From owner-freebsd-current Tue Jun 20 00:08:37 1995 Return-Path: current-owner Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id AAA01211 for current-outgoing; Tue, 20 Jun 1995 00:08:37 -0700 Received: (from phk@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id AAA01200 ; Tue, 20 Jun 1995 00:08:36 -0700 From: Poul-Henning Kamp Message-Id: <199506200708.AAA01200@freefall.cdrom.com> Subject: Re: Crypto code - an architectural proposal. To: mark@grondar.za (Mark Murray) Date: Tue, 20 Jun 1995 00:08:36 -0700 (PDT) Cc: terry@cs.weber.edu, wollman@halloran-eldar.lcs.mit.edu, current@freebsd.org In-Reply-To: <199506200621.IAA01213@grumble.grondar.za> from "Mark Murray" at Jun 20, 95 08:21:05 am X-Mailer: ELM [version 2.4 PL24] Content-Type: text Content-Length: 1412 Sender: current-owner@freebsd.org Precedence: bulk > > > I agree that the hack-attack prevention is a poor reason for slowing down > > > crypt(). > > > > The MD5 based crypt() I wrote for 2.0 had this in mind. It is sufficiently > > slow that brute-force attacks are not fun, and it is frustrated by a > > millisecond timestamp so dictionary attacks become very bulky. > > The timestamp can be stripped down by anyone with access to the source. > OK, this does not help anyone bashing at the front door, but there are > those hackers who with a Sparc or an Alpha and the MD5 source will > really clobber a password file using Crack... > The timestamp cannot be stripped out by any known method at this point. I tried with a rather large network, and a really optimistic guess at a brute force attempt, including a factor 2 increase per year in speed still gives way over 100 years. > > Ten years from now it will probably have to be slowed down again :-( > > Who says some clever Maths/Crypto boffin hasn't got a faster algorithm > _now_? Look at fcrypt versus Classic crypt(3). MD5 isn't particular easy to speed up. Check the source. The MD5 crypt() is way stronger that DES crypt(). -- Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team. http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox. whois: [PHK] | phk@ref.tfs.com TRW Financial Systems, Inc. Just that: dried leaves in boiling water ?