3NJI2XYb8uPZh6NAlJII1rYqnEHbNq3V eZlDvmn75hyHwQlUAPXjqKbtkQdrAcld0SHzY= MIME-Version: 1.0 Received: by 10.213.42.205 with SMTP id t13mr2628530ebe.4.1264713903191; Thu, 28 Jan 2010 13:25:03 -0800 (PST) In-Reply-To: <20100128182413.GI892@noncombatant.org> References: <20100128182413.GI892@noncombatant.org> From: Roger Date: Thu, 28 Jan 2010 16:24:43 -0500 Message-ID: <9d972bed1001281324r29b4b93bw9ec5bc522d0e2764@mail.gmail.com> To: freebsd-security@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 21:56:05 -0000 What would be the consequence of having an algorithm that will increase the amount of time needed to check the next password after a failure. In other words, check the first one fast, the second try it will be slower, then the third even slower and then the forth even slower etc. Is this how it is currently implemented? (Sorry I did not read the code). -r From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 21:57:20 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C855E1065672 for ; Thu, 28 Jan 2010 21:57:20 +0000 (UTC) (envelope-from drosih@rpi.edu) Received: from smtp5.server.rpi.edu (smtp5.server.rpi.edu [128.113.2.225]) by mx1.freebsd.org (Postfix) with ESMTP id 8CD3D8FC1A for ; Thu, 28 Jan 2010 21:57:20 +0000 (UTC) Received: from [128.113.24.47] (gilead.netel.rpi.edu [128.113.24.47]) by smtp5.server.rpi.edu (8.13.1/8.13.1) with ESMTP id o0SLusZN020703; Thu, 28 Jan 2010 16:56:56 -0500 Mime-Version: 1.0 Message-Id: In-Reply-To: <4B61FCFF.6040207@delphij.net> References: <20100128182413.GI892@noncombatant.org> <20100128135410.7b6fe154.wmoran@collaborativefusion.com> <20100128193941.GK892@noncombatant.org> <20100128151026.5738b6c1.wmoran@collaborativefusion.com> <20100128201857.GP892@noncombatant.org> <4B61FCFF.6040207@delphij.net> Date: Thu, 28 Jan 2010 16:56:53 -0500 To: d@delphij.net, freebsd-security@freebsd.org From: Garance A Drosihn Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Bayes-Prob: 0.0001 (Score 0) X-RPI-SA-Score: 0.00 () [Hold at 20.00] 22490(-25) X-CanItPRO-Stream: outgoing X-Canit-Stats-ID: Bayes signature not available X-Scanned-By: CanIt (www . roaringpenguin . com) on 128.113.2.225 Cc: Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 21:57:20 -0000 At 1:09 PM -0800 1/28/10, Xin LI wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >On 2010/01/28 12:18, Chris Palmer wrote: >> For backwards compatibility, which do people prefer: Creating a new $N$ >> prefix every time we re-tune the algorithm, or using a new notation to say >> how many times this password was hashed? For example: $1.1000$, $1.100000$, >> et c.? > >I'd vote for $1.nnnn$, as a good side effect it would be tunable by the >administrators who want to fine tune the round number as need. Might want to make it something like $1.nnn.bbb$, so the admin can specify the number of bits as well as the number of rounds. And then pick some algorithm where those two values make sense. :-) By going for something tunable, users don't HAVE to change their password the moment the sysadmin decides that it's time for better protection. The sysadmin can change the numbers used when the user changes their password, and then gradually transition everyone to the stronger encryption. It also means that users could decide to use stronger encryption if they are willing to wait for it, without the sysadmin needing to do anything. -- Garance Alistair Drosehn = gad@gilead.netel.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 22:13:49 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 457AE106568B for ; Thu, 28 Jan 2010 22:13:49 +0000 (UTC) (envelope-from cswiger@mac.com) Received: from asmtpout023.mac.com (asmtpout023.mac.com [17.148.16.98]) by mx1.freebsd.org (Postfix) with ESMTP id 2BF898FC18 for ; Thu, 28 Jan 2010 22:13:49 +0000 (UTC) MIME-version: 1.0 Content-transfer-encoding: 7BIT Content-type: text/plain; charset=us-ascii Received: from cswiger1.apple.com ([17.209.4.71]) by asmtp023.mac.com (Sun Java(tm) System Messaging Server 6.3-8.01 (built Dec 16 2008; 32bit)) with ESMTPSA id <0KWZ00FHC9QU8160@asmtp023.mac.com> for freebsd-security@freebsd.org; Thu, 28 Jan 2010 14:13:43 -0800 (PST) X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 phishscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx engine=5.0.0-0908210000 definitions=main-1001280197 From: Chuck Swiger In-reply-to: Date: Thu, 28 Jan 2010 14:13:42 -0800 Message-id: <75297887-C475-451D-B4A1-CB9D3A5BD2CA@mac.com> References: <20100128182413.GI892@noncombatant.org> <20100128135410.7b6fe154.wmoran@collaborativefusion.com> <20100128193941.GK892@noncombatant.org> <20100128151026.5738b6c1.wmoran@collaborativefusion.com> <20100128201857.GP892@noncombatant.org> <4B61FCFF.6040207@delphij.net> To: