From owner-freebsd-security Sat Dec 29 21:27:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id EA7F037B417 for ; Sat, 29 Dec 2001 21:27:27 -0800 (PST) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 69CF82D; Sat, 29 Dec 2001 23:27:27 -0600 (CST) Received: (from nectar@localhost) by madman.nectar.cc (8.11.6/8.11.6) id fBU5RPb80363; Sat, 29 Dec 2001 23:27:25 -0600 (CST) (envelope-from nectar) Date: Sat, 29 Dec 2001 23:27:25 -0600 From: "Jacques A. Vidrine" To: Allen Landsidel Cc: Rik , Ryan Thompson , freebsd-security@FreeBSD.ORG Subject: Re: MD5 password salt calculation Message-ID: <20011230052725.GB80312@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , Allen Landsidel , Rik , Ryan Thompson , freebsd-security@FreeBSD.ORG References: <20011229133456.J99302-100000@catalyst.sasknow.net> <20011229133456.J99302-100000@catalyst.sasknow.net> <5.1.0.14.0.20011230000743.00a91a80@rfnj.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5.1.0.14.0.20011230000743.00a91a80@rfnj.org> User-Agent: Mutt/1.3.23.1i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sun, Dec 30, 2001 at 12:16:33AM -0500, Allen Landsidel wrote: > At 04:30 AM 12/30/2001 +0000, Rik wrote: > >Salt is just some randomness thrown in so that you can't just make a > >standard dictionary to compare hashed passwords with. All you need to do > >is make the relevant number of random chars. Personally, I just run the > >current time as a string (from strftime(3)) through the hash, and take > >the first couple of chars as an index into an array of allowable chars > >(modulo the size of the array, obviously). > > That's a completely stupid way of generating a salt. ;) > > Actually, it's probably about as bad as you can get without abandoning the > salt completely. You are confusing salt with something that needs to be truly random. Password salts do not, and in fact in many systems the salt is a well-known transformation of the account name (e.g. see Kerberos). [snip] > Brute forcing this salt would be trivially easy just because of > that. You don't ``brute force'' salt. You have the salt. It is part of the crypted password. > Second, If you plan to use this in any sort of daemon, system utility, or > something that is otherwise logged, then there is no need to guess the salt > at all : The current date/time will be at worst in the log file for the > program, and at best in the last-accessed time for whatever the output file > is. There's no need to guess at all, because you already have it if you have the crypted password [1]. > At this point you're probably thinking "ok wiseguy, what's a good way to > generate the salt" and that goes to the very root of the problem; There > really are no "good" ways (outside of some sort of biometric) to generate > random numbers in a deterministic, finite-state machine like a PC. No, almost any method will do for salt, as long as the salt is mostly different for every username/password combination. The purpose of the salt is to prevent an attacker from precomputing the ciphertext version of a dictionary, and then just comparing the ciphertext for each word with the crypted password. For more information, see Schneier, ``Applied Cryptography 2nd Edition'', pp 52-53 or similar. Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message