On Mon, Apr 05, 2010 at 03:03:57PM -0500, Mike Gerdts wrote:
> On Mon, Apr 5, 2010 at 2:35 PM, Nicolas Williams
> <[email protected]> wrote:
> > MD5 crypt is much better than the old Unix crypt. Collision attacks on
> > hash functions are not interesting in this case (what are you trying to
> > collide with?). Pre-image attacks are interesting; there are still no
> > known pre-image attacks on MD5.
>
> Ahh, thanks. I was thinking of potential pre-image attacks and
> misusing the term collision attack.
Also, as Jeff points out, the main benefit is in the greater length of
passwords that MD5 crypt allows.
> Initially I only found the table (hashes per second using John the
> Ripper) interesting, but a quick glance at the referenced document
> suggests it may be a good read too. Last time I looked, John didn't
> support SHA{256,512} and as such the timings are not available, hence
> numbers are not readily available. To a certain degree it implies
> that script kiddies will have no chance because the code isn't written
> (in the most obvious place).
Modern crypt variations have an iteration count, such that to slow down
crypt() you need only increase the iteration count instead of having to
replace the underlying cryptographic algorithm.
For you the main issue may well be interoperability. Find a non-Unix
crypt supported by all OSes that you're using/supporting and use that.
> > By protecting crypted
> > passwords from being read by attackers you prevent the attack in the
> > first place.
>
> Of course. I'm shopping for a belt and suspenders. :)
If you're using NIS then you get not much in the way of belt and
suspenders.
Nico
--
_______________________________________________
security-discuss mailing list
[email protected]