Garance A Drosihn X-Mailer: Apple Mail (2.1077) Cc: freebsd-security@freebsd.org Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 22:13:49 -0000 Hi-- On Jan 28, 2010, at 1:56 PM, Garance A Drosihn wrote: >> On 2010/01/28 12:18, Chris Palmer wrote: >>> For backwards compatibility, which do people prefer: Creating a new $N$ >>> prefix every time we re-tune the algorithm, or using a new notation to say >>> how many times this password was hashed? For example: $1.1000$, $1.100000$, >>> et c.? >> >> I'd vote for $1.nnnn$, as a good side effect it would be tunable by the >> administrators who want to fine tune the round number as need. > > Might want to make it something like $1.nnn.bbb$, so the admin can specify > the number of bits as well as the number of rounds. And then pick some > algorithm where those two values make sense. :-) As Antoine points out in the link mentioned: > The integration into existing systems is easy if those systems already > support the MD5-based solution. Ever since the introduction of the > MD5-based method an extended password format is in used: > > $$$ >> > [ ... ] > For the SHA-based methods the SALT string can be a simple string of > which up to 16 characters are used. The MD5-based implementation used > up to eight characters.. It was decided to allow one extension which > follows an invention Sun implemented in their pluggable crypt > implementation. If the SALT strings starts with > > rounds=$ > > where N is an unsigned decimal number the numeric value of N is used > to modify the algorithm used. As will be explained later, the > SHA-based algorithm contains a loop which can be run an arbitrary > number of times. The more rounds are performed the higher the CPU > requirements are. This is a safety mechanism which might help > countering brute-force attacks in the face of increasing computing > power. > > The default number of rounds for both algorithms is 5000. To ensure > minimal security and stability on the other hand minimum and maximum > values for N are enforced: > > minimum for N = 1,000 > maximum for N = 999,999,999 > > Any selection of N below the minimum will cause the use of 1,000 > rounds and a value of 1 billion and higher will cause 999,999,999 > rounds to be used. In these cases the output string produced by the > crypt function will not have the same salt as the input salt string > since the correct, limited rounds value is used in the output. This seems to address the suggestion being made by Chris (and +1'ed by others) in a fashion that is compatible with other implementations.... Regards, -- -Chuck From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 22:18:39 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9215A106566C for ; Thu, 28 Jan 2010 22:18:39 +0000 (UTC) (envelope-from drosih@rpi.edu) Received: from smtp7.server.rpi.edu (smtp7.server.rpi.edu [128.113.2.227]) by mx1.freebsd.org (Postfix) with ESMTP id 56BFC8FC12 for ; Thu, 28 Jan 2010 22:18:39 +0000 (UTC) Received: from [128.113.24.47] (gilead.netel.rpi.edu [128.113.24.47]) by smtp7.server.rpi.edu (8.13.1/8.13.1) with ESMTP id o0SMIQ11028164; Thu, 28 Jan 2010 17:18:26 -0500 Mime-Version: 1.0 Message-Id: In-Reply-To: References: <20100128182413.GI892@noncombatant.org> <20100128135410.7b6fe154.wmoran@collaborativefusion.com> <20100128193941.GK892@noncombatant.org> <20100128151026.5738b6c1.wmoran@collaborativefusion.com> <20100128201857.GP892@noncombatant.org> <4B61FCFF.6040207@delphij.net> Date: Thu, 28 Jan 2010 17:18:25 -0500 To: d@delphij.net, freebsd-security@freebsd.org From: Garance A Drosihn Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Bayes-Prob: 0.0001 (Score 0) X-RPI-SA-Score: 0.00 () [Hold at 20.00] 22490(-25) X-CanItPRO-Stream: outgoing X-Canit-Stats-ID: Bayes signature not available X-Scanned-By: CanIt (www . roaringpenguin . com) on 128.113.2.227 Cc: Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 22:18:39 -0000 At 4:56 PM -0500 1/28/10, Garance A Drosihn wrote: >At 1:09 PM -0800 1/28/10, Xin LI wrote: >>-----BEGIN PGP SIGNED MESSAGE----- >>Hash: SHA1 >> >>On 2010/01/28 12:18, Chris Palmer wrote: >>> For backwards compatibility, which do people prefer: Creating a new $N$ >>> prefix every time we re-tune the algorithm, or using a new notation to say >>> how many times this password was hashed? For example: $1.1000$, $1.100000$, >>> et c.? >> >>I'd vote for $1.nnnn$, as a good side effect it would be tunable by the >>administrators who want to fine tune the round number as need. > >Might want to make it something like $1.nnn.bbb$, so the admin can specify >the number of bits as well as the number of rounds. And then pick some >algorithm where those two values make sense. :-) > > >By going for