From owner-freebsd-security  Fri May 29 19:38:09 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id TAA29518
          for freebsd-security-outgoing; Fri, 29 May 1998 19:38:09 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from wumpus.its.uow.edu.au (wumpus.its.uow.edu.au [130.130.68.12])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA29509
          for <freebsd-security@FreeBSD.ORG>; Fri, 29 May 1998 19:38:02 -0700 (PDT)
          (envelope-from ncb05@uow.edu.au)
Received: from banshee.cs.uow.edu.au (ncb05@banshee.cs.uow.edu.au [130.130.188.1])
	by wumpus.its.uow.edu.au (8.9.0.Beta5/8.9.0.Beta5) with SMTP id MAA03167;
	Sat, 30 May 1998 12:37:51 +1000 (EST)
Date: Sat, 30 May 1998 12:37:50 +1000 (EST)
From: Nicholas Charles Brawn <ncb05@uow.edu.au>
X-Sender: ncb05@banshee.cs.uow.edu.au
To: Jason Hudgins <thanatos@eddie.incantations.net>
cc: freebsd-security@FreeBSD.ORG
Subject: Re: MD5 v. DES?
In-Reply-To: <Pine.BSF.3.96.980529133154.13428A-100000@eddie.incantations.net>
Message-ID: <Pine.SOL.3.96.980530122602.16928A-100000@banshee.cs.uow.edu.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 29 May 1998, Jason Hudgins wrote:

> > redirected to -security
> > 
> > > Is there a discussion somewhere about the merits of MD5 v. DES?
> > > E.g. what advantages one has over the other?
> > 
> > If I recall from past memories MD5 i believe is faster. 
> 
> Which in my opinion, is not nessecarily a good thing.

It also depends on what exactly you are discussing. MD5 is a one-way hash
algorithm, whereas DES is an encryption algorithm with several different
modes used for encryption (ecb, cbc, 3des, etc).

Also, with regards to speed, if you're concerned primarily with system
security, and don't require hundreds or more authentications per second
(ecommerce perhaps), you should probably go for something that takes a bit
longer to generate a key. This will slow down brute-force key search
attacks. An example of this would be hashing a given string "x" times
before sending it to crypt(3).

Along parallel lines, is anyone working on patching /usr/bin/passwd to be
proactive in rejecting bad passwords instead of simply "suggesting" that
the supplied string is too short/weak/lowercase/etc? It is trivial to
patch the code to do so but it'd be nice if it happened by default. :)

> Jason Hudgins
> http://www.incantations.net/~thanatos

Nick

--
Email: ncb05@uow.edu.au - DE 30 33 D3 16 91 C8 8D  A7 F8 70 03 B7 77 1A 2A	
http://rabble.uow.edu.au/~nick - public key available on request.
Nicholas Brawn - Computer Science Undergraduate, University of Wollongong.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message