From owner-freebsd-security  Mon May  3 12:39: 0 1999
Delivered-To: freebsd-security@freebsd.org
Received: from weathership.homeport.org (weathership.homeport.org [207.31.235.99])
	by hub.freebsd.org (Postfix) with ESMTP id A110615362
	for <freebsd-security@FreeBSD.ORG>; Mon,  3 May 1999 12:38:56 -0700 (PDT)
	(envelope-from adam@weathership.homeport.org)
Received: (from adam@localhost)
	by weathership.homeport.org (8.8.8/8.8.5) id PAA28496;
	Mon, 3 May 1999 15:52:05 -0400 (EDT)
Date: Mon, 3 May 1999 15:52:05 -0400
From: Adam Shostack <adam@homeport.org>
To: andrewr <andrewr@slack.net>
Cc: David Mazieres <dm@reeducation-labor.lcs.mit.edu>,
	phk@critter.freebsd.dk, peter.jeremy@auss2.alcatel.com.au,
	freebsd-security@FreeBSD.ORG, provos@openbsd.org
Subject: Re: Blowfish/Twofish
Message-ID: <19990503155204.A28374@weathership.homeport.org>
References: <199905031554.LAA09846@reeducation-labor.lcs.mit.edu> <Pine.NEB.3.96.990503152350.29864A-100000@brooklyn.slack.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: <Pine.NEB.3.96.990503152350.29864A-100000@brooklyn.slack.net>; from andrewr on Mon, May 03, 1999 at 03:25:00PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, May 03, 1999 at 03:25:00PM -0400, andrewr wrote:
| > You could easily create an implementation of bcrypt that could not be
| > used as a block cipher.  What exactly is magically blessed about MD5?
| > MD5's compression function (or MD5 itself) functions perfectly well as
| > a block cipher in OFB or CFB modes.  Is there some directive from the
| > US government allowing the export of MD5 in source form?
| 
| Are you suggesting the use of MD5?  Im assuming it would be bad to use MD5
| because it is much quicker for one to possibly crack users passwords.. 

	I'm suggesting that a design that uses a cipher to do a hash
function's job is sub-optimal, except in cases where such adaption can
be shown to have advantages.  Such advantages can include tweaking the
noses of the export control authorities, taking advantage of fast or
secure hardware, taking better advantage of few gates in hardware, or
extensive analysis of the underlying algorithm.

	In the case of DES, it can be argued that the heavy analysis
that crypt() has undergone can be seen as an advantage, but that
advantage doesn't carry to *fish.

	If you want to use any other construction, you'll need to
analyze time issues, including brute force timing.  It seems likely
that using md5 would require a bunch of iterations.  You could
probably use fewer iterations of SHA-1, and yet fewer with RIPEMD-160
to absorb the same amount of attacker CPU time.

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message