Bugtraq mailing list archives

Re: passwd hashing algorithm


From: adam () bwh harvard edu (Adam Shostack)
Date: Fri, 14 Apr 1995 13:06:33 -0400 (EDT)


Rick wrote:
|     From: Adam Shostack <adam () bwh harvard edu>
|     Date: Thu, 13 Apr 1995 13:23:03 -0400 (EDT)
| 
|     Going to 3des means you (roughly) triple the attack time, which
|     means that in about 2 years, we'll be back where we are today.

| This does not fit with my understanding of 3DES.  I thought that 3DES
| effectively tripled the key size, i.e. you have to derive three DES

        3des doubles the effective keysize (not triples because of the
birthday problem--see Schneier for details.)  I was assuming the 3
keys would be the same, since there's no place to store an extra key in
the passwd file, and the original poster seemed to want to maintain
that format.

        But, if you have reusable passwords (of any quality) over the
net, you need to be encrypting the session.  If you've got a smart
client to do the session encryption, you might as well use a
challenge/response system while you're at it.  

        I'm assuming here that roving people will not always carry
their own key, and thus, there is an option to only use the server's
public key in negotiations for confidentiality, and use some c/r
mechanism for authentication.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
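
The challenge/response authentication suggested in the message above, as an added example that is not part of the original post. The post names no mechanism, so HMAC-SHA256 over a random server nonce with a PBKDF2-derived key is an assumption chosen here, as are the names `Server`, `client_response` and `demo` and the constructed sample passphrase.

```python
import hashlib
import hmac
import secrets


def derive_key(password: str, salt: bytes) -> bytes:
    # Shared secret held by both sides; the password itself never crosses the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Server:
    def __init__(self):
        self.keys = {}     # user -> (salt, derived key); note the key is password-equivalent
        self.pending = {}  # user -> outstanding nonce

    def enroll(self, user, password):
        salt = secrets.token_bytes(16)
        self.keys[user] = (salt, derive_key(password, salt))

    def challenge(self, user):
        nonce = secrets.token_bytes(32)  # fresh and unpredictable per login attempt
        self.pending[user] = nonce
        return self.keys[user][0], nonce

    def verify(self, user, response):
        nonce = self.pending.pop(user, None)  # single use: consumed even on failure
        if nonce is None or user not in self.keys:
            return False
        expected = hmac.new(self.keys[user][1], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def client_response(password, salt, nonce):
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()


def demo():
    server = Server()
    server.enroll("alice", "constructed sample passphrase")
    salt, nonce = server.challenge("alice")
    resp = client_response("constructed sample passphrase", salt, nonce)
    ok = server.verify("alice", resp)           # legitimate login
    replay_same = server.verify("alice", resp)  # sniffed response, challenge already consumed
    server.challenge("alice")
    replay_new = server.verify("alice", resp)   # sniffed response against a fresh nonce
    salt2, nonce2 = server.challenge("alice")
    wrong = server.verify("alice", client_response("guess", salt2, nonce2))
    return ok, replay_same, replay_new, wrong


if __name__ == "__main__":
    print(demo())
```

A captured response is useless for a later login because each nonce is accepted once, but the exchange gives no confidentiality, which is why the message pairs it with session encryption.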