something tunable, users don't HAVE to change their password >the moment the sysadmin decides that it's time for better protection. The >sysadmin can change the numbers used when the user changes their password, >and then gradually transition everyone to the stronger encryption. > >It also means that users could decide to use stronger encryption if they >are willing to wait for it, without the sysadmin needing to do anything. Also note that we might not want the "nnn" number to be an exact count of the number of times it was hashed. For instance, it might be that the algorithm works best if the number is always hashed a prime-number of times, or that it's always a power-of-2 increase. So a value of 3 for "nnn" just means "more times than 2 would do", and not necessarily "exactly one more time than would be done for 2". This is just meant as something we might want to consider. -- Garance Alistair Drosehn = gad@gilead.netel.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 22:20:34 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2F8CD1065676 for ; Thu, 28 Jan 2010 22:20:34 +0000 (UTC) (envelope-from drosih@rpi.edu) Received: from smtp6.server.rpi.edu (smtp6.server.rpi.edu [128.113.2.226]) by mx1.freebsd.org (Postfix) with ESMTP id CEE938FC23 for ; Thu, 28 Jan 2010 22:20:33 +0000 (UTC) Received: from [128.113.24.47] (gilead.netel.rpi.edu [128.113.24.47]) by smtp6.server.rpi.edu (8.13.1/8.13.1) with ESMTP id o0SMKUv7028779; Thu, 28 Jan 2010 17:20:31 -0500 Mime-Version: 1.0 Message-Id: In-Reply-To: <75297887-C475-451D-B4A1-CB9D3A5BD2CA@mac.com> References: <20100128182413.GI892@noncombatant.org> <20100128135410.7b6fe154.wmoran@collaborativefusion.com> <20100128193941.GK892@noncombatant.org> <20100128151026.5738b6c1.wmoran@collaborativefusion.com> <20100128201857.GP892@noncombatant.org> <4B61FCFF.6040207@delphij.net> <75297887-C475-451D-B4A1-CB9D3A5BD2CA@mac.com> Date: Thu, 28 Jan 2010 17:20:29 -0500 To: Chuck Swiger From: Garance A Drosihn Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Bayes-Prob: 0.0001 (Score 0) X-RPI-SA-Score: 0.00 () [Hold at 20.00] 22490(-25) X-CanItPRO-Stream: outgoing X-Canit-Stats-ID: Bayes signature not available X-Scanned-By: CanIt (www . roaringpenguin . com) on 128.113.2.226 Cc: freebsd-security@freebsd.org Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 22:20:34 -0000 At 2:13 PM -0800 1/28/10, Chuck Swiger wrote: >Hi-- > >On Jan 28, 2010, at 1:56 PM, Garance A Drosihn wrote: > > >> Might want to make it something like $1.nnn.bbb$, so the admin can specify >> the number of bits as well as the number of rounds. And then pick some >> algorithm where those two values make sense. :-) > >As Antoine points out in the link mentioned: > >> The integration into existing systems is easy if those systems already >> support the MD5-based solution. Ever since the introduction of the >> MD5-based method an extended password format is in used: >> > > $$$ >This seems to address the suggestion being made by Chris (and +1'ed >by others) in a fashion that is compatible with other >implementations.... Ah, yes, this seems like a fine idea. (so please ignore the message I sent about 45 seconds ago!) -- Garance Alistair Drosehn = gad@gilead.netel.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 22:36:55 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 06F5E106566C for ; Thu, 28 Jan 2010 22:36:55 +0000 (UTC) (envelope-from mandrews@bit0.com) Received: from magnum.bit0.com (magnum.bit0.com [207.246.88.226]) by mx1.freebsd.org (Postfix) with ESMTP id BB0018FC14 for ; Thu, 28 Jan 2010 22:36:54 +0000 (UTC) Received: from millenniumforce.int.bit0.com (nat.bit0.com [207.246.88.210]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by magnum.bit0.com (Postfix) with ESMTPSA id 3D4418923 for ; Thu, 28 Jan 2010 17:20:29 -0500 (EST) Message-ID: <4B620DAC.4080608@bit0.com> Date: Thu, 28 Jan 2010 17:20:28 -0500 From: Mike Andrews User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1 MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <20100128182413.GI892@noncombatant.org> <20100128135410.7b6fe154.wmoran@collaborativefusion.com> <20100128193941.GK892@noncombatant.org> <20100128151026.5738b6c1.wmoran@collaborativefusion.com> <20100128201857.GP892@noncombatant.org> In-Reply-To: <20100128201857.GP892@noncombatant.