From: Xin LI
Organization: The Geek China Organization
Date: Thu, 28 Jan 2010 11:56:14 -0800
To: freebsd-security@freebsd.org
Subject: Re: PHK's MD5 might not be slow enough anymore
Message-ID: <4B61EBDE.1040604@delphij.net>
In-Reply-To: <20100128182413.GI892@noncombatant.org>

Hi, Chris,

On 2010/01/28 10:24, Chris Palmer wrote:
> See your copy of /usr/src/lib/libcrypt/crypt-md5.c:

I'd appreciate your effort put into this but I feel it necessary to say
something on this topic.

The slowness was useful at the time when the code was written, but I
don't think it would buy us as much nowadays, expect the slowness be
halved from time to time, not to mention the use of distributed
techniques to accelerate the build of dictionaries.

Second, recent research has shown MD5 to be vulnerable to collision
attacks [1] by the end of 2008. It's time to switch to some better
algorithm, maybe something like Skein, etc...

[1] http://www.kb.cert.org/vuls/id/836068

-- 
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die