Bugtraq mailing list archives
Re: passwd hashing algorithm
From: dawagner () phoenix Princeton EDU (David A. Wagner)
Date: Wed, 19 Apr 1995 00:21:09 -0400 (EDT)
1. 25 iterations of DES with the first 8 bytes of the password as key, followed by 25 iterations of DES with the second 8 bytes of password as key.
[ ... better version deleted ... ]
(1) can be broken on a workstation with ~ 2^32 steps (and very little in the way of memory);I've never seen anything resembling a convincing argument for this point.
Hrmm, well, I could give you the crypto explanation...do you want me to? [Keywords: meet-in-the-middle, birthday attack] If not, I issue you a challenge. I've included a small program at the end which implements (1) using libdes: $ ./newcrypt abcdefgh 12345678 E7 B3 AF 1E D5 A8 34 10 $ ./newcrypt xxxx yyyy 5D 4F 2F 99 F4 1 69 B3 Compile it with libdes.a and make sure you get the same output for the test data above (for portability). Pick your own two password strings (at most 8 bytes long each) and send or post the output of the program. I'll find two password strings of my own which give the same output (but they're *not* necessarily the same as your two strings: they just produce the same hash!). Gimme a week or so to whip up the program and find the spare CPU cycles -- I'll need 2^36 DES ops, which is just large enough to be a small pain in the ass for me. This should be enough to convince you that it's useless as a password hashing scheme (I hope!). If I'm mistaken here, I'm sure someone will inform me, and all the egg will be on my face :-)
SecureWare uses a mechanism similar to this and it is part of one of their security offerings. I've used a slightly different, but similar, approach for several years
Good lord! Can anyone give more details? [ The details tend to matter in this business: something similar but slightly different might be safe. :-) ] Sorry to the rest of you bugtraq folks: I would be taking this to personal email, except for the fact that someone actually uses the broken scheme -- yikes! -- that's my ObBug. ------------------------------------------------------------------------------- David Wagner dawagner () princeton edu /* newcrypt.c -- Dave Wagner dawagner () princeton edu */ #include <stdio.h> #include "des.h" #define ITERS 25 do_onekey(in, k) des_cblock *in; unsigned char *k; { des_cblock out, key; des_key_schedule sched; int i; bzero((unsigned char *) &key, sizeof(des_cblock)); strncpy((unsigned char *) &key, k, sizeof(des_cblock)); des_set_odd_parity(&key); des_set_key(&key, sched); for (i=0; i<ITERS; i++) { des_ecb_encrypt(in, &out, sched, /* encrypt */ 1); bcopy(&out, in, sizeof(des_cblock)); /* in := out; */ } } main(argc, argv) int argc; char **argv; { des_cblock in; unsigned char *p; int i; if (argc != 3) { fprintf(stderr, "Usage: %s key1 key2\n", argv[0]); exit(1); } bzero(&in, sizeof(des_cblock)); do_onekey(&in, argv[1]); do_onekey(&in, argv[2]); p = (unsigned char *) ∈ for (i=0; i<8; i++) printf("%2X ", *p++); printf("\n"); return(0); }
Current thread:
- Re: passwd hashing algorithm, (continued)
- Re: passwd hashing algorithm Louis Taber (Apr 13)
- Re: passwd hashing algorithm maquis (Apr 14)
- Re: passwd hashing algorithm John F. Haugh II (Apr 16)
- Re: passwd hashing algorithm Charles Howes (Apr 14)
- Re: passwd hashing algorithm maquis (Apr 14)
- Re: passwd hashing algorithm der Mouse (Apr 14)
- Re: passwd hashing algorithm smb () research att com (Apr 14)
- Re: passwd hashing algorithm Dennis Glatting (Apr 15)
- Re: passwd hashing algorithm smb () research att com (Apr 16)
- Re: passwd hashing algorithm David A. Wagner (Apr 17)
- Re: passwd hashing algorithm John F. Haugh II (Apr 18)
- Re: passwd hashing algorithm David A. Wagner (Apr 18)
- Re: passwd hashing algorithm Charlie Watt (Apr 19)
- Re: passwd hashing algorithm Tom Fitzgerald (Apr 19)
- Re: passwd hashing algorithm Charlie Watt (Apr 20)
- The Dan Farmer rap Julian Assange (Apr 17)
- Re: The Dan Farmer rap Jonathan M. Bresler (Apr 20)
- Re: The Dan Farmer rap John Evans (Apr 20)
- Re: The Dan Farmer rap James O Ausman (Apr 21)
- Re: passwd hashing algorithm David A. Wagner (Apr 17)
- Re: The Dan Farmer rap Aleph One (Apr 20)
- Re: The pitiful rap Everett F Batey WA6CRE (Apr 21)
- Re: passwd hashing algorithm Louis Taber (Apr 13)
- Re: passwd hashing algorithm Dave Sill (Apr 20)