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 22:36:55 -0000 On 1/28/10 3:18 PM, Chris Palmer wrote: > For backwards compatibility, which do people prefer: Creating a new $N$ > prefix every time we re-tune the algorithm, or using a new notation to say > how many times this password was hashed? For example: $1.1000$, $1.100000$, > et c.? > > I prefer the latter. It can work with Blowfish, too, and anything else > people come up with in the future. The Blowfish one already has that feature. A long time ago (like FreeBSD 6.something, maybe earlier) I changed all my /etc/login.conf files to set "passwd_format=blf" and all my password hashes are in the format "$2a$04$salthash" -- with the "04" being the (default) number of rounds of Blowfish to run. I have some users where it's set to 11 rounds, and as you'd expect, it puts a pretty big hurt on the ability of things like John The Ripper to attack the hashes. Just making sure we aren't suggesting reinventing a wheel here :) Even 4 rounds of Blowfish is far slower than 1000 rounds of MD5, and 1000 rounds of MD5 is far slower than DES. And yeah, fear of MD5 collisions is totally irrelevant here. If you're really that worried about MD5 anyway, just change "passwd_format=md5" to "passwd_format=blf" in your login.conf's default section and be happy :) From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 22:37:06 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 998B4106566B for ; Thu, 28 Jan 2010 22:37:06 +0000 (UTC) (envelope-from phk@critter.freebsd.dk) Received: from phk.freebsd.dk (phk.freebsd.dk [130.225.244.222]) by mx1.freebsd.org (Postfix) with ESMTP id 5DDB38FC19 for ; Thu, 28 Jan 2010 22:37:06 +0000 (UTC) Received: from critter.freebsd.dk (critter.freebsd.dk [192.168.61.3]) by phk.freebsd.dk (Postfix) with ESMTP id EA4777EA40; Thu, 28 Jan 2010 22:37:04 +0000 (UTC) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.14.3/8.14.3) with ESMTP id o0SLw5jk003465; Thu, 28 Jan 2010 21:58:06 GMT (envelope-from phk@critter.freebsd.dk) To: Chris Palmer From: "Poul-Henning Kamp" In-Reply-To: Your message of "Thu, 28 Jan 2010 10:24:13 PST." <20100128182413.GI892@noncombatant.org> Date: Thu, 28 Jan 2010 21:58:05 +0000 Message-ID: <3464.1264715885@critter.freebsd.dk> Sender: phk@critter.freebsd.dk Cc: freebsd-security@freebsd.org Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 22:37:06 -0000 In message <20100128182413.GI892@noncombatant.org>, Chris Palmer writes: > /* > * and now, just to make sure things don't run too fast > * On a 60 Mhz Pentium this takes 34 msec, so you would > * need 30 seconds to build a 1000 entry dictionary... > */ A number of points: 1. I'm not sure slowing it down buys very much security, as far as I know, brute-forcing $1$ is still out of the question, mostly because of the wide salt. 2. Most "brute force" attacks are dictionary attacks, and slowing the algorithm down for those is pointless: The bad guys have grids of Nx100k machines to grind. Even making it take half a second will not inconvenience them much. 3. Compatibility: as far as I know, we have a configurable mechanism for choosing preferred crypt algo for new passwords, and autodetection on old passwords. 4. Encoding #rounds: one of the OpenBSD derivatives for $1$ does that, consider adoption, rather than NIH. Increased strength against rainbow and dictionaries can be had by making the low bits in #rounds a salt. 5. Cross system compat: A valid concern in some environments (See #3) and not in others. Certainly not a valid reason to never change algorithm again (see #6). 6. The major point behind $1$ was lost: You can change algorithm with a frequency of twice your password expiry time. My intent back in the middle of the nineties was not to write the "endlösung" for password encryption, but rather to point out that password hashing is "kleenex-crypto" which can, and should, be swapped at regular intervals. Every 15 years may be sufficiently regular. 7. Consider preempting the bike-shed, by asking some card-carrying cryptographers for the correct way to employ a crypto-hash algorithm in a way that does soak up some CPU time. 8. A number of interesting ideas was battered about back when $1$ was introduced, check mail archives and read the OpenBSD paper, even though it is mostly plagarism. Poul-Henning -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 22:40:26 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 881CA106568F for ; Thu, 28 Jan 2010 22:40:26 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.157]) by mx1.freebsd.org (Postfix) with ESMTP id 187678FC26 for ; Thu, 28 Jan 2010 22:40:25 +0000 (UTC) Received: by fg-out-1718.google.com with SMTP id l26so115727fgb.13 for ; Thu, 28 Jan 2010 14:40:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:date:from:to:subject :message-id:in-reply-to:references:x-mailer:mime-version :content-type:content-transfer-encoding; bh=eD5hnHBxxGxviZALFD9jswgw5wOKu/nRIwBADkwDBIs=; b=oR9KmkH3hv2R4m5qBQVKT34tSghrRDNEVzWCLu3/GMxSWKT/niPuzVJXV863R/9CTk 4jWnK9XWN4iuTHl0mLrXjL6MtiF9TYc0thFzTgZm4Kl8AGchuiCvYmQyVwDC/1hKwMjH