Date: Mon, 3 May 1999 15:52:05 -0400
From: Adam Shostack <adam@homeport.org>
To: andrewr <andrewr@slack.net>
Cc: David Mazieres <dm@reeducation-labor.lcs.mit.edu>, phk@critter.freebsd.dk, peter.jeremy@auss2.alcatel.com.au, freebsd-security@FreeBSD.ORG, provos@openbsd.org
Subject: Re: Blowfish/Twofish
Message-ID: <19990503155204.A28374@weathership.homeport.org>
In-Reply-To: <Pine.NEB.3.96.990503152350.29864A-100000@brooklyn.slack.net>; from andrewr on Mon, May 03, 1999 at 03:25:00PM -0400
References: <199905031554.LAA09846@reeducation-labor.lcs.mit.edu> <Pine.NEB.3.96.990503152350.29864A-100000@brooklyn.slack.net>
On Mon, May 03, 1999 at 03:25:00PM -0400, andrewr wrote:
| > You could easily create an implementation of bcrypt that could not be
| > used as a block cipher. What exactly is magically blessed about MD5?
| > MD5's compression function (or MD5 itself) functions perfectly well as
| > a block cipher in OFB or CFB modes. Is there some directive from the
| > US government allowing the export of MD5 in source form?
|
| Are you suggesting the use of MD5? I'm assuming it would be bad to use MD5
| because it is much quicker for one to possibly crack users' passwords..

I'm suggesting that a design that uses a cipher to do a hash function's
job is sub-optimal, except in cases where such adaption can be shown to
have advantages. Such advantages can include tweaking the noses of the
export control authorities, taking advantage of fast or secure hardware,
taking better advantage of few gates in hardware, or extensive analysis
of the underlying algorithm.

In the case of DES, it can be argued that the heavy analysis that crypt()
has undergone can be seen as an advantage, but that advantage doesn't
carry to *fish.

If you want to use any other construction, you'll need to analyze time
issues, including brute force timing. It seems likely that using md5
would require a bunch of iterations. You could probably use fewer
iterations of SHA-1, and yet fewer with RIPEMD-160 to absorb the same
amount of attacker CPU time.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume
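Adam's closing point, that a faster hash needs more iterations to absorb the same attacker CPU time per guess, can be turned into a calibration routine. The following is an added example and not code from the thread or from any BSD crypt() implementation: it uses a constructed salted-iteration scheme of its own (not bcrypt, crypt(3) or PBKDF2), Python's hashlib names for the primitives, and an assumed per-guess cost target.

```python
import hashlib
import hmac
import time

# Hashes the thread compares; "ripemd160" is only tried when this build of
# hashlib actually provides it (OpenSSL 3 often hides it in the legacy provider).
CANDIDATES = [n for n in ("md5", "sha1", "ripemd160") if n in hashlib.algorithms_available]


def stretched_hash(name: str, salt: bytes, password: bytes, iterations: int) -> bytes:
    """Salted, iterated hash used for illustration only:
    h_0 = H(salt || pw), h_i = H(h_{i-1} || pw). Constructed toy, not bcrypt."""
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    h = hashlib.new(name, salt + password).digest()
    for _ in range(iterations - 1):
        h = hashlib.new(name, h + password).digest()
    return h


def iterations_per_second(name: str, sample: int = 20_000) -> float:
    """Measure how fast this host runs the loop above for one primitive."""
    salt, pw = b"\x00" * 16, b"benchmark-password"  # constructed inputs
    start = time.perf_counter()
    stretched_hash(name, salt, pw, sample)
    return sample / (time.perf_counter() - start)


def calibrate(name: str, target_seconds: float) -> int:
    """Iteration count that makes one guess cost about target_seconds here.
    A faster primitive simply receives more iterations; the per-guess cost
    an attacker must pay stays the same across md5 / sha1 / ripemd160."""
    return max(1, int(iterations_per_second(name) * target_seconds))


def verify(name: str, salt: bytes, iterations: int, stored: bytes, password: bytes) -> bool:
    """Recompute the stretched hash and compare it in constant time."""
    return hmac.compare_digest(stored, stretched_hash(name, salt, password, iterations))


if __name__ == "__main__":
    target = 0.05  # seconds of CPU per verification; an assumed policy value
    for name in CANDIDATES:
        print(f"{name:10s} {calibrate(name, target):>10d} iterations for {target}s/guess")
```

The numbers printed are host-specific; recalibrate when the server hardware changes, since the attacker's per-guess cost tracks the iteration count, not the primitive's name.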