From owner-freebsd-security@FreeBSD.ORG Thu Jan 28 20:10:53 2010
Date: Thu, 28 Jan 2010 12:11:00 -0800
From: Chris Palmer
To: d@delphij.net, freebsd-security@freebsd.org
Message-ID: <20100128201100.GO892@noncombatant.org>
References: <20100128182413.GI892@noncombatant.org> <4B61EBDE.1040604@delphij.net>
In-Reply-To: <4B61EBDE.1040604@delphij.net>
Subject: Re: PHK's MD5 might not be slow enough anymore

Xin LI writes:

> The slowness was useful at the time when the code was written, but I don't
> think it would buy us as much nowadays, expect the slowness be halved from
> time to time, not to mention the use of distributed techniques to
> accelerate the build of dictionaries.

The goal is to make the attacker *have* to use distributed techniques and to buy more gear, rather than simply be able to brute them all in a few minutes on a single cheap PC. MD5_SLOW is the factor by which you increase the attacker's cost; it is easy for the defender to go very high here because checking any one password is still fast.

Distributed attacks existed when PHK wrote the code originally, too -- I don't think anything has fundamentally changed since then. Attackers use arrays of GPUs now? Ok, increase MD5_SLOW some more.

> Second, recent research has shown MD5 to be vulnerable to collision
> attacks [1] by the end of 2008.

I'm not sure that attack against MD5 is relevant here, because we're not using it in a way where collisions hurt. (Someone correct me if I'm wrong.) In fact, moving to a modern hash would weaken the defense, because e.g. Skein is brilliantly fast -- the opposite of our goal.

See also:

http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html

"""The major advantage of adaptive hashing is that you get to tune it. As computers get faster, the same block of code continues to produce passwords that are hard to crack."""
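The tunable-cost idea the message argues for (a round count that the defender raises as hardware gets faster, with one verification staying cheap), shown as an added example that is not from the thread and is not PHK's md5crypt: a simplified salted, iterated MD5 whose round count is stored with the hash, plus a calibration routine that picks the round count for a target verification time on the current host. The `$demo$` format and the function names are constructed for this example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed demo scheme (NOT PHK's md5crypt): MD5 chained `rounds` times over
# salt and password. `rounds` plays the role the thread calls MD5_SLOW: every
# extra round is one more MD5 the attacker must compute per guess, while the
# defender still computes it only once per login.

def iterated_md5(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Digest of `rounds` chained MD5 operations; each round re-mixes the password."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    digest = hashlib.md5(salt + password).digest()
    for _ in range(rounds - 1):
        # Feeding the password back in each round means no round can be skipped
        # or precomputed independently of the guess being tested.
        digest = hashlib.md5(digest + password).digest()
    return digest

def hash_password(password: str, rounds: int, salt: Optional[bytes] = None) -> str:
    """Return '$demo$<rounds>$<salt hex>$<digest hex>' (constructed format)."""
    if salt is None:
        salt = os.urandom(8)  # per-password salt defeats shared rainbow tables
    digest = iterated_md5(password.encode(), salt, rounds)
    # Storing the round count lets the site raise the cost for new entries
    # while old entries still verify with the count they were created with.
    return f"$demo${rounds}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    _, scheme, rounds, salt_hex, digest_hex = stored.split("$")
    if scheme != "demo":
        raise ValueError("unknown hash scheme")
    candidate = iterated_md5(password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def calibrate_rounds(target_seconds: float, start: int = 1000) -> int:
    """Smallest power-of-two multiple of `start` whose verification takes at
    least `target_seconds` here. Re-run as hardware improves: the answer grows,
    which is the 'tune it' step the thread describes."""
    rounds = start
    while True:
        t0 = time.perf_counter()
        iterated_md5(b"calibration", b"saltsalt", rounds)
        if time.perf_counter() - t0 >= target_seconds:
            return rounds
        rounds *= 2

if __name__ == "__main__":
    rounds = calibrate_rounds(0.05)  # aim for ~50 ms per login check
    stored = hash_password("correct horse battery staple", rounds)
    print(stored, verify_password("correct horse battery staple", stored))
```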