From: Gleb Kurtsou <gleb.kurtsou@gmail.com>
To: "Simon L. B. Nielsen"
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org
Date: Sun, 10 Jun 2012 17:53:51 +0300
Subject: Re: Default password hash
Message-ID: <20120610145351.GA1098@reks>
In-Reply-To: <6E26E03B-8D1D-44D3-B94E-0552BE5CA894@FreeBSD.org>
References: <86r4tqotjo.fsf@ds4.des.no> <6E26E03B-8D1D-44D3-B94E-0552BE5CA894@FreeBSD.org>

On (10/06/2012 11:02), Simon L. B. Nielsen wrote:
> 
> On 8 Jun 2012, at 13:51, Dag-Erling Smørgrav wrote:
> 
> > We still have MD5 as our default password hash, even though known-hash
> > attacks against MD5 are relatively easy these days. We've supported
> > SHA256 and SHA512 for many years now, so how about making SHA512 the
> > default instead of MD5, like on most Linux distributions?
> 
> Has anyone looked at how long the SHA512 password hashing actually takes on modern computers?
> 
> The "real" solution for people who care significantly about this seems something like the algorithm pjd implemented (I think he did it at least) for GELI, where the number of rounds is variable and calculated so it takes X/0.X seconds on the specific hardware used. That's of course a lot more complicated, and I'm not sure if it would work with the crypt() API.

Do you mean pkcs5v2_calculate from geli? It seems to have a drawback that the results produced depend on the actual CPU load.
    % ./pkcs5v-test [*]
    541491
    539568
    542352
    540376
    388285   -- start several instances of pkcs5v-test in parallel
    303071
    284793
    281110

It would be awesome to provide the user with options to configure a minimal and maximal iteration count and randomly choose an iteration count within the range for each new password. Such a trivial change should considerably complicate mass password bruteforce cracking. A variable number of rounds for a password would also require changing the crypt() interface.

> Also, does anyone know if our SHA512 is compatible with the format used by Linux, other BSD's etc?

It's supposed to be compatible with Linux. DragonFly invented something on their own with a nasty bug in it. They could have changed to "standard" crypt on top of sha-2 after the bug was discovered.

http://www.openwall.com/lists/oss-security/2012/01/16/2

Why does nobody mention scrypt? It looks very attractive in the longer perspective.

Thanks,
Gleb.

* pkcs5v-test.c:

    #include <stdio.h>

    /*
     * pkcs5v2_calculate() is geli's iteration-count calibration routine;
     * this test program is compiled together with the geli source that
     * provides it and prints the value it returns ten times in a row.
     */
    int
    main(int argc, char **argv)
    {
    	int i, usec;

    	for (i = 0; i < 10; i++) {
    		usec = pkcs5v2_calculate(2000000, 512 / 8, 4);
    		printf("%d\n", usec);
    	}
    	return (0);
    }
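As an added illustration of the two ideas discussed in this message (not code from the thread, from geli or from FreeBSD's crypt), the Python below does a wall-clock calibration loop in the spirit of pkcs5v2_calculate, which by construction gives a load-dependent answer, and then a password hash that draws a random PBKDF2-HMAC-SHA512 iteration count from a configured [min, max] range for each new password. The round count is stored in the hash string next to the salt, the same way Drepper's sha-crypt format carries rounds=N in its salt prefix, so verification recovers it from the stored value alone. The `$pbkdf2-sha512$rounds=N$salt$key` layout and all function names are this example's own assumptions.

```python
"""Per-password random iteration count stored alongside the salt (example)."""
import hashlib
import hmac
import os
import secrets
import time

# Constructed, example-only format tag; not a real crypt(3) identifier.
SCHEME = "pbkdf2-sha512"
KEYLEN = 64  # 512 bits of derived key, matching the 512 / 8 in pkcs5v-test.c


def calibrate_iterations(target_usec, keylen=KEYLEN):
    """Double the iteration count until one derivation takes at least
    target_usec microseconds of wall-clock time on this machine.

    This mirrors the calibrate-to-hardware idea from geli: the result is a
    measurement, so a loaded CPU yields a smaller count than an idle one.
    """
    salt = b"\x00" * 16          # fixed throwaway salt; only timing matters
    iterations = 1
    while True:
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha512", b"calibration", salt, iterations, keylen)
        elapsed_usec = (time.perf_counter() - start) * 1_000_000
        if elapsed_usec >= target_usec:
            return iterations
        iterations *= 2


def hash_password(password, min_rounds, max_rounds, rounds=None, salt=None):
    """Hash with a round count chosen uniformly from [min_rounds, max_rounds].

    rounds/salt may be passed explicitly (deterministic output for tests);
    otherwise they are drawn from a CSPRNG. The chosen round count is
    embedded in the returned string so no extra API parameter is needed.
    """
    if min_rounds < 1 or max_rounds < min_rounds:
        raise ValueError("invalid round range")
    if rounds is None:
        rounds = min_rounds + secrets.randbelow(max_rounds - min_rounds + 1)
    if not min_rounds <= rounds <= max_rounds:
        raise ValueError("rounds outside configured range")
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds, KEYLEN)
    return "$%s$rounds=%d$%s$%s" % (SCHEME, rounds, salt.hex(), dk.hex())


def parse_hash(stored):
    """Split '$scheme$rounds=N$salthex$keyhex' into (rounds, salt, key)."""
    fields = stored.split("$")
    if (len(fields) != 5 or fields[0] != "" or fields[1] != SCHEME
            or not fields[2].startswith("rounds=")):
        raise ValueError("unrecognised hash format")
    rounds = int(fields[2][len("rounds="):])
    return rounds, bytes.fromhex(fields[3]), bytes.fromhex(fields[4])


def verify_password(password, stored):
    """Re-derive with the stored rounds and salt; constant-time compare."""
    rounds, salt, expected = parse_hash(stored)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds, len(expected))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    # Calibrate to a 50 ms budget, then use [cal, 2*cal] as the random range.
    cal = calibrate_iterations(50_000)
    print("calibrated iterations for ~50 ms:", cal)
    stored = hash_password("correct horse battery staple", cal, 2 * cal)
    print("stored:", stored)
    print("verify ok:", verify_password("correct horse battery staple", stored))
    print("verify wrong:", verify_password("wrong password", stored))
```

Because each stored hash announces its own round count, an attacker running a dictionary against a leaked database cannot amortise one fixed cost across all entries; the range makes per-hash cost vary, and the lower bound still guarantees a floor. The calibration routine should be run once at install time rather than per login, since its result moves with whatever else the machine happens to be doing, which is exactly the drawback noted above.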