Security Basics mailing list archives
Re: CISCO MD5 encryption
From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 23 Feb 2011 16:51:24 -0500
On Tue, Feb 22, 2011 at 6:59 PM, Saif El Sherei <SSherei () npcegypt com> wrote:
I forgot to mention it's salted hashed that's used by Linux distros, open-ssl and a lot of popular web applications.
As previously stated - folks are engineering collisions on it. MD5 is broken, regardless of who is using it. I'm not even sure it can be used as a PRF, But that's not stopping FreeBSD (they also use ARC4, which is biased). Linux distros: I believe they are using Blowfish by default for the password file. For those who have down graded, I hope you (or myself) don't have an account on the system open-ssl: OpenSSL supports the algorithm. However, if you generate a new certificate, then SHA1 is used. The problems with OpenSSL defaults are (1) RSA moduli of 512 by default, and (2) SHA1 by default. 112 bits of security is now recommended. That means moduli of 2048 and SHA-224. Popular web applications: they may be popular, but they are not secure. For example, I recently looked at vBulletin and PhpBB. vBulletin uses MD5, and (I believe) PhpBB uses it under certain circumstances (if it uses hashing at all). Neither can pass an audit. Jeff [SNIP] ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Re: CISCO MD5 encryption, (continued)
- Re: CISCO MD5 encryption Saif El Sherei (Feb 23)
- Re: CISCO MD5 encryption Jeffrey Walton (Feb 24)
- Re: CISCO MD5 encryption Prabath Siriwardana (Feb 22)
- Re: CISCO MD5 encryption Mike Hale (Feb 22)
- Re: CISCO MD5 encryption Prabath Siriwardana (Feb 22)
- Re: CISCO MD5 encryption Mike Hale (Feb 22)
- Re: CISCO MD5 encryption Prabath Siriwardana (Feb 22)
- Message not available
- Re: CISCO MD5 encryption Prabath Siriwardana (Feb 22)
- Re: CISCO MD5 encryption Saif El Sherei (Feb 23)
- Re: CISCO MD5 encryption Saif El Sherei (Feb 23)
- Re: CISCO MD5 encryption Jeffrey Walton (Feb 24)
- Re: CISCO MD5 encryption Paul Johnston (Feb 24)
- RE: CISCO MD5 encryption David Gillett (Feb 24)
- Re: CISCO MD5 encryption Paul Johnston (Feb 25)
- RE: CISCO MD5 encryption David Gillett (Feb 28)
- Re: CISCO MD5 encryption Security Manager (Feb 24)
- Re: CISCO MD5 encryption César García (Feb 24)