Date: Tue, 28 Sep 2004 12:05:51 +0300
From: Giorgos Keramidas
To: Colin Percival
cc: freebsd-security@freebsd.org
Subject: Re: compare-by-hash (was Re: sharing /etc/passwd)

On 2004-09-27 07:13, Colin Percival wrote:
> Giorgos Keramidas wrote:
> >Increasing the number of bits the hash key uses will decrease the
> >possibility of a collision but never eliminate it entirely, AFAICT.
>
> How small does a chance of error need to be before you're willing to
> ignore it?

That's a good question.  I'm not sure I have a definitive answer, but the
possibility of a collision is indeed scary.  Especially since I haven't
seen a study of what the real probability of a collision is, given the
fact that passwords aren't (normally) random binary data but a much
smaller subset of the universe being hashed.

> If an appropriately strong hash is used (eg, SHA1), then the probability
> of obtaining an incorrect /etc/*pwd.db with a correct hash is much
> smaller than the probability of a random incorrect password being
> accepted.  Remember, passwords are stored by their MD5 hashes, so a
> random password has a 2^(-128) chance of working.

I was probably being unreasonably paranoid about 'modified' passwords that
don't get detected as modified, but what you describe is also true.