[suse-security] Password Encryption
Hello @all,

after my installation of SuSE Linux 8.0, YaST2 asked me whether I encrypt my passwords with DES or MD5.

I think both of these algorithms are not secure !!!

1. DES is an encryption algorithm that was cracked by the NSA (ca. 1990) (also by other secret services) and by the Electronic Frontier Foundation (1999). This algorithm is NOT secret today (DES cracker: about 100,000 dollars).

2. MD5 is a hash function, so you can't encrypt any passwords with this algorithm.

Question: where is the password security in SuSE Linux ???

Greetings
Christian Röpke
On Tue, Jul 09, 2002 at 02:21:41PM +0200, Christian Röpke wrote:
> 1. DES is an encryption algorithm that was cracked by the NSA (ca. 1990) (also by other secret services) and by the Electronic Frontier Foundation (1999). This algorithm is NOT secret today (DES cracker: about 100,000 dollars).
> 2. MD5 is a hash function, so you can't encrypt any passwords with this algorithm.
Both of these algorithms are in fact hash algorithms. The crypt() function is based on a variant of DES, and uses the password as a key to encrypt the salt. So what gets "encrypted" is the salt, not the password.

In either case, the main purpose of the algorithm is to conceal what the original password was. Being able to reverse the encryption is not an issue (in fact, it's not desirable). What happens when you log into a Linux box is that you present your password, and the authentication service puts it through the hash function and compares the result to the hash stored in the shadow file.

Olaf
--
Olaf Kirch      | Anyone who has had to work with X.509 has probably
okir@suse.de    | experienced what can best be described as
----------------+ ISO water torture.  -- Peter Gutmann
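The login check Olaf describes, as an added example that is not code from this thread or from SuSE: a pure-Python implementation of the MD5-based crypt(3) scheme (the `$1$` hashes that YaST2's MD5 option produces, following the original md5crypt construction) and a verifier that takes a shadow line, re-hashes the offered password with the stored salt and compares the result. The account name, salt and password in `SHADOW_LINE` are constructed for the example.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    """crypt's to64(): emit `count` 6-bit groups, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5_crypt(password, salt):
    """MD5-based crypt(3) ($1$): the password is the secret, the salt is public."""
    pw = password.encode()
    if salt.startswith("$1$"):                  # accept a full "$1$salt$hash" string
        salt = salt[3:]
    sp = salt.split("$")[0][:8].encode()        # at most 8 salt chars, stop at '$'
    ctx = hashlib.md5(pw + b"$1$" + sp)
    final = hashlib.md5(pw + sp + pw).digest()
    for pl in range(len(pw), 0, -16):           # len(pw) bytes of MD5(pw, salt, pw)
        ctx.update(final[:min(pl, 16)])
    i = len(pw)
    while i:                                    # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                       # 1000 rounds to slow down guessing
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    enc += _to64(final[11], 2)
    return "$1$" + sp.decode() + "$" + enc

def check_login(shadow_line, password):
    """What login does: re-hash the offered password with the stored salt and compare."""
    stored = shadow_line.split(":")[1]
    if not stored.startswith("$1$"):
        return False                            # locked ("!", "*") or another scheme
    return hmac.compare_digest(md5_crypt(password, stored), stored)

# Constructed shadow entry for a made-up account; the password is "correct horse".
SHADOW_LINE = "alice:" + md5_crypt("correct horse", "Xy7kQ2pL") + ":11876:0:99999:7:::"
```

The stored value never has to be reversed: only the salt is read back, and the comparison is done on the freshly computed hash.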
Christian Röpke wrote:
> Hello @all,
> after my installation of SuSE Linux 8.0, YaST2 asked me whether I encrypt my passwords with DES or MD5.
> I think both of these algorithms are not secure !!!
> 1. DES is an encryption algorithm that was cracked by the NSA (ca. 1990) (also by other secret services) and by the Electronic Frontier Foundation (1999). This algorithm is NOT secret today (DES cracker: about 100,000 dollars).
> 2. MD5 is a hash function, so you can't encrypt any passwords with this algorithm.
> Question: where is the password security in SuSE Linux ???
First of all: you are assuming the hacker already has access to the hashes. If he doesn't have the /etc/shadow file, he has nothing to crack, whether the algorithm used is DES or MD5. If the hacker has access to your shadow file, you have a lot bigger problem than worrying about the security of your password algorithm.

Second, while DES is indeed crackable, MD5 is pretty secure as far as password algorithms go. It's now the standard on most major Linux (and some Unix) distributions. You are right in assuming it doesn't encrypt the password, it just uses its MD5 sum as key. At any rate, MD5 is probably the most secure algorithm in use at the moment, a whole lot better than what e.g. Microsoft has to offer.

Third, there is a myriad of other ways to secure your system. Through PAM (Pluggable Authentication Modules) you can attach just about any security measure, from fingerprint scanners to smartcards to whatever.

And fourth, no matter what means of security you use, be aware that in any authentication system the real weak points are your users. As long as people put Post-its on their monitor with their username and password, it doesn't matter what means of encryption you use.

Stefan
Participants (3):
- Christian Röpke
- Olaf Kirch
- Stefan Suurmeijer