Re: [suse-security] Password Encryption
Hello Bastian,

Tuesday, July 9, 2002, 3:50:07 PM, you wrote:

BS> Hi!
BS> --On Tuesday, 9 July 2002 15:14 +0200 Christian Röpke
BS> <christian.roepke@directbox.com> wrote:

[...] P.S.: there exists an attack against md5, but I can't describe details at the moment; I'll ask my prof.

BS> In 1996 a German researcher found a way to produce "collisions" in the
BS> compression function of MD5 (in about 10 hours on a 100 MHz Pentium I), but
BS> IIRC could not extend this attack to the full algorithm. Details are here:
BS> <http://www.rsasecurity.com/rsalabs/faq/3-6-6.html>
BS> <ftp://ftp.rsasecurity.com/pub/cryptobytes/crypto2n2.pdf>
BS> <http://www.informatik.uni-mannheim.de/informatik/pi4/projects/Crypto/rgp/md5/dobbertin.ps>
BS> This is a serious academic weakness of the algorithm, but surely nothing to
BS> worry about in practical applications. Attackers who have the required
BS> resources for this kind of attack will certainly be able to find completely
BS> different ways to compromise the security of your linux box.

ok, here is the answer for you peer

BS> By the way: The same goes for DES. There has been no practical attack
BS> against the structure of the cipher. It is simply outdated, because
BS> a) it is very slow in software and
BS> b) its keysize is far too small to protect against brute force attacks
BS> with today's computing power (I guess, that's what you meant with "attack")
BS> Still, you need a considerable amount of computation to break DES and
BS> attackers might just as well find different ways to break into your system.

OK, but if we know that there is a way to crack the shadow file, why don't we use a secure algorithm (triple DES or AES)? Are there no implementations of these algorithms? (A DES cracker machine costs about 100.000 $.)

BS> Hope this helps.
BS> Greetings,
BS> Bastian.

christian
Yuppa, Christian Röpke wrote: [...]
OK, but if we know that there is a way to crack the shadow file, why don't we use a secure algorithm (triple DES or AES)? Are there no implementations of these algorithms? (A DES cracker machine costs about 100.000 $.)

because it's not in the current security focus anymore. Of course there are still ppl who conduct massive brute-force/dictionary/leaking attacks against servers, but this also leaves a comparably big audit trail in the system; in most Linux (and Unix) distros/derivatives, failed login attempts will be logged to a file, say /var/log/messages or whatever your mileage may be. Even very dumb/uninspired admins would notice this. I don't say that they'd do something against it, but they sure would notice it... |-)

The *real* problem is clear-text passwords, as used in telnet, ftp, pop3, etc. Most attackers would not go the hard and tedious way of feeding a 100 MB dictionary with even more strange words and phrases in order to find a couple of lousy passwords for some pop3 accounts; all they would have to do is to abuse one of the many obvious and not-so-obvious flaws of daemons/servers, apps or protocols, get into the machine, install a sniffer, and finally harvest the passwords for an easy return to the victim system.

If I got you right, you haven't implemented any deeper security on your system(s), so there we go... If an attacker would be able to get your shadow and passwd, you would have more to worry about than the question whether your password salts are DES (=crap) or 3DES (=triple crap) encrypted.

Boris
Hi Christian,

--On Wednesday, 10 July 2002 11:42 +0200 Christian Röpke <christian.roepke@directbox.com> wrote:

[...] OK, but if we know that there is a way to crack the shadow file, why don't we use a secure algorithm (triple DES or AES)? Are there no implementations of these algorithms? (A DES cracker machine costs about 100.000 $.) [...]

Ok, you are right of course. And that is the reason why people begin to switch from DES to algorithms with higher key size (at the cost of performance in the case of 3DES).

I just think it is important to point out that there still is no known attack against DES apart from brute force. In this case DES's small keysize of 56 bits might not even be a problem, because user passwords usually have much less entropy:

<http://downloads.securityfocus.com/library/keylength.txt>

Greetings,
Bastian
participants (3)
- "Christian Röpke"
- Bastian Schmick
- Boris Lorenz