From: David Schultz
To: Colin Percival
Cc: freebsd-security@FreeBSD.ORG, Giorgos Keramidas
Date: Tue, 28 Sep 2004 12:13:59 -0400
Subject: Re: compare-by-hash (was Re: sharing /etc/passwd)
Message-ID: <20040928161359.GA22274@VARK.MIT.EDU>

On Mon, Sep 27, 2004, Colin Percival wrote:
> If an appropriately strong hash is used (eg, SHA1), then the probability
> of obtaining an incorrect /etc/*pwd.db with a correct hash is much
> smaller than the probability of a random incorrect password being
> accepted. Remember, passwords are stored by their MD5 hashes, so a
> random password has a 2^(-128) chance of working.
>
> If, on the other hand, you're concerned about accidentally locking
> yourself out of the server as a result of an undetected mangling of the
> password database... you should be more worried about the server, and
> all your backups, being simultaneously hit by lightning. :-)

One thing to keep in mind is that the collision-resistance of SHA-1 is
an unproven conjecture. Back in the dark ages of cryptography, Rivest
conjectured that MD4 and MD5 were also collision-resistant, and this
turned out not to be true. In fact, recent results have raised some
concerns about SHA-1 (http://eprint.iacr.org/2004/146/).

There's some speculation that SHA-1 is broken in the sense that you are
likely to find a collision after computing far fewer than 2^80 hashes;
however, people still seem to consider it good enough for SSL/TLS and
numerous other protocols. If they're wrong, of course, I think people
will be much more concerned about digital signatures than rsync.
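
The two figures in this exchange measure different things: the chance that unrelated inputs collide by accident, and the roughly 2^(n/2) hashes a deliberate birthday search needs against an ideal n-bit hash (2^80 for SHA-1's 160 bits). The sketch below is an added example, not part of the original message; it truncates SHA-1 to a few bits so the birthday search finishes quickly, and the message strings and function names are constructed for illustration.

```python
import hashlib

def truncated_sha1(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-1(data) as an integer (a toy short hash)."""
    full = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return full >> (160 - bits)

def find_collision(bits: int, max_tries: int = 1 << 22):
    """Birthday search: hash distinct constructed messages until two share
    the same truncated digest. Returns (msg_a, msg_b, hashes_computed)."""
    seen = {}
    for i in range(max_tries):
        msg = b"constructed-message-%d" % i  # constructed sample input
        tag = truncated_sha1(msg, bits)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg
    raise RuntimeError("no collision within max_tries")

def accidental_collision_probability(n_items: int, bits: int) -> float:
    """Birthday approximation n(n-1)/2 / 2^bits for n random,
    non-adversarial inputs under an ideal `bits`-bit hash."""
    return n_items * (n_items - 1) / 2 / 2.0 ** bits

if __name__ == "__main__":
    # Work grows like 2^(bits/2), not 2^bits: the same scaling gives
    # 2^80 for a full 160-bit digest that behaves ideally.
    for bits in (16, 24, 32):
        a, b, tries = find_collision(bits)
        print(f"{bits}-bit digest: collision after {tries} hashes "
              f"(2^{bits // 2} = {1 << (bits // 2)})")
    # Accidental collision among a billion files at 160 bits.
    print(f"accidental, 1e9 items, 160 bits: "
          f"{accidental_collision_probability(10**9, 160):.2e}")
```

The accidental-collision figure stays negligible however the hash is attacked; it is only the deliberate-search cost that drops if the hash falls short of the ideal bound.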