Re: Digital Unix 4 protected password database.

[kap () UAKRON EDU (Keith Piepho)]

At 05:47 PM 3/10/99 +0000, you wrote:

> Paul Leyland told me, many years ago, that one or more of the
> "Enhanced Security" crypt-replacements are actually less secure
> than traditional crypt() in many respects.
>
> Consider the:
>
>       crypt first 8 chars
>       crypt remaining 8 chars
>       join the two ciphertexts
>
> ...mechanism; assuming people choose passwords which are (a) plain
> dictionary words and (b) only slightly longer than 8 characters, then:
>
>       plaintext = wheatsheaf
>       first 8 chars = wheatshe
>       last 8 chars = af
>
> ...the cracker may brute-force the latter ciphertext with its implicit
> small keyspace, and then (eg:) go hunting for words in dictionaries
> which are 10 characters long and whose last characters are "af",
> thereby possibly reducing the search space for the first 8 characters
> *very* significantly.

I think your specific example here is a little off, since it assumes that a
cracker has the encrypted password and a dictionary that contains it.  If
these two suppositions are true, the fight is already over, and you have
lost.

Focusing on the case in which the password is a dictionary word obscures
the real problem:  to compensate for the insecurity of an 8 character
password, DEC has replaced it with what appears to be a 16 character
password scheme, but is in reality just 2 8 character passwords, doubling
instead of squaring the size of the keyspace that must be searched.  (and
much less than doubling, in the case of the all-too-frequent short second
keys which will occur.)  Nothing like the illusion of security to keep the
managers sleeping soundly at night.

The alternate scheme you mention (in the part I cut) of encrypting the
first 8 characters and the last 8 seems to me to result in a 16 char
keyspace.  Clever.


        -- - keith
--
Keith Piepho                    kap () uakron edu
Technical Services              (330) 972-6130
The University of Akron