Date: Fri, 29 May 1998 13:04:56 -0700 (PDT)
From: Steve Reid
To: Open Systems Networking
cc: Cory Kempf, freebsd-security@FreeBSD.ORG
Subject: Re: MD5 v. DES?

> > Is there a discussion somewhere about the merits of MD5 v. DES?
> > E.g. what advantages one has over the other?
>
> If I recall from past memories MD5 I believe is faster.

The MD5 password hashing scheme in FreeBSD is slower than the traditional DES hashing.

Both schemes, when they were designed, were deliberately made slow to make programs like "crack" slower. DES was extended to 25 rounds instead of the usual 16, and MD5 runs hundreds(?) of iterations of the hash function.

The DES scheme was designed for a time when processors were not as fast as they are now, and so "crack" is very efficient when attacking DES-based password files. The MD5-based crypt is much slower, so "crack" takes considerably longer to run. Using MD5 instead of DES will use more of your CPU cycles, but the crackers feel it _much_ more because they have to run crypt constantly until the crack run is completed, instead of just running a crypt once at login.

MD5 also has the benefit of being exportable, whereas DES is subject to restrictions in many countries because it was designed for encryption.