Re: [suse-security] Password Encryption
i know, that it is very important to keep my system clean. but many systems are not clean and then the cracker hasn't any chance to crack the shadow-file, if the passwords are encrypted by des3 or aes. and these algorithms are the state of the art

christian

p.s. : there exists an attack against md5, but i can't describe details at the moment, i will ask my prof.
* Christian Röpke wrote on Tue, Jul 09, 2002 at 15:14 +0200:
> but many systems are not clean and then the cracker hasn't any chance to crack the shadow-file, if the passwords are encrypted by des3 or aes.
This is not true. Even if you use a secure one way hash, imagine one with a very large output, it's not impossible. "Cracking" hashes can be done basically in two ways: either find a collision that produces the same output as the real secret, or guess the real secret. When talking about passwords, usually 10 alphanumerics or so, I think it's easier to guess it than to produce an MD5 collision...

And to make it clean, passwords are not encrypted. Encryption would be bad, since you would need a key and so finally it helps nothing, and an attacker could get the cleartexts easily (together with the key). Instead password hashes (secure, one-way) are stored. It is not possible to gain the password from the hash, but verification is possible: if the hash of the other is the same as the stored one, it's the same password (or a collision).
> and these algorithms are the state of the art
Well, but both are not hash functions :) Of course you can simply build them (but some crypto experts should evaluate this :)). But to DES: DES can be brute forced due to the key size of 56 bits; but the entropy of a good password isn't that far away in most cases. So in most cases it should be enough for passwords I guess. I mean, a four-letter password hash is guessable anyway...
> p.s. : there exists an attack against md5, but i can't describe details at the moment, i will ask my prof.
As far as I know attacks against a few rounds exist, but no one showed a way how to produce collisions with a small amount of computing power so far (AFAIK).

oki,

Steffen

--
This letter was generated by machine and therefore bears neither signature nor seal.
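Added example, not part of either message: the store-a-hash-and-compare verification the reply describes, together with the size comparison it makes between a password's guess space, a 56-bit DES key and MD5's 128-bit output. PBKDF2-HMAC-SHA256, the iteration count, the function names and the sample passwords are choices made for this example, not the scheme the thread discusses.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

ITERATIONS = 100_000   # assumed work factor for this example
DES_KEY_BITS = 56      # key size named in the thread
MD5_OUTPUT_BITS = 128  # size of an MD5 digest


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these two values are stored:
    no cleartext and no decryption key exist on the system."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Verification recomputes the hash of the candidate with the stored
    salt and compares digests in constant time; nothing is decrypted."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored)


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of possible passwords of exactly this length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample password, not taken from the thread.
    salt, stored = hash_password("correct horse 42")
    print("right password verifies:", verify_password("correct horse 42", salt, stored))
    print("wrong password verifies:", verify_password("correct horse 43", salt, stored))

    # The comparison made in the reply: whichever space is smaller
    # (password guesses or hash output) bounds the attacker's work.
    for label, bits in [
        ("10 alphanumerics (62 symbols)", guess_space_bits(62, 10)),
        ("4 lowercase letters", guess_space_bits(26, 4)),
        ("DES key", DES_KEY_BITS),
        ("MD5 output", MD5_OUTPUT_BITS),
    ]:
        print(f"{label:32s} {bits:6.1f} bits")
```
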
participants (2)
- "Christian Röpke"
- Steffen Dettmer