Firewall Wizards mailing list archives

RE: Radius access from provider to internal MS ISA Server


From: Paul Robertson <proberts () patriot net>
Date: Sun, 7 Jul 2002 18:20:36 -0400 (EDT)

On Sun, 7 Jul 2002, Ben Nagy wrote:

IMO, strong passwords are dead- dictionaries are too good now, if you're 
using reusable passwords, you should assume compromised credentials at 
some level, especially if a third party gets to participate.

I can't buy that without being shown more numbers. A space/time attack
may be possible, since md5 is so damn fast, but I think we're still
looking at incredible power being required here. 

I don't have great numbers, which is why I used the ones and the 
recommendations from the draft cited- so I'll just offer some inferences 
which may or may not be useful...

I'm not good at this sort of stuff, but for the space required for the
md5sums of typeable passwords at 12 characters I get 5.94e24 bytes, not

I'm assuming that's 116 printable characters?

counting line separation. For time, with the 4.1e6 ops/second figure you
quoted elsewhere for md5, I took a million processors and came out at
about 6000 years for the mean for brute force. That's enough for me to
retain some hope. Have I screwed up completely somewhere? Did you mean
to say "memorable" instead of "reusable" ?

The 4.1e6/sec figure seems to be for something akin to a 1GHz Athlon.  
That doesn't take into account things like SSL accelerator cards, 
custom ASICs or even faster/wider chips (Solar Designer is claiming 80% 
performance improvements on Alpha EV5 chips by doing two hashes at once in 
the latest version of John the Ripper- my Alpha is full of EV4s, but 
I'll bench it when I get time.)  

I'm not sure of the raw performance of the IPSec/SSL accelerators for MD5 
alone, I'm sure much of the 350-800% increase is in the more compute intensive 
algorithms (but certainly I'll pick one up and see what it can do at some 
point in the near future now they're relatively cheap) I don't know how 
the range of ~400Mb/s to 800Mb/s of MD5 throughput translates to 
keys/second- let alone the newer 4.5Gb/s ones.  

In '94 the estimates for finding a collision in MD5 were 24 days for a $10M 
custom-built machine.  With custom ASIC/PLD advances, my *guess* is that 
you could do pretty well with a "designed on a Web site or at University" 
chip for less than the cost of a new car.

None of these things is horrible, but they all start to crack at the wall.  

I didn't get a sense from the draft of how 12 characters was at the lowest 
bound, but I'll try to do some more digging once I'm off vacation and can 
talk to a few more math/crypto savvy folks about some of my assumptions.

Until then, I'd appreciate any other insights people have.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
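
The arithmetic debated in this message, worked as an added example (not code from the thread or its participants): exhaustive search over 12-character passwords against a constructed dictionary run, with a speedup factor standing in for faster hardware. The 4.1e6 hashes/second rate, the million processors and the 12-character length are the thread's figures; the alphabet sizes, the speedup values and the dictionary size are assumptions chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
MD5_DIGEST_BYTES = 16  # an MD5 digest is 128 bits


def keyspace(alphabet: int, length: int) -> int:
    """Candidate passwords of exactly `length` characters."""
    return alphabet ** length


def table_bytes(candidates: int) -> int:
    """Storage for one raw digest per candidate (no plaintext, no separators)."""
    return candidates * MD5_DIGEST_BYTES


def mean_years(candidates: int, rate_per_cpu: float, cpus: int) -> float:
    """Expected exhaustive-search time; on average half the space is tried."""
    return candidates / 2 / (rate_per_cpu * cpus) / SECONDS_PER_YEAR


def dictionary_seconds(words: int, rules: int, rate_per_cpu: float) -> float:
    """Worst-case time for one CPU to hash every word under every mangling rule."""
    return words * rules / rate_per_cpu


def estimate(alphabet: int, length: int = 12, rate_per_cpu: float = 4.1e6,
             cpus: int = 10**6, speedup: float = 1.0) -> dict:
    """Bundle the figures for one alphabet; `speedup` models faster hardware."""
    n = keyspace(alphabet, length)
    return {
        "bits": math.log2(n),
        "table_bytes": table_bytes(n),
        "mean_years": mean_years(n, rate_per_cpu * speedup, cpus),
    }


if __name__ == "__main__":
    # Alphabet sizes are assumptions: lowercase, alphanumeric, printable ASCII,
    # and the 116 asked about in the message (116**12 is about 5.94e24).
    for alphabet in (26, 62, 95, 116):
        for speedup in (1, 100):
            e = estimate(alphabet, speedup=speedup)
            print(f"{alphabet:>3} chars x{speedup:<3} {e['bits']:5.1f} bits  "
                  f"{e['table_bytes']:.2e} B  {e['mean_years']:.3g} years")
    # Constructed dictionary: 10 million words, 1000 mangling rules, one CPU.
    print(f"dictionary: {dictionary_seconds(10**7, 1000, 4.1e6) / 60:.0f} minutes")
```

The output depends heavily on the alphabet size and on whether passwords are drawn uniformly from it, which is the gap between "typeable" and "memorable" raised in the thread.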
