Mailinglist Archive: opensuse-security (520 mails)
| < Previous | Next > |
Re: [suse-security] Password Encryption
- From: "Christian Röpke" <christian.roepke@xxxxxxxxxxxxx>
- Date: Wed, 10 Jul 2002 11:42:47 +0200
- Message-id: <20020710094334.9883C14822@xxxxxxxxxxxxxx>
Hello Bastian,
Tuesday, July 9, 2002, 3:50:07 PM, you wrote:
BS> Hi!
BS> --On Dienstag, 9. Juli 2002 15:14 +0200 Christian Röpke
BS> <christian.roepke@xxxxxxxxxxxxx> wrote:
>> [...]
>> p.s. : it exits a attack against md5, but i can't describe details at the
>> moment, i ask my prof. __________________________________________________
BS> In 1996 a german researcher found a way to produce "collisions" in the
BS> compression function of MD5 (in about 10 hours on a 100 MHz Pentium I), but
BS> IIRC could not extend this attack to the full algorithm. Details are here:
BS> <http://www.rsasecurity.com/rsalabs/faq/3-6-6.html>
BS> <ftp://ftp.rsasecurity.com/pub/cryptobytes/crypto2n2.pdf>
BS> <http://www.informatik.uni-mannheim.de/informatik/pi4/projects/Crypto/rgp/m
d5/dobbertin.ps>>
BS> This is a serious academic weakness of the algorithm, but surely nothing to
BS> worry about in practical applications. Attackers who have the required
BS> resources for this kind of attack will certainly be able to find completely
BS> different ways to compromise the security of your linux box.
ok, here is the answer for you peer
BS> By the way: The same goes for DES. There has been no practical attack
BS> against the structure of the cipher. It is simply outdated, because
BS> a) it is very slow in software and
BS> b) it´s keysize is far too small to protect against brute force attacks
BS> with today´s computing power (I guess, that´s what you meant with "attack")
BS> Still, you need a considerable amount of computation to break DES and
BS> attackers might just as well find different ways to break into your system.
ok, but if we knows, that there is a way to crack the shadow file, why
don't we use a secure algorithm ? (triple DES or AES) Are there no
implementation for this algorithms ?
(a DES cracker-maschine costs about 100.000 $)
BS> Hope this helps.
BS> Greetings,
BS> Bastian.
christian
__________________________________________________
Gestalte Dein eigenes Handy-Logo unter http://www.yesms.de
Ihre eMails auf dem Handy lesen - ohne Zeitverlust - 24h/Tag
eMail, FAX, SMS, VoiceMail mit http://www.directbox.com
Tuesday, July 9, 2002, 3:50:07 PM, you wrote:
BS> Hi!
BS> --On Dienstag, 9. Juli 2002 15:14 +0200 Christian Röpke
BS> <christian.roepke@xxxxxxxxxxxxx> wrote:
>> [...]
>> p.s. : it exits a attack against md5, but i can't describe details at the
>> moment, i ask my prof. __________________________________________________
BS> In 1996 a german researcher found a way to produce "collisions" in the
BS> compression function of MD5 (in about 10 hours on a 100 MHz Pentium I), but
BS> IIRC could not extend this attack to the full algorithm. Details are here:
BS> <http://www.rsasecurity.com/rsalabs/faq/3-6-6.html>
BS> <ftp://ftp.rsasecurity.com/pub/cryptobytes/crypto2n2.pdf>
BS> <http://www.informatik.uni-mannheim.de/informatik/pi4/projects/Crypto/rgp/m
d5/dobbertin.ps>>
BS> This is a serious academic weakness of the algorithm, but surely nothing to
BS> worry about in practical applications. Attackers who have the required
BS> resources for this kind of attack will certainly be able to find completely
BS> different ways to compromise the security of your linux box.
ok, here is the answer for you peer
BS> By the way: The same goes for DES. There has been no practical attack
BS> against the structure of the cipher. It is simply outdated, because
BS> a) it is very slow in software and
BS> b) it´s keysize is far too small to protect against brute force attacks
BS> with today´s computing power (I guess, that´s what you meant with "attack")
BS> Still, you need a considerable amount of computation to break DES and
BS> attackers might just as well find different ways to break into your system.
ok, but if we knows, that there is a way to crack the shadow file, why
don't we use a secure algorithm ? (triple DES or AES) Are there no
implementation for this algorithms ?
(a DES cracker-maschine costs about 100.000 $)
BS> Hope this helps.
BS> Greetings,
BS> Bastian.
christian
__________________________________________________
Gestalte Dein eigenes Handy-Logo unter http://www.yesms.de
Ihre eMails auf dem Handy lesen - ohne Zeitverlust - 24h/Tag
eMail, FAX, SMS, VoiceMail mit http://www.directbox.com
| < Previous | Next > |