Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Strength of Triple-DES
From: patrick () oes amdahl com (Patrick Horgan)
Date: Fri, 14 Apr 1995 22:17:22 +0800

I realize that the primary method of crack is guessing weak passwords,
but it also attempts to decrypt.  And given the weakness of

Are you sure that crack does that?  I haven't looked at any new versions
for awhile, but there was no cracking software in it before.  The time
it would take even for the watered down DES variant used for UNIX passwords
is beyond the available resources of most sites.

single-DES, it isn't that hard.  So anything that improves
cryptographic strength is good.  Also, it reduces the harm caused by
weak passwords, and adds value to strong passwords.  

It doesn't if the scheme is built into the system, and it would have to
be since there's so much on systems that want to verify your password.
Then you're back to the same problem as before.  If they can get a copy
of your encrypted password they can do a dictionary attack.  Triple DES
would slow them down, but that's about it.

Of course cracking passwords is a possible attack only if you're incredibly
stupid in how you administer your site.  The real problem these days is
that the passwords go through many sites in the clear.

I also realize that the ideal solution would be to eliminate fixed
passwords and replace them with some sort of double-blind,
smart-client scheme.  But it won't work, not as long as we're
dependent on existing clients like telnet and ftp working.  I'd say

There's already a lot of telnet clients and servers now that are 
negotiating secure authentication, and there'll be more all the time.
The day will come soon that people will tell their telnetd not to talk
to any clients that can't do secure authentication.

That solution's here today, written in the RFCs and available freely
on the net.

  /  These opinions are mine, and not Amdahl's (except by coincidence;).  \
 |                                                       (\                |
 |  Patrick J. Horgan         Amdahl Corporation          \\    Have       |
 |  patrick () amdahl com        1250 East Arques Avenue      \\  _ Sword     | 
 |  Phone : (408)992-2779     P.O. Box 3470 M/S 316         \\/    Will    | 
 |  FAX   : (408)773-0833     Sunnyvale, CA 94088-3470     _/\\     Travel | 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]