Date:      Sat, 15 Feb 1997 08:01:55 +0100
From:      Poul-Henning Kamp <phk@critter.dk.tfs.com>
To:        Aleph One <aleph1@dfw.net>
Cc:        Mats Lofkvist <mal@bengt.algonet.se>, freebsd-security@FreeBSD.org
Subject:   Re: blowfish passwords in FreeBSD 
Message-ID:  <11819.855990115@critter.dk.tfs.com>
In-Reply-To: Your message of "Fri, 14 Feb 1997 18:05:28 CST." <Pine.SUN.3.94.970214180127.22842A-100000@dfw.dfw.net> 

In message <Pine.SUN.3.94.970214180127.22842A-100000@dfw.dfw.net>, Aleph One writes:
>On Fri, 14 Feb 1997, Mats Lofkvist wrote:
>
>> Why did they feel the need for something better than md5?
>> Are there any known weaknesses in md5? 128 bits is enough to make md5
>> extremely secure until someone finds a serious flaw in the algorithm;
>> brute force attacks will probably never be a problem.
>
>Well, pseudo-collisions have been found in MD5. It has also been estimated
>that for 10 million 1994 dollars you could build a collision search
>machine that could find a collision in 24 days on average. Of course this
>doesn't mean much to anyone using MD5 for their passwords. For 10 million
>they'll just break into your place and take the machine. People are starting
>to believe MD5 is not as secure anymore, and looking at other alternatives.
>Even Rivest has said so.

Correct, but on the scale of things we are using it for here: hashing
of passwords, this is largely irrelevant.

We only use MD5 because it is a complex operation that scrambles bits
well and it is hard to parallelize (See the complaint in RFC-1810).

In other places where you protect things much more valuable with just
a single iteration of MD5, I would say that the published weaknesses
are to be taken seriously.

The important thing is if it is possible and feasible for a d00de with
a fast PC or even a hundred to brute force a password.

(Remember that it is usually easier to guess people's passwords anyway,
since people generally choose lousy passwords.  The only thing a
strong hash protects is good passwords.)

For this purpose our current MD5 based algorithm is fine and it can
be exported without trouble.

I have heard and seen very good passwords that were DES-scrambled being
found by brute-force; I have yet to hear the first report about that
happening with MD5.

But I'm all for having more algorithms, simply because that adds
another bit to the work for the crackers if they would want to
precompute dictionaries.

I'm all against Theo calling MD5 insecure, and I know he does it
merely to spread Fear, Doubt and Uncertainty and because it gives
such a nice hollow sound when he bangs his chest like he does.

I bet he hasn't even run any significant analysis to see if he has by
accident lost the decorrelation of the output of
blowfish...  I did that with MD5: the strongest correlation between
any one bit from input to output over a 10000000 sample was 0.00029
and the strongest two bit correlation was 0.00031. What are Theo's
numbers?

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@tfs.com           TRW Financial Systems, Inc.
Power and ignorance is a disgusting cocktail.
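The decorrelation figure quoted in the message (strongest single-bit input-to-output correlation over 10,000,000 samples) is the kind of check this added example reproduces on a small scale; it is not Poul-Henning Kamp's original code. It measures the largest |correlation| between any input bit and any output bit of MD5 over random inputs, reports the 1/sqrt(N) noise floor such an estimate carries (about 0.00032 for 10^7 samples, the magnitude of the figures quoted), and runs a copy-through function as the failing contrast. The 8-byte input width, the sample count and the seeded byte source are assumptions made for this example.

```python
import hashlib
import math
import random
from typing import Callable, List

def seeded_bytes(seed: int) -> Callable[[int], bytes]:
    """Deterministic random-byte source so a run is repeatable (constructed input)."""
    rng = random.Random(seed)
    return lambda n: rng.getrandbits(8 * n).to_bytes(n, "big")

def md5_digest(x: bytes) -> bytes:
    return hashlib.md5(x).digest()

def copy_through(x: bytes) -> bytes:
    """Deliberately bad 'hash' that passes input bits straight through."""
    return x

def bit_columns(values: List[int], nbits: int) -> List[int]:
    """Transpose nbits-wide integers: column i is an integer whose k-th bit is
    bit i of values[k], so one popcount compares a bit pair over all samples."""
    return [int("".join("1" if (v >> i) & 1 else "0" for v in values), 2)
            for i in range(nbits)]

def noise_floor(samples: int) -> float:
    """Standard deviation of a correlation estimated from N independent
    +1/-1 samples is 1/sqrt(N); a maximum of that size is statistical noise."""
    return 1.0 / math.sqrt(samples)

def max_bit_correlation(func: Callable[[bytes], bytes], in_bytes: int,
                        samples: int, rnd: Callable[[int], bytes]) -> float:
    """Largest |correlation| between any single input bit and any single output
    bit of func: +1/-1 when the bits always agree/disagree, 0 when independent."""
    inputs, outputs = [], []
    for _ in range(samples):
        x = rnd(in_bytes)
        inputs.append(int.from_bytes(x, "big"))
        outputs.append(int.from_bytes(func(x), "big"))
    out_bits = 8 * len(func(b"\0" * in_bytes))
    in_cols = bit_columns(inputs, 8 * in_bytes)
    out_cols = bit_columns(outputs, out_bits)
    mask = (1 << samples) - 1
    best = 0.0
    for ic in in_cols:
        for oc in out_cols:
            agree = bin(~(ic ^ oc) & mask).count("1")  # samples where the two bits agree
            best = max(best, abs(2 * agree - samples) / samples)
    return best

if __name__ == "__main__":
    n = 10_000  # small run; the message used 10,000,000 samples
    print("noise floor for 10^7 samples:", noise_floor(10_000_000))
    print("md5 max |corr|:", max_bit_correlation(md5_digest, 8, n, seeded_bytes(1)))
    print("copy-through max |corr|:", max_bit_correlation(copy_through, 8, n, seeded_bytes(1)))
```

The MD5 maximum should land within a few multiples of noise_floor(n), while the copy-through function reports exactly 1.0 because each output bit equals an input bit.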