RE: [suse-security] Password Encryption
> Yes, this is called a collision. With the crypt algorithm, which produces 56 bit results, every 72,057,594,037,927,936th (==2^56) password gets the same hash value. In other words, if you
I think you're forgetting about the birthday paradox. See http://www.rsasecurity.com/rsalabs/faq/2-4-6.html for some information on attacks against hash functions.
[salt]
> typical MD5 "crypts" use much larger ranges). The value is taken at random. So every password has 4096 possible results. To be able to decrypt, the salt itself is stored in plain as the first two bytes of the password "hash". So for a million words you would need 4 billion precalculated hashes.
However, since the salt is stored in plaintext in the shadow file, if you get that, the advantage of salt disappears.
Note also that the number of bits a hash function transforms the input to can't be equated directly to its 'security'. Rather, the amount of its resistance to collisions is an (at least) equally decisive factor.
Tobias
On Thu, 11 Jul 2002, Reckhard, Tobias wrote:
> > Yes, this is called a collision. With the crypt algorithm, which produces 56 bit results, every 72,057,594,037,927,936th (==2^56) password gets the same hash value. In other words, if you
> I think you're forgetting about the birthday paradox. See http://www.rsasecurity.com/rsalabs/faq/2-4-6.html for some information on attacks against hash functions.
> [salt]
> > typical MD5 "crypts" use much larger ranges). The value is taken at random. So every password has 4096 possible results. To be able to decrypt, the salt itself is stored in plain as the first two bytes of the password "hash". So for a million words you would need 4 billion precalculated hashes.
> However, since the salt is stored in plaintext in the shadow file, if you get that, the advantage of salt disappears.
That is, if you only want to decrypt one password and happen to have the right translation table for this salt at hand. Therefore you would need [number of salt flavours]*[number of words] dictionary entries to be able to crack a password with an arbitrary salt on the fly. I can't see something disappearing here...
Talking about all these hash lengths and numbers of words you should always keep in mind that hardly anyone generates their 8 character passwords with a perfect random number generator, and even this would buy you only about 80^8=2^(50.6) possible passwords. The quality of the hash can become quite irrelevant if you consider that most people's passwords only contain [a-z0-9], which makes about 41.4 bits in the optimistic case of 8 characters. You should convince yourself that this keyspace is easily exhaustible within a reasonable period of time on current consumer hardware.
That said, the whole discussion becomes quite irrelevant...
Ciao, Roland
+---------------------------+-------------------------+
|    TU Muenchen            |                         |
|    Physik-Department E18  |  Raum    3558           |
|    James-Franck-Str.      |  Telefon 089/289-12592  |
|    85747 Garching         |                         |
+---------------------------+-------------------------+
That said then, from all that has been stated in the thread is... The Linux login password mechanism is secure enough, by adding a shadowed md5 file & using the crypt lib ... Enough to deter a determined person from trying to access the system at this point.
A determined person would really try easier methods to try and circumvent the system security, to gain elevated rights to cause problems?
Dre
+--------------------+
| Luck is my game ;-)|
| Linux is my aim :) |
+--------------------+
-----Original Message-----
From: Roland Kuhn [mailto:rkuhn@e18.physik.tu-muenchen.de]
Sent: Thursday, July 11, 2002 1:01 PM
To: Reckhard, Tobias
Cc: suse-security@suse.com
Subject: RE: [suse-security] Password Encryption
On Thu, 11 Jul 2002, Reckhard, Tobias wrote:
> > Yes, this is called a collision. With the crypt algorithm, which produces 56 bit results, every 72,057,594,037,927,936th (==2^56) password gets the same hash value. In other words, if you
> I think you're forgetting about the birthday paradox. See http://www.rsasecurity.com/rsalabs/faq/2-4-6.html for some information on attacks against hash functions.
> [salt]
> > typical MD5 "crypts" use much larger ranges). The value is taken at random. So every password has 4096 possible results. To be able to decrypt, the salt itself is stored in plain as the first two bytes of the password "hash". So for a million words you would need 4 billion precalculated hashes.
> However, since the salt is stored in plaintext in the shadow file, if you get that, the advantage of salt disappears.
That is, if you only want to decrypt one password and happen to have the right translation table for this salt at hand. Therefore you would need [number of salt flavours]*[number of words] dictionary entries to be able to crack a password with an arbitrary salt on the fly. I can't see something disappearing here...
Talking about all these hash lengths and numbers of words you should always keep in mind that hardly anyone generates their 8 character passwords with a perfect random number generator, and even this would buy you only about 80^8=2^(50.6) possible passwords. The quality of the hash can become quite irrelevant if you consider that most people's passwords only contain [a-z0-9], which makes about 41.4 bits in the optimistic case of 8 characters. You should convince yourself that this keyspace is easily exhaustible within a reasonable period of time on current consumer hardware.
That said, the whole discussion becomes quite irrelevant...
Ciao, Roland
+---------------------------+-------------------------+
|    TU Muenchen            |                         |
|    Physik-Department E18  |  Raum    3558           |
|    James-Franck-Str.      |  Telefon 089/289-12592  |
|    85747 Garching         |                         |
+---------------------------+-------------------------+
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
* Reckhard, Tobias wrote on Thu, Jul 11, 2002 at 11:00 +0200:
> > Yes, this is called a collision. With the crypt algorithm, which produces 56 bit results, every 72,057,594,037,927,936th (==2^56) password gets the same hash value. In other words, if you
> I think you're forgetting about the birthday paradox. See http://www.rsasecurity.com/rsalabs/faq/2-4-6.html for some information on attacks against hash functions.
No, I don't. You cannot apply the birthday fact (I don't think it's a paradox) here, since the value you need to get in a collision is given (since this is the value stored in shadow). It doesn't help to get any collision, here you need the right one.
> [salt]
> > typical MD5 "crypts" use much larger ranges). The value is taken at random. So every password has 4096 possible results. To be able to decrypt, the salt itself is stored in plain as the first two bytes of the password "hash". So for a million words you would need 4 billion precalculated hashes.
> However, since the salt is stored in plaintext in the shadow file, if you get that, the advantage of salt disappears.
That is incorrect. Of course you cannot precalculate exactly the salts that you will find later (at least this is not possible if we assume time as going forward only :)).
(I think this thread is getting boring.)
oki,
Steffen
--
This letter was produced by machine and therefore bears neither signature nor seal.
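
Added example, not part of any poster's message: the birthday-paradox disagreement above can be measured by counting guesses until any two candidates collide versus guesses until one candidate matches a hash that is already fixed, as a stored shadow entry is. SHA-256 truncated to a few bits is a constructed stand-in for a short hash output (it is not crypt(3)); `toy_hash`, the `pw<n>` candidates and `constructed-secret` are illustrative assumptions.

```python
import hashlib
import math
from itertools import count

def toy_hash(password: str, bits: int) -> int:
    """SHA-256 truncated to `bits` bits (constructed stand-in, NOT crypt(3))."""
    digest = hashlib.sha256(password.encode()).digest()
    return int.from_bytes(digest[:8], "big") >> (64 - bits)

def expected_tries(bits: int):
    """Theory: expected guesses for (any collision, match of one given hash)."""
    return math.sqrt(math.pi / 2 * 2**bits), 2**bits

def tries_for_any_collision(bits: int):
    """Birthday case: stop as soon as ANY two candidates share a hash."""
    seen = {}
    for n in count(1):
        pw = f"pw{n}"                       # constructed candidate strings
        h = toy_hash(pw, bits)
        if h in seen:
            return n, seen[h], pw
        seen[h] = pw

def tries_for_target(target: int, bits: int):
    """Login case: the hash to match is fixed by the stored entry."""
    for n in range(1, 64 * 2**bits):        # generous bound so the loop ends
        pw = f"pw{n}"
        if toy_hash(pw, bits) == target:
            return n, pw
    return None

if __name__ == "__main__":
    bits = 20                                # small so this runs in seconds
    stored = toy_hash("constructed-secret", bits)
    birthday, preimage = expected_tries(bits)
    n_any, a, b = tries_for_any_collision(bits)
    n_hit, pw = tries_for_target(stored, bits)
    print(f"any collision: {n_any} tries ({a!r} vs {b!r}), theory ~{birthday:.0f}")
    print(f"given target : {n_hit} tries ({pw!r}), theory ~{preimage}")
    print(f"56-bit output: ~2^{math.log2(expected_tries(56)[0]):.1f} vs 2^56")
```

The square-root figure applies only when either side of the collision may be chosen freely; matching one stored hash scales with the full output space, or with the much smaller password keyspace estimated earlier in the thread.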
participants (4)
- arawak
- Reckhard, Tobias
- Roland Kuhn
- Steffen Dettmer