Re: CISCO MD5 encryption

[Jeffrey Walton <noloader () gmail com>]

On Tue, Feb 22, 2011 at 6:59 PM, Saif El Sherei <SSherei () npcegypt com> wrote:
> I forgot to mention it's salted hashed that's used by Linux distros, open-ssl
> and a lot of popular web applications.
As previously stated - folks are engineering collisions on it. MD5 is
broken, regardless of who is using it. I'm not even sure it can be
used as a PRF, But that's not stopping FreeBSD (they also use ARC4,
which is biased).

Linux distros: I believe they are using Blowfish by default for the
password file. For those who have down graded, I hope you (or myself)
don't have an account on the system

open-ssl: OpenSSL supports the algorithm. However, if you generate a
new certificate, then SHA1 is used. The problems with OpenSSL defaults
are (1) RSA moduli of 512 by default, and (2) SHA1 by default. 112
bits of security is now recommended. That means moduli of 2048 and
SHA-224.

Popular web applications: they may be popular, but they are not
secure. For example, I recently looked at vBulletin and PhpBB.
vBulletin uses MD5, and (I believe) PhpBB uses it under certain
circumstances (if it uses hashing at all). Neither can pass an audit.

Jeff

[SNIP]

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------