yCi/3T2BbrpLWb96NfdeQD4XffKdhUCqKkd3M= DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=date:from:to:subject:message-id:in-reply-to:references:x-mailer :mime-version:content-type:content-transfer-encoding; b=sbIpZGyeUXUmvmBoANyf3SG1Rbv68HbASeKGZqSwxxJX3CkWUQTufbYKD37B0XodbL q3u0ZNX1VmZ2ZvPR/F0XMaUFXVxYG25cKNHD3SB0C0dGfL9g8buZ6vn04SdA+j/2nR1d BoLz6Xb6LA0TLusqQ7SZu1zT/qL80UsQVSaLA= Received: by 10.87.67.24 with SMTP id u24mr682860fgk.21.1264718424922; Thu, 28 Jan 2010 14:40:24 -0800 (PST) Received: from gumby.homeunix.com (bb-87-81-140-128.ukonline.co.uk [87.81.140.128]) by mx.google.com with ESMTPS id e11sm3004655fga.8.2010.01.28.14.40.23 (version=SSLv3 cipher=RC4-MD5); Thu, 28 Jan 2010 14:40:24 -0800 (PST) Date: Thu, 28 Jan 2010 22:40:22 +0000 From: RW To: freebsd-security@freebsd.org Message-ID: <20100128224022.396588dc@gumby.homeunix.com> In-Reply-To: <9d972bed1001281324r29b4b93bw9ec5bc522d0e2764@mail.gmail.com> References: <20100128182413.GI892@noncombatant.org> <9d972bed1001281324r29b4b93bw9ec5bc522d0e2764@mail.gmail.com> X-Mailer: Claws Mail 3.7.4 (GTK+ 2.18.6; i386-portbld-freebsd8.0) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 22:40:26 -0000 On Thu, 28 Jan 2010 16:24:43 -0500 Roger wrote: > What would be the consequence of having an algorithm that will > increase the amount of time needed to check the next password after a > failure. The point of slowing down the algorithm is to protect against off-line attack where an attacker has gained access to a copy of master.passwd. Any hashing has to be done when the password is set, so it's fixed thereafter. From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 22:44:25 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B31E010656A6 for ; Thu, 28 Jan 2010 22:44:25 +0000 (UTC) (envelope-from mandrews@bit0.com) Received: from magnum.bit0.com (magnum.bit0.com [207.246.88.226]) by mx1.freebsd.org (Postfix) with ESMTP id 6D2DB8FC31 for ; Thu, 28 Jan 2010 22:44:25 +0000 (UTC) Received: from magnum.int.bit0.com (localhost [127.0.0.1]) by magnum.bit0.com (Postfix) with ESMTP id C90B4E8EC for ; Thu, 28 Jan 2010 17:44:24 -0500 (EST) X-Virus-Scanned: amavisd-new at bit0.com Received: from magnum.bit0.com ([127.0.0.1]) by magnum.int.bit0.com (magnum.int.bit0.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id roU6x9JJVKHm for ; Thu, 28 Jan 2010 17:44:21 -0500 (EST) Received: from beast.int.bit0.com (beast.int.bit0.com [172.27.0.2]) by magnum.bit0.com (Postfix) with ESMTP for ; Thu, 28 Jan 2010 17:44:21 -0500 (EST) Date: Thu, 28 Jan 2010 17:44:19 -0500 (EST) From: Mike Andrews X-X-Sender: mandrews@beast.int.bit0.com To: freebsd-security@freebsd.org In-Reply-To: <4B620DAC.4080608@bit0.com> Message-ID: References: <20100128182413.GI892@noncombatant.org> <20100128135410.7b6fe154.wmoran@collaborativefusion.com> <20100128193941.GK892@noncombatant.org> <20100128151026.5738b6c1.wmoran@collaborativefusion.com> <20100128201857.GP892@noncombatant.org> <4B620DAC.4080608@bit0.com> User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 22:44:25 -0000 On Thu, 28 Jan 2010, Mike Andrews wrote: > On 1/28/10 3:18 PM, Chris Palmer wrote: >> For backwards compatibility, which do people prefer: Creating a new $N$ >> prefix every time we re-tune the algorithm, or using a new notation to say >> how many times this password was hashed? For example: $1.1000$, $1.100000$, >> et c.? >> >> I prefer the latter. It can work with Blowfish, too, and anything else >> people come up with in the future. > > The Blowfish one already has that feature. > > A long time ago (like FreeBSD 6.something, maybe earlier) I changed all my > /etc/login.conf files to set "passwd_format=blf" and all my password hashes > are in the format "$2a$04$salthash" -- with the "04" being the (default) > number of rounds of Blowfish to run. I have some users where it's set to 11 > rounds, and as you'd expect, it puts a pretty big hurt on the ability of > things like John The Ripper to attack the hashes. Actaully that's not the number of rounds, it's the log2() of the number of rounds. So 04 is really 2^4=16 rounds (the minimum), 11 is 2^11=2048 rounds, and the maximum is 31 -- which as the source code states, oughta scale pretty well for a while. :) See /usr/src/secure/lib/libcrypt/crypt-blowfish.c There is probably a login.conf knob to raise the default number of rounds beyond 2^4. But the point remains: look at what FreeBSD already has. :) From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 22:53:51 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CB0DF1065696 for ; Thu, 28 Jan 2010 22:53:51 +0000 (UTC) (envelope-from rnodal@gmail.com) Received: from ey-out-2122.google.com (ey-out-2122.google.com [74.125.78.24]) by mx1.freebsd.org (Postfix) with ESMTP id 60B498FC13 for ; Thu, 28 Jan 