From owner-freebsd-security  Mon Nov 16 11:32:09 1998
Return-Path:
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id LAA25959
          for freebsd-security-outgoing; Mon, 16 Nov 1998 11:32:09 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from weathership.homeport.org (weathership.homeport.org [207.31.235.99])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA25876
          for ; Mon, 16 Nov 1998 11:32:03 -0800 (PST)
          (envelope-from adam@weathership.homeport.org)
Received: (from adam@localhost)
          by weathership.homeport.org (8.8.8/8.8.5) id OAA11731;
          Mon, 16 Nov 1998 14:45:57 -0500 (EST)
Message-ID: <19981116144556.A11685@weathership.homeport.org>
Date: Mon, 16 Nov 1998 14:45:56 -0500
From: Adam Shostack
To: Robert Watson , Thomas Valentino Crimi
Cc: Terry Lambert , freebsd-security@FreeBSD.ORG
Subject: Re: Would this make FreeBSD more secure?
References: <0qI4qUS00YUq09JbU0@andrew.cmu.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93i
In-Reply-To: ; from Robert Watson on Mon, Nov 16, 1998 at 12:46:24PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

My understanding of Dobbertin's attack is that he generates both
halves of a collision pair, not finds an arbitrary match to a
pre-existing value.  If he has the latter, that may or may not
transform into an attack on the password system.  You'll need to find
a printable (<9 character?) value that collides if you want to attack
the password system via this route.

Adam

On Mon, Nov 16, 1998 at 12:46:24PM -0500, Robert Watson wrote:
| On Mon, 16 Nov 1998, Thomas Valentino Crimi wrote:
| > And then we have md5 passwords, arguably broken, now, but orders of
| > magnitudes better than DES.
|
| I don't think I would consider md5 broken exactly.  Just subject to
| intermittent collisions.  Is there a deterministic (and fast) way to
| detect whether one is employing a hash subject to the described collision
| attack?  If so, perhaps we can add a piece of code that attempts a number
| of values of salt, resulting in a more friendly hash.
|
| I prefer one-time passwords for security applications; on the other hand I
| eagerly await a nice (scalable) PK authentication system used with
| hardware keys.

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
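
Added example (not part of the original message and not FreeBSD code): the distinction the message draws between generating both halves of a collision pair and matching a pre-existing value, run on a toy hash with inputs limited to printable strings shorter than 9 characters. Assumptions: MD5 is truncated to 16 bits and used unsalted so both searches finish quickly, `STORED` is a constructed password, and all function names are hypothetical.

```python
import hashlib

BITS = 16                # assumption: toy truncation, not real MD5 strength
STORED = b"Tr0ub4d!"     # constructed sample password (8 printable chars)

def toy_hash(data: bytes) -> int:
    """Top BITS bits of MD5(data); a stand-in, not FreeBSD's salted md5 crypt."""
    word = int.from_bytes(hashlib.md5(data).digest()[:4], "big")
    return word >> (32 - BITS)

def candidates():
    """Printable inputs shorter than 9 characters: "0" .. "99999999"."""
    for i in range(10**8):
        yield str(i).encode()

def find_collision():
    """Attacker chooses BOTH inputs; any two candidates with equal hashes do.
    Birthday bound: expected on the order of 2**(BITS/2) tries."""
    seen = {}
    for tries, msg in enumerate(candidates(), 1):
        h = toy_hash(msg)
        if h in seen:
            return seen[h], msg, tries
        seen[h] = msg
    raise RuntimeError("candidate space exhausted")

def find_preimage(target: int):
    """Attacker must hit ONE hash fixed in advance (the stored password's).
    Expected on the order of 2**BITS tries."""
    for tries, msg in enumerate(candidates(), 1):
        if toy_hash(msg) == target:
            return msg, tries
    raise RuntimeError("no printable preimage under 9 characters")

if __name__ == "__main__":
    a, b, n = find_collision()
    print(f"collision: {a!r} / {b!r} after {n} tries")
    m, n = find_preimage(toy_hash(STORED))
    print(f"printable match for stored hash: {m!r} after {n} tries")
```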