Bugtraq mailing list archives

Re: passwd hashing algorithm

From: jfh () rpp386 cactus org (John F. Haugh II)
Date: Fri, 21 Apr 95 7:09:41 CDT

1. 25 iterations of DES with the first 8 bytes of the
   password as key, followed by 25 iterations of DES
   with the second 8 bytes of password as key.

   [ ... better version deleted ... ]

(1) can be broken on a workstation with ~ 2^32 steps (and
very little in the way of memory);


I've never seen anything resembling a convincing argument for this point.


Hrmm, well, I could give you the crypto explanation...do you
want me to?  [Keywords: meet-in-the-middle, birthday attack]

If not, I issue you a challenge.  I've included a small
program at the end which implements (1) using libdes:

$ ./newcrypt abcdefgh 12345678
E7 B3 AF 1E D5 A8 34 10
$ ./newcrypt xxxx yyyy
5D 4F 2F 99 F4  1 69 B3

Compile it with libdes.a and make sure you get the same
output for the test data above (for portability).  Pick
your own two password strings (at most 8 bytes long each)
and send or post the output of the program.

I'll find two password strings of my own which give the
same output (but they're *not* necessarily the same as your
two strings: they just produce the same hash!).

 
Now that I've had time to read what you've written here, you've attacked
something completely different from what you appear to have described
earlier.  Shadow's long password scheme appends the output of each round
of crypt() to the output for the previous rounds.  Your function uses
0 as the initial key (same as UNIX crypt), but the output of the previous
round as the initial key for the second round (not the same) and produces
a single 8 byte result.  That I will gladly concede is useless.

Sorry to the rest of you bugtraq folks: I would be taking
this to personal email, except for the fact that someone
actually uses the broken scheme -- yikes! -- that's my ObBug.


So far the planet is safe -- no one does this that I know of ...
-- 
John F. Haugh II  [ NRA-ILA ] [ Kill Barney ] !'s: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 251-2151 [GOP][DoF #17][PADI][ENTJ]   @'s: jfh () rpp386 cactus org

Current thread:

Re: virus, (continued)
- - - Re: virus eli (Apr 23)
    - The list Jon Green (Apr 23)
    - Re: passwd hashing algorithm John F. Haugh II (Apr 20)
    - Re: passwd hashing algorithm Charlie Watt (Apr 21)
    - Re: passwd hashing algorithm John F. Haugh II (Apr 21)
    - Re: passwd hashing algorithm Timothy Newsham (Apr 21)
    - Re: passwd hashing algorithm John F. Haugh II (Apr 23)
    - RE: virus Erich W. Gunther (Apr 23)
    - Re: passwd hashing algorithm David Miller (Apr 19)
    - Re: passwd hashing algorithm David A. Wagner (Apr 19)
    - Re: passwd hashing algorithm John F. Haugh II (Apr 21)
    - AntiFlash talkd Richard Allen (Apr 19)
    - Re: AntiFlash talkd James M. Golovich (Apr 19)
    - Password Storage as Environment Variable Bill Bradley (Apr 19)
- Re: passwd hashing algorithm John Adams (Apr 17)
- Re: passwd hashing algorithm Paul C Leyland (Apr 19)
- Re: passwd hashing algorithm Paul C Leyland (Apr 20)
  - Re: passwd hashing algorithm John F. Haugh II (Apr 23)
  - Re: passwd hashing algorithm Marek Michalkiewicz (Apr 24)
- Re: passwd hashing algorithm Paul C Leyland (Apr 21)
- Re: passwd hashing algorithm Pete Hartman (Apr 24)