2010 22:53:51 +0000 (UTC) Received: by ey-out-2122.google.com with SMTP id 22so313422eye.9 for ; Thu, 28 Jan 2010 14:53:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :from:date:message-id:subject:to:content-type; bh=ZBXahKQlOSgyqWvSMe/W46BegFLc2o9axysJ1IVdacc=; b=w/rMdV2M9GRdxsFGZGD/NRYtMgQ19cCiZIqyzY3DsCwlBmtANrIRc72XIqYClq+hX+ xNvi2m9FKiZNTprQNW/8x7f9CU2pCQ+opyLOpLN/YWLh2/x8MHOLOotqAhYFQTVNSnoV En+vRpd+xC/1JX3iW/Zym10+lDWnjOEp7OKos= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; b=KQCfIAghFDLkN4z3zd0dUa4Qa6fX+t6btRctHJqAOJHXFj17k6zxJy/OkqAMET2hcH hfMdQHkS5wXSYM184wZGKugOakD0E2bge16KvF/As8DrXMhmJvkHNm4FZPwPiqxzbSfZ R1ROzfZNp/7k7tUny9dqx1UWUQFQLrBF/qPuk= MIME-Version: 1.0 Received: by 10.213.104.69 with SMTP id n5mr1276446ebo.90.1264719230347; Thu, 28 Jan 2010 14:53:50 -0800 (PST) In-Reply-To: <20100128224022.396588dc@gumby.homeunix.com> References: <20100128182413.GI892@noncombatant.org> <9d972bed1001281324r29b4b93bw9ec5bc522d0e2764@mail.gmail.com> <20100128224022.396588dc@gumby.homeunix.com> From: Roger Date: Thu, 28 Jan 2010 17:53:30 -0500 Message-ID: <9d972bed1001281453k3ae9753r6aee18ba4c3c120a@mail.gmail.com> To: freebsd-security@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 22:53:51 -0000 > > The point of slowing down the algorithm is to protect against off-line > attack where an attacker has gained access to a copy of master.passwd. When say "off-line attack" do you refer to the attacker running a brute force attack on his/her machine? I'm assuming that by using a slow algorithm the attacker is forced to use the same slow algorithm to check the passwords? > Any hashing has to be done when the password is set, so it's fixed > thereafter. What do you mean by that? Thank you very much for taking the time to answer. -r From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 23:21:43 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 69BC51065694 for ; Thu, 28 Jan 2010 23:21:43 +0000 (UTC) (envelope-from dillon@apollo.backplane.com) Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by mx1.freebsd.org (Postfix) with ESMTP id 34E858FC14 for ; Thu, 28 Jan 2010 23:21:43 +0000 (UTC) Received: from apollo.backplane.com (localhost [127.0.0.1]) by apollo.backplane.com (8.14.4/8.14.1) with ESMTP id o0SNBWeh003679 for ; Thu, 28 Jan 2010 15:11:33 -0800 (PST) Received: (from dillon@localhost) by apollo.backplane.com (8.14.4/8.13.4/Submit) id o0SNBWp4003678; Thu, 28 Jan 2010 15:11:32 -0800 (PST) Date: Thu, 28 Jan 2010 15:11:32 -0800 (PST) From: Matthew Dillon Message-Id: <201001282311.o0SNBWp4003678@apollo.backplane.com> To: freebsd-security@freebsd.org References: <20100128182413.GI892@noncombatant.org> <9d972bed1001281324r29b4b93bw9ec5bc522d0e2764@mail.gmail.com> <20100128224022.396588dc@gumby.homeunix.com> Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jan 2010 23:21:43 -0000 Just give up and turn off tunneled plaintext passwords over the network. No (non-kerberos) telnetd, rlogind, (non anonymous) ftpd, etc. Just run sshd and put this in your sshd_config: # To disable tunneled clear text passwords, change to no here! PasswordAuthentication no Local passwords can still be used for things like a (restricted) sudo, console root logins, and X/xdm. Disallowing remote passworded logins removes the primary attack vector, which is over the network. You'd probably want to adjust /etc/login.access too since for some reason beyond my comprehension /usr/bin/login can be run from pty's to cross-login locally (with a password). So even if the attacker knows the password he is SOL without physical access. -- The problem with stolen master.passwd files is that you often don't know the file has been stolen until the hacker actually starts using the compromised accounts. In otherwords, the hacker has as much time as he wants to break the file before having to worry about someone reacting to it. This makes the concept of multiplying the analysis cost almost completely worthless above and beyond everything else mentioned. Mostly these protections against stolen master.passwd files aren't so much to protect the machine against being hacked (since it was hacked already to get the file in the first place), but instead to reduce the work involved when cleaning up after a hack incident. It's best to limit the damage by making the stolen file simply not be useful to a remote attacker. -Matt Matthew Dillon From owner-freebsd-security@FreeBSD.ORG Fri Jan 29 00:15:10 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3743B106566B for ; Fri, 29 Jan 2010 00:15:10 +0000 (UTC) (envelope-from pjd@garage.freebsd.pl) Received: from mail.garage.freebsd.pl (chello089077043238.chello.pl [89.77.43.238]) by mx1.freebsd.org (Postfix) with ESMTP id 7DEB38FC2B for ; Fri, 29 Jan 2010 00:15:09 +0000 (UTC) Received: by mail.garage.freebsd.pl (Postfix, from userid 65534) id 6C13745F47; Fri, 29 Jan 2010 00:55:44 +0100 (CET) Received: from localhost (chello089077043238.chello.pl [89.77.43.238]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.garage.freebsd.pl (Postfix) with ESMTP id 1ECD545C9F; Fri, 29 Jan 2010 00:55:39 +0100 (CET) Date: Fri, 29 Jan 2010 00:55:35 +0100 From: Pawel Jakub Dawidek To: Chris Palmer Message-ID: <20100128235535.GA1808@garage.freebsd.pl> References: <20100128182413.GI892@noncombatant.