From: Poul-Henning Kamp
To: Aleph One
cc: Mats Lofkvist, freebsd-security@FreeBSD.org
Subject: Re: blowfish passwords in FreeBSD
In-reply-to: Your message of "Fri, 14 Feb 1997 18:05:28 CST."
Date: Sat, 15 Feb 1997 08:01:55 +0100
Message-ID: <11819.855990115@critter.dk.tfs.com>

In message, Aleph One writes:
>On Fri, 14 Feb 1997, Mats Lofkvist wrote:
>
>> Why did they feel the need for something better than md5?
>> Are there any known weaknesses in md5? 128 bits is enough to make md5
>> extremely secure until someone finds a serious flaw in the algorithm;
>> brute force attacks will probably never be a problem.
>
>Well, pseudo-collisions have been found in MD5. It has also been estimated
>that for 10 million 1994 dollars you could build a collision search
>machine that could find a collision in 24 days on average. Of course this
>doesn't mean much to anyone using MD5 for their passwords. For 10 million
>they'll just break into your place and take the machine. People are starting
>to believe MD5 is not as secure anymore, and are looking at other alternatives.
>Even Rivest has said so.

Correct, but on the scale of things we are using it for here, hashing of passwords, this is largely irrelevant.
We only use MD5 because it is a complex operation that scrambles bits well and it is hard to parallelize (see the complaint in RFC-1810). In other places, where you protect things much more valuable with just a single iteration of MD5, I would say that the published weaknesses are to be taken seriously.

The important thing is whether it is possible and feasible for a d00de with a fast PC, or even a hundred, to brute-force a password. (Remember that it is usually easier to guess people's passwords anyway, since people generally choose lousy passwords. The only thing a strong hash protects is good passwords.)

For this purpose our current MD5-based algorithm is fine, and it can be exported without trouble. I have heard of and seen very good passwords that were DES-scrambled be found by brute force; I have yet to hear the first report of that happening with MD5.

But I'm all for having more algorithms, simply because that adds another bit to the work for the crackers if they would want to precompute dictionaries.

I'm all against Theo calling MD5 unsecure, and I know he does it merely to spread Fear, Doubt and Uncertainty, and because it gives such a nice hollow sound when he bangs his chest like he does. I bet he hasn't even run any significant analysis to see if he has by accident lost the decorrelation of the output of blowfish... I did that with MD5: the strongest correlation between any one bit from input to output over a 10000000 sample was 0.00029, and the strongest two-bit correlation was 0.00031. What are Theo's numbers?

--
Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox.
whois: [PHK] | phk@tfs.com TRW Financial Systems, Inc.
Power and ignorance is a disgusting cocktail.