From owner-freebsd-security  Tue Jun 15 14:52:14 1999
Delivered-To: freebsd-security@freebsd.org
Received: from funky.monkey.org (funky.monkey.org [152.160.231.196])
	by hub.freebsd.org (Postfix) with ESMTP id 4303115456
	for <freebsd-security@FreeBSD.ORG>; Tue, 15 Jun 1999 14:52:11 -0700 (PDT)
	(envelope-from dugsong@monkey.org)
Received: by funky.monkey.org (Postfix, from userid 1001)
	id DCE0B23D87; Tue, 15 Jun 1999 17:51:46 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
	by funky.monkey.org (Postfix) with ESMTP
	id C70F115CC2; Tue, 15 Jun 1999 17:51:46 -0400 (EDT)
Date: Tue, 15 Jun 1999 17:51:46 -0400 (EDT)
From: Dug Song <dugsong@monkey.org>
To: Poul-Henning Kamp <phk@critter.freebsd.dk>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5? 
In-Reply-To: <7661.929481131@critter.freebsd.dk>
Message-ID: <Pine.BSO.4.10.9906151736550.26447-100000@funky.monkey.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 15 Jun 1999, Poul-Henning Kamp wrote:

> That said I'm sure their algorithm is at least as good, and quite 
> likely much better than the MD5 based one that I wrote, but the
> important thing is the '$1$' at the front of the password which
> will allow us to change the entire thing at moments notice...

OpenBSD's crypt has exactly the same version identifiers:

	dugsong:$2a$06$S19R7BvVkFxEkKfiYsGOk.RVtuPl5.SmnWU...
	        ^^^^
and they credited you this particular insight their paper (see
section 6.1.2, http://www.citi.umich.edu/u/provos/papers/bcrypt.ps.gz):

	MD5 crypt was written by Poul-Henning Kamp for FreeBSD...
	The output is the concatenation of the version identifier "$1$",
	the salt, a "$" separator, and the 128-bit hash output.

> I think they're missing the >real< point by a large margin, (or at least
> they did in the version I read).

what *is* the point, then, if not this?

	Instead of repeatedly throwing out functions like crypt and MD5
	crypt to start over with more expensive but incompatible ones,
	systems should allow the cost of any password manipulation
	software to scale gracefully with a tunable parameter.

having version identifiers in passwd entries solves only half the problem.

-d.

---
http://www.monkey.org/~dugsong/




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message