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="GvXjxJ+pjyke8COw" Content-Disposition: inline In-Reply-To: <20100128182413.GI892@noncombatant.org> User-Agent: Mutt/1.4.2.3i X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc X-OS: FreeBSD 9.0-CURRENT i386 X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on mail.garage.freebsd.pl X-Spam-Level: X-Spam-Status: No, score=-0.6 required=4.5 tests=BAYES_00,RCVD_IN_SORBS_DUL autolearn=no version=3.0.4 Cc: freebsd-security@freebsd.org Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Jan 2010 00:15:10 -0000 --GvXjxJ+pjyke8COw Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jan 28, 2010 at 10:24:13AM -0800, Chris Palmer wrote: > See your copy of /usr/src/lib/libcrypt/crypt-md5.c: [...] > This algorithm is still the default on FreeBSD 8. (Blowfish is available = -- > but has it been tuned for slowness either? I have not checked.) The purpo= se > of these functions is to be slow, but the above has not been slow for yea= rs. > Hence this patch: [...] This is wrong approach. It should be done using PKCS#5v2 just like geli(8) does it. It even calculates number of iterations so the operation completes in reasonable amount of time on your machine (eg. 1 second). It also uses HMAC/SHA512. On some recent CPUs (amd64) it should be possible for 2^20 iterations to complete in reasonable amount of time. Even strong passwords have no more than five bits of entropy per character (probably much less if it is something possible to remember), so to brute-force one character you need 2^5 interations, which means that strong eight characters password needs 2^40 iterations for full brute-force. Adding 2^20 iterations of PKCS#5v2 makes it 2^60, which is not bad. Of course if we assume that 2^20 of PKCS#5v2 takes one second, then it will take ~34865 years to fully brute-force it on one machine. Although you can safely assume that if you really have something to hide, an attacker will be able to use 100.000 nodes botnet, which leaves you with only ~127 days to change your password:) Remember that this is login password we are talking about, not password used for encryption, so all you want to protect it against is theft of /etc/master.passwd. All in all static passwords are for the weak that's why we (Wheel Systems) believe in easy to use one-time passwords:) --=20 Pawel Jakub Dawidek http://www.wheel.pl pjd@FreeBSD.org http://www.FreeBSD.org FreeBSD committer Am I Evil? Yes, I Am! --GvXjxJ+pjyke8COw Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4 (FreeBSD) iD8DBQFLYiP3ForvXbEpPzQRAm3WAJ4hH23ttMVJ6d+ne2EskGXeoAC1ggCbBO3X wY6QiWo7b4BQczLpiYR/abI= =izMe -----END PGP SIGNATURE----- --GvXjxJ+pjyke8COw-- From owner-freebsd-security@FreeBSD.ORG Fri Jan 29 00:23:37 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4F03E106566C for ; Fri, 29 Jan 2010 00:23:37 +0000 (UTC) (envelope-from dan@obluda.cz) Received: from smtp1.kolej.mff.cuni.cz (smtp1.kolej.mff.cuni.cz [78.128.192.10]) by mx1.freebsd.org (Postfix) with ESMTP id D1BEF8FC13 for ; Fri, 29 Jan 2010 00:23:36 +0000 (UTC) X-Envelope-From: dan@obluda.cz Received: from kgw.obluda.cz (kgw.obluda.cz [193.179.199.50]) by smtp1.kolej.mff.cuni.cz (8.14.3/8.14.3) with ESMTP id o0SNXPkp064385; Fri, 29 Jan 2010 00:33:26 +0100 (CET) (envelope-from dan@obluda.cz) Message-ID: <4B621EC5.3030400@obluda.cz> Date: Fri, 29 Jan 2010 00:33:25 +0100 From: Dan Lukes User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.9.1.7) Gecko/20100115 SeaMonkey/2.0.2 MIME-Version: 1.0 To: Mike Andrews References: <20100128182413.GI892@noncombatant.org> <20100128135410.7b6fe154.wmoran@collaborativefusion.com> <20100128193941.GK892@noncombatant.org> <20100128151026.5738b6c1.wmoran@collaborativefusion.com> <20100128201857.GP892@noncombatant.org> <4B620DAC.4080608@bit0.com> In-Reply-To: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Jan 2010 00:23:37 -0000 On 01/28/10 23:44, Mike Andrews: >> all my password hashes are in the format "$2a$04$salthash" -- with the "04" >> being the (default) number of rounds of Blowfish to run > There is probably a login.conf knob to raise the default number of > rounds beyond 2^4. No. The standard