Bugtraq mailing list archives
Re: passwd hashing algorithm
From: jfh () rpp386 cactus org (John F. Haugh II)
Date: Fri, 21 Apr 95 7:09:41 CDT
1. 25 iterations of DES with the first 8 bytes of the password as key, followed by 25 iterations of DES with the second 8 bytes of password as key.

[ ... better version deleted ... ]

(1) can be broken on a workstation with ~ 2^32 steps (and very little in the way of memory);

I've never seen anything resembling a convincing argument for this point.

Hrmm, well, I could give you the crypto explanation...do you want me to? [Keywords: meet-in-the-middle, birthday attack]

If not, I issue you a challenge. I've included a small program at the end which implements (1) using libdes:

$ ./newcrypt abcdefgh 12345678
E7 B3 AF 1E D5 A8 34 10
$ ./newcrypt xxxx yyyy
5D 4F 2F 99 F4 1 69 B3

Compile it with libdes.a and make sure you get the same output for the test data above (for portability). Pick your own two password strings (at most 8 bytes long each) and send or post the output of the program. I'll find two password strings of my own which give the same output (but they're *not* necessarily the same as your two strings: they just produce the same hash!).
Now that I've had time to read what you've written here, you've attacked something completely different from what you appear to have described earlier. Shadow's long password scheme appends the output of each round of crypt() to the output for the previous rounds. Your function uses 0 as the initial key (same as UNIX crypt), but the output of the previous round as the initial key for the second round (not the same) and produces a single 8 byte result. That I will gladly concede is useless.
Sorry to the rest of you bugtraq folks: I would be taking this to personal email, except for the fact that someone actually uses the broken scheme -- yikes! -- that's my ObBug.
So far the planet is safe -- no one does this that I know of ...

--
John F. Haugh II [ NRA-ILA ] [ Kill Barney ] !'s: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 251-2151 [GOP][DoF #17][PADI][ENTJ] @'s: jfh () rpp386 cactus org
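The meet-in-the-middle search named in the quoted keywords, as an added example that is not part of the original message and is not the newcrypt program it mentions. It assumes a toy 16-bit Feistel cipher in place of DES, chained the way scheme (1) is described (encrypt 0 under the first string, then encrypt the result under the second, single-block output); all function names and candidate strings are constructed.

```python
# Added illustration; a toy 16-bit Feistel cipher stands in for DES (assumption).
import hashlib

ROUNDS = 4        # Feistel rounds of the toy cipher (constructed)
ITERATIONS = 25   # iteration count from scheme (1) in the message

def _f(key, rnd, half):
    """Keyed round function: first byte of SHA-256(key || round || half)."""
    return hashlib.sha256(key + bytes([rnd, half])).digest()[0]

def encrypt(key, block):
    left, right = block >> 8, block & 0xFF
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(key, rnd, right)
    return (left << 8) | right

def decrypt(key, block):
    left, right = block >> 8, block & 0xFF
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _f(key, rnd, left), left
    return (left << 8) | right

def iterate(fn, key, block):
    for _ in range(ITERATIONS):
        block = fn(key, block)
    return block

def chained_hash(first, second):
    """Encrypt 0 25 times under `first`, then 25 more times under `second`."""
    return iterate(encrypt, second, iterate(encrypt, first, 0))

def meet_in_the_middle(target, candidates):
    """Return (a, b) with chained_hash(a, b) == target, or None."""
    # Forward half: midpoint reached from 0 under each candidate first string.
    forward = {iterate(encrypt, k, 0): k for k in candidates}
    # Backward half: peel the second stage off the target and look for a match.
    for k in candidates:
        mid = iterate(decrypt, k, target)
        if mid in forward:
            return forward[mid], k
    return None

# Constructed guesses: 2 * 2000 chains of work instead of 2000**2 pairs.
CANDIDATES = [b"k%d" % i for i in range(2000)]

if __name__ == "__main__":
    target = chained_hash(b"abcdefgh", b"12345678")
    a, b = meet_in_the_middle(target, CANDIDATES)
    print(a, b, hex(chained_hash(a, b)), hex(target))
```

The work needed to find a matching pair is set by the width of the single output block, not by the combined length of the two strings.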