From owner-freebsd-security Mon May 3 12:39: 0 1999
Delivered-To: freebsd-security@freebsd.org
Received: from weathership.homeport.org (weathership.homeport.org [207.31.235.99]) by hub.freebsd.org (Postfix) with ESMTP id A110615362 for ; Mon, 3 May 1999 12:38:56 -0700 (PDT) (envelope-from adam@weathership.homeport.org)
Received: (from adam@localhost) by weathership.homeport.org (8.8.8/8.8.5) id PAA28496; Mon, 3 May 1999 15:52:05 -0400 (EDT)
Date: Mon, 3 May 1999 15:52:05 -0400
From: Adam Shostack
To: andrewr
Cc: David Mazieres , phk@critter.freebsd.dk, peter.jeremy@auss2.alcatel.com.au, freebsd-security@FreeBSD.ORG, provos@openbsd.org
Subject: Re: Blowfish/Twofish
Message-ID: <19990503155204.A28374@weathership.homeport.org>
References: <199905031554.LAA09846@reeducation-labor.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: ; from andrewr on Mon, May 03, 1999 at 03:25:00PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, May 03, 1999 at 03:25:00PM -0400, andrewr wrote:
| > You could easily create an implementation of bcrypt that could not be
| > used as a block cipher. What exactly is magically blessed about MD5?
| > MD5's compression function (or MD5 itself) functions perfectly well as
| > a block cipher in OFB or CFB modes. Is there some directive from the
| > US government allowing the export of MD5 in source form?
|
| Are you suggesting the use of MD5? I'm assuming it would be bad to use MD5
| because it is much quicker for one to possibly crack users' passwords..

I'm suggesting that a design that uses a cipher to do a hash function's
job is sub-optimal, except in cases where such adaptation can be shown to
have advantages. Such advantages can include tweaking the noses of the
export control authorities, taking advantage of fast or secure hardware,
taking better advantage of few gates in hardware, or extensive analysis
of the underlying algorithm.

In the case of DES, it can be argued that the heavy analysis that crypt()
has undergone can be seen as an advantage, but that advantage doesn't
carry to *fish.

If you want to use any other construction, you'll need to analyze time
issues, including brute force timing. It seems likely that using md5
would require a bunch of iterations. You could probably use fewer
iterations of SHA-1, and yet fewer with RIPEMD-160 to absorb the same
amount of attacker CPU time.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                               -Hume

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
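The last paragraph of the message makes a point that is easy to state and easy to get wrong in practice: a password hash built from an iterated digest sets the attacker's per-guess cost through the iteration count, and a slower-per-round digest needs fewer rounds to absorb the same CPU time. The following is an added illustration, not code from the thread, from FreeBSD, or from bcrypt/crypt(); the salted chaining construction `stretched_hash` and the calibration routine `rounds_for_target` are constructed for this example and are not a recommended production scheme. It assumes the digests named in the thread are available through Python's `hashlib` (RIPEMD-160 is skipped if the local OpenSSL does not provide it).

```python
import hashlib
import hmac
import time

# Constructed example: a salted, iterated digest chain. Each round feeds the
# previous output back in, so the rounds cannot be parallelised within a
# single guess and the cost per guess grows linearly with `rounds`.
def stretched_hash(password: bytes, salt: bytes, rounds: int, algo: str = "md5") -> bytes:
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    digest = hashlib.new(algo, salt + password).digest()
    for _ in range(rounds - 1):
        digest = hashlib.new(algo, digest + salt + password).digest()
    return digest


def verify(password: bytes, salt: bytes, rounds: int, algo: str, expected: bytes) -> bool:
    # Constant-time comparison so the check itself leaks nothing about `expected`.
    return hmac.compare_digest(stretched_hash(password, salt, rounds, algo), expected)


def rounds_for_target(algo: str, target_seconds: float, sample_rounds: int = 20000) -> int:
    """Time `sample_rounds` rounds of `algo` on this machine and scale to the
    number of rounds that costs roughly `target_seconds` per guess.
    A digest that is slower per round (SHA-1 vs MD5, say) comes out with a
    smaller round count for the same attacker CPU budget, which is the
    trade-off the message describes."""
    start = time.perf_counter()
    stretched_hash(b"calibration-input", b"\x00" * 16, sample_rounds, algo)
    per_round = (time.perf_counter() - start) / sample_rounds
    return max(1, int(target_seconds / per_round))


def compare_round_counts(target_seconds: float, algos=("md5", "sha1", "ripemd160")) -> dict:
    """Round counts per digest needed to reach the same per-guess cost.
    Digests the local hashlib cannot construct are left out rather than guessed."""
    counts = {}
    for algo in algos:
        try:
            hashlib.new(algo)
        except ValueError:
            continue  # e.g. ripemd160 missing from the OpenSSL build
        counts[algo] = rounds_for_target(algo, target_seconds)
    return counts


if __name__ == "__main__":
    # Constructed sample inputs.
    salt = b"\x8f\x01\x4a\x7c\x13\x99\xd2\x6e"
    pw = b"correct horse battery staple"
    for algo, rounds in compare_round_counts(0.05).items():
        h = stretched_hash(pw, salt, rounds, algo)
        print(f"{algo:10s} rounds={rounds:7d} ok={verify(pw, salt, rounds, algo, h)}")
```

The calibration is only meaningful on the hardware where it runs; an attacker with faster hardware or a GPU implementation of the same digest gets proportionally more guesses per second, which is why the round count has to be chosen against the adversary's CPU budget rather than the server's convenience.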