way of password change flow trough pam_unix.c. It call crypt(new_pass, salt) where salt is pseudo-random sequence. As such salt doesn't start with a magic, the default algorithm is selected. If it si blowfish, then crypt_blowfish(key, salt) is called. As the random salt doesn't start with $2a$ magic it is not considered to be '$2a$nn$salt'-like string. Then default number (04) is used all the times. Dan From owner-freebsd-security@FreeBSD.ORG Fri Jan 29 00:53:36 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B00371065676 for ; Fri, 29 Jan 2010 00:53:36 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: from mail-fx0-f226.google.com (mail-fx0-f226.google.com [209.85.220.226]) by mx1.freebsd.org (Postfix) with ESMTP id 3EEDB8FC14 for ; Fri, 29 Jan 2010 00:53:35 +0000 (UTC) Received: by fxm26 with SMTP id 26so10603fxm.13 for ; Thu, 28 Jan 2010 16:53:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:date:from:to:subject :message-id:in-reply-to:references:x-mailer:mime-version :content-type:content-transfer-encoding; bh=FTP5Lf8mr8iP4yzdpb9GuEAyJsEfDmX7ZA1pGvU3qb8=; b=krdt3HyzpO0EXSyzu2ad+OQjatwVt0dOyUnVT2ZkKXlFA09tKvKMj/2ScOnobR1Ovw sGM49GqQDCCXbXwOiwGvfPdLSzITKOWJj6pvF7/t8EbHLQmIPHBPREqOVMz8xpG6+nkh WBqEP6/QXwWta1y5jAepYxc0VNxU630yyId/U= DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=date:from:to:subject:message-id:in-reply-to:references:x-mailer :mime-version:content-type:content-transfer-encoding; b=n/B0UOqbJOTqUptx3DmmdJi9Y1WYLzBi5ZM1gOuZpJcGnHWf+hDUkdBvC413OXkiPo IZIgf1SMxfIgs8IdYWbvfeoMAVuH5uEWAxMYuL78GO+pbcJXFpbmLZ0I+iZH7x26LZDz Un524sVWf25zYPDr3YG7CUIolz66FvhiLRuEk= Received: by 10.87.62.39 with SMTP id p39mr904363fgk.9.1264726413862; Thu, 28 Jan 2010 16:53:33 -0800 (PST) Received: from gumby.homeunix.com (bb-87-81-140-128.ukonline.co.uk [87.81.140.128]) by mx.google.com with ESMTPS id 3sm2944668fge.11.2010.01.28.16.53.32 (version=SSLv3 cipher=RC4-MD5); Thu, 28 Jan 2010 16:53:32 -0800 (PST) Date: Fri, 29 Jan 2010 00:53:30 +0000 From: RW To: freebsd-security@freebsd.org Message-ID: <20100129005330.1694c20f@gumby.homeunix.com> In-Reply-To: <9d972bed1001281453k3ae9753r6aee18ba4c3c120a@mail.gmail.com> References: <20100128182413.GI892@noncombatant.org> <9d972bed1001281324r29b4b93bw9ec5bc522d0e2764@mail.gmail.com> <20100128224022.396588dc@gumby.homeunix.com> <9d972bed1001281453k3ae9753r6aee18ba4c3c120a@mail.gmail.com> X-Mailer: Claws Mail 3.7.4 (GTK+ 2.18.6; i386-portbld-freebsd8.0) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Jan 2010 00:53:36 -0000 On Thu, 28 Jan 2010 17:53:30 -0500 Roger wrote: > > > > The point of slowing down the algorithm is to protect against > > off-line attack where an attacker has gained access to a copy of > > master.passwd. > > When say "off-line attack" do you refer to the attacker running a > brute force attack on his/her machine? Yes > I'm assuming that by using a slow algorithm the attacker is forced to > use the same slow algorithm to check the passwords? Hopefully > > Any hashing has to be done when the password is set, so it's fixed > > thereafter. > The thread is about password hashing, which is not a mechanism to slow-down and back-off login attempts. From owner-freebsd-security@FreeBSD.ORG Fri Jan 29 02:05:29 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B41F71065670 for ; Fri, 29 Jan 2010 02:05:29 +0000 (UTC) (envelope-from rnodal@gmail.com) Received: from mail-ew0-f218.google.com (mail-ew0-f218.google.com [209.85.219.218]) by mx1.freebsd.org (Postfix) with ESMTP id 4C03C8FC13 for ; Fri, 29 Jan 2010 02:05:28 +0000 (UTC) Received: by ewy10 with SMTP id 10so1503021ewy.3 for ; Thu, 28 Jan 2010 18:05:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :from:date:message-id:subject:to:content-type; bh=2DEjBBaTMZ8fgCHsWZhAJwYQ0qfHOHgn8UDBgaz4py0=; b=HNTYccDdt2DqGWG+wZeaA109wBWz2wqP2Xj6fCT3GPjZuO52IsMD9zhYx+MFpkcMmp N3+p50teFuOfxZzq6juKXs2+RIcN9eesrWTR5IX2Nz9ydZRZf4tZxxQ1+rID8z5jL2aK zQjYEeGVy0X6+DeG4wWP3ng/PWLDCDYYN5Ik0= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; b=g/uVGtcFzEANOfX52tH0xNYDRgbKzdFl1D0vBE45RUZ+dR6X0CE+6S4gHJHMlvtKci d9kaOPHx62FCEKjB9nM5gEViEm57PAIJhIU+cJV2T2m5AP/FDfNmKTuwD8Hx32O5GMCH 5wKsQ7WhwD1KR6+3ZsyObsfAXt8ym/3BBn26s= MIME-Version: 1.0 Received: by 10.213.110.2 with SMTP id l2mr120515ebp.94.1264730728129; Thu, 28 Jan 2010 18:05:28 -0800 (PST) In-Reply-To: <20100128182413.GI892@noncombatant.org> References: <20100128182413.GI892@noncombatant.org> From: Roger Date: Thu, 28 Jan 2010 21:05:08 -0500 Message-ID: <9d972bed1001281805v14b6ea86pbdba94e5057a37a8@mail.gmail.com> To: freebsd-security@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Jan 2010 02:05:29 -0000 Thank you for the clarification. I apologize for interrupting the flow of the thread. -r