Bugtraq mailing list archives

Re: passwd hashing algorithm


From: dawagner () phoenix Princeton EDU (David A. Wagner)
Date: Mon, 17 Apr 1995 17:35:19 -0400 (EDT)


Just one trivial elaboration on an informative message from
Steve Bellovin:

                         There's only one facet of triple DES that's
at all useful here:  it provides an easy way to accept longer passwords.
But as I've noted, there are other ways to do that.  (Double DES is
most likely quite sufficient if you want to pursue that route, though;
few people are going to use passwords longer than 16 characters, and
the attacks on double DES described in the cryptographic literature
require O(2^55) storage, if I recall correctly -- I may be off by a
factor or so of 2.)


If anyone actually plans to use double DES (or triple DES)
for hashing passwords (which I don't recommend), be aware
that there's a huge difference between:

1. 25 iterations of DES with the first 8 bytes of the
   password as key, followed by 25 iterations of DES
   with the second 8 bytes of password as key.

2. repeat 25 times:
     an iteration of DES with the first 8 bytes of the
     password as key, followed by an iteration of DES
     with the second 8 bytes of password as key.

(1) can be broken on a workstation with ~ 2^32 steps (and
very little in the way of memory); (2) is probably very
strong.  The same comment goes for triple DES.

The moral of the story?  If you wanna hash a long string,
use a hash function (i.e. MD5), not a block cipher; or
else be very careful. :-)

-------------------------------------------------------------------------------
David Wagner                                             dawagner () princeton edu
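
The structural difference between (1) and (2), as an added example that is not part of the original post: a toy 16-bit Feistel cipher stands in for DES (an assumption, as are all function names and key values), and `split_scheme1` shows that construction (1) breaks at its midpoint into one part that depends only on the first key half and one that depends only on the second, so the halves can be searched separately. Construction (2) has no such midpoint. The table-based split is an illustration of that weakness, not necessarily the low-memory method behind the post's 2^32 figure.

```python
# Toy stand-in for DES (NOT DES): 16-bit block, 8-bit key, 4-round Feistel.
KEY_BITS, ROUNDS, ITER = 8, 4, 25

def _f(half, key, rnd):
    # Arbitrary toy round function; a Feistel network is invertible for any _f.
    x = (half * 167 + key * 59 + rnd * 101 + 13) & 0xFF
    return (((x << 3) | (x >> 5)) & 0xFF) ^ key

def enc(key, block):
    l, r = block >> 8, block & 0xFF
    for rnd in range(ROUNDS):
        l, r = r, l ^ _f(r, key, rnd)
    return (l << 8) | r

def dec(key, block):
    l, r = block >> 8, block & 0xFF
    for rnd in reversed(range(ROUNDS)):
        l, r = r ^ _f(l, key, rnd), l
    return (l << 8) | r

def iterate(fn, key, block):
    for _ in range(ITER):
        block = fn(key, block)
    return block

def scheme1(k1, k2):
    # Construction (1): 25 iterations under k1, then 25 iterations under k2.
    return iterate(enc, k2, iterate(enc, k1, 0))

def scheme2(k1, k2):
    # Construction (2): 25 rounds of (k1 then k2); every intermediate
    # value depends on both key halves, so there is no midpoint to split at.
    block = 0
    for _ in range(ITER):
        block = enc(k2, enc(k1, block))
    return block

def split_scheme1(target):
    """All (k1, k2) with scheme1(k1, k2) == target, found with
    2 * 2**KEY_BITS half-computations instead of 2**(2 * KEY_BITS)."""
    forward = {}
    for k1 in range(1 << KEY_BITS):       # forward from the fixed input 0
        forward.setdefault(iterate(enc, k1, 0), []).append(k1)
    hits = []
    for k2 in range(1 << KEY_BITS):       # backward from the stored hash
        mid = iterate(dec, k2, target)
        hits.extend((k1, k2) for k1 in forward.get(mid, []))
    return hits

if __name__ == "__main__":
    real = (0x3A, 0xC5)                   # constructed sample key halves
    print(real in split_scheme1(scheme1(*real)))
```

Any pair returned by `split_scheme1` hashes to the target under construction (1), whether or not it is the original password.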


