From owner-freebsd-security Mon May 3 7: 6:38 1999 Delivered-To: freebsd-security@freebsd.org Received: from weathership.homeport.org (weathership.homeport.org [207.31.235.99]) by hub.freebsd.org (Postfix) with ESMTP id 8DB2B15136 for ; Mon, 3 May 1999 07:06:02 -0700 (PDT) (envelope-from adam@weathership.homeport.org) Received: (from adam@localhost) by weathership.homeport.org (8.8.8/8.8.5) id KAA25736; Mon, 3 May 1999 10:22:20 -0400 (EDT) Date: Mon, 3 May 1999 10:22:20 -0400 From: Adam Shostack To: Peter Jeremy Cc: freebsd-security@FreeBSD.ORG Subject: Re: Blowfish/Twofish Message-ID: <19990503102220.A25694@weathership.homeport.org> References: <99May3.114810est.40331@border.alcanet.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.3i In-Reply-To: <99May3.114810est.40331@border.alcanet.com.au>; from Peter Jeremy on Mon, May 03, 1999 at 12:02:44PM +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, May 03, 1999 at 12:02:44PM +1000, Peter Jeremy wrote: | Adam Shostack wrote: | >The reason to not use it for passwords is that the function you want | >(if you're going to not change the model), is a hash function, not a | >block cipher. | | You'd better let Bob Morris know this :-). | | Why can't a block cipher (like, say DES) be used for a password | hashing function? (I realise that the DES used for Unix password | hashing is `tweaked', but that was done solely to prevent people using | off-the-shelf DES hardware to crack passwords - the salt can be | injected in several other ways). It can, but when you want irreversability, its useful to use a function designed with that in mind. The fact that you can use block ciphers as hashes, and hashes as block ciphers, does not mean that its a good idea to go around doing so. It means that the theoreticians in the field are working out how they interact. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message