OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 2nd quarter (Apr-Jun) 1995: Re: passwd hashing algorithm

Re: passwd hashing algorithm

David A. Wagner (dawagnerphoenix.Princeton.EDU)
Mon, 17 Apr 1995 17:35:19 -0400 (EDT) 

Just one trivial elaboration on an informative message from
Steve Bellovin:
> 
>                          There's only one facet of triple DES that's
> at all useful here:  it provides an easy way to accept longer passwords.
> But as I've noted, there are other ways to do that.  (Double DES is
> most likely quite sufficient if you want to pursue that route, though;
> few people are going to use passwords longer than 16 characters, and
> the attacks on double DES described in the cryptographic literature
> require O(2^55) storage, if I recall correctly -- I may