Re: passwd hashing algorithm
From: jfh () rpp386 cactus org (John F. Haugh II)
Date: Fri, 21 Apr 95 7:09:41 CDT

1. 25 iterations of DES with the first 8 bytes of the
password as key, followed by 25 iterations of DES
with the second 8 bytes of password as key.
[ ... better version deleted ... ]

(1) can be broken on a workstation with ~ 2^32 steps (and
very little in the way of memory);

I've never seen anything resembling a convincing argument for this point.

Hrmm, well, I could give you the crypto explanation...do you
want me to? [Keywords: meet-in-the-middle, birthday attack]

If not, I issue you a challenge. I've included a small
program at the end which implements (1) using libdes:

$ ./newcrypt abcdefgh 12345678
E7 B3 AF 1E D5 A8 34 10
$ ./newcrypt xxxx yyyy
5D 4F 2F 99 F4 1 69 B3

Compile it with libdes.a and make sure you get the same
output for the test data above (for portability). Pick
your own two password strings (at most 8 bytes long each)
and send or post the output of the program.

I'll find two password strings of my own which give the
same output (but they're *not* necessarily the same as your
two strings: they just produce the same hash!).

Now that I've had time to read what you've written here, you've attacked
something completely different from what you appear to have described
earlier. Shadow's long password scheme appends the output of each round
of crypt() to the output for the previous rounds. Your function uses
0 as the initial key (same as UNIX crypt), but the output of the previous
round as the initial key for the second round (not the same) and produces
a single 8 byte result. That I will gladly concede is useless.

Sorry to the rest of you bugtraq folks: I would be taking
this to personal email, except for the fact that someone
actually uses the broken scheme -- yikes! -- that's my ObBug.

So far the planet is safe -- no one does this that I know of ...

John F. Haugh II [ NRA-ILA ] [ Kill Barney ] !'s: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 251-2151 [GOP][DoF #17][PADI][ENTJ] @'s: jfh () rpp386 cactus org
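
Added example, not part of the original post or of the newcrypt program it mentions: a table-based meet-in-the-middle search showing why chaining two independently keyed stages into a single block, as in scheme (1), adds almost no strength. It assumes a constructed 16-bit toy Feistel cipher in place of DES, and the function names and candidate strings are hypothetical; with a 16-bit block a second pair of strings turns up after on the order of 2^10 stage evaluations instead of about 2^16, the same square-root effect behind the ~2^32 figure quoted for DES's 64-bit block (the low-memory variant mentioned in the thread is not shown).

```python
import hashlib

ROUNDS, ITER = 4, 25   # toy Feistel rounds; 25 iterations per key, as in scheme (1)

def _f(key, rnd, half):
    # Keyed 8-bit round function (constructed for this demo, not DES).
    return hashlib.sha256(key + bytes([rnd, half])).digest()[0]

def enc(key, block):
    # Toy 16-bit Feistel block cipher standing in for DES.
    l, r = block >> 8, block & 0xFF
    for rnd in range(ROUNDS):
        l, r = r, l ^ _f(key, rnd, r)
    return (l << 8) | r

def dec(key, block):
    # Exact inverse of enc(): undo the rounds in reverse order.
    l, r = block >> 8, block & 0xFF
    for rnd in reversed(range(ROUNDS)):
        l, r = r ^ _f(key, rnd, l), l
    return (l << 8) | r

def stage(fn, key, block):
    # Apply one keyed stage: ITER iterations of fn under the same key.
    for _ in range(ITER):
        block = fn(key, block)
    return block

def weak_hash(pw1, pw2):
    # Scheme (1): start from block 0, 25 iterations under pw1, then 25 under pw2.
    return stage(enc, pw2, stage(enc, pw1, 0))

def meet_in_the_middle(target, table_size=1024):
    # Forward half: middle values reachable from block 0 under candidate pw1.
    forward = {}
    for i in range(table_size):
        pw1 = b"a%d" % i
        forward.setdefault(stage(enc, pw1, 0), pw1)
    # Backward half: decrypt the target under candidate pw2 until the middles meet.
    for tries in range(1, 1 << 16):
        pw2 = b"b%d" % (tries - 1)
        if stage(dec, pw2, target) in forward:
            return forward[stage(dec, pw2, target)], pw2, table_size + tries
    raise RuntimeError("no match found")

if __name__ == "__main__":
    target = weak_hash(b"abcdefgh", b"12345678")
    pw1, pw2, work = meet_in_the_middle(target)
    print(f"target {target:04x}: {pw1!r}, {pw2!r} after {work} stage evaluations")
```
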