Date: Mon, 3 Sep 2001 17:34:33 -0700
From: Kris Kennaway
To: murray@FreeBSD.org
Cc: efrias@sg505.net, freebsd-doc@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: docs/14158: md5(1) manpage should not claim the md5 algorithm to be secure
Message-ID: <20010903173433.E38717@xor.obsecurity.org>

On Mon, Sep 03, 2001 at 05:17:28PM -0700, murray@FreeBSD.org wrote:
> Synopsis: md5(1) manpage should not claim the md5 algorithm to be secure
>
> State-Changed-From-To: open->analyzed
> State-Changed-By: murray
> State-Changed-When: Mon Sep 3 17:16:01 PDT 2001
> State-Changed-Why:
> How about this patch? It is essentially taken from md5(3). I think
> that we should mention the potential weakness in the user level
> command, not just in the library.

Looks fine as far as it goes, but we should note somewhere that FreeBSD's MD5 algorithm is expected to be better protected against this by virtue of the fact that it does something like 1000 iterations of md5. The algorithm would probably need to be comprehensively broken to affect the security of FreeBSD password hashes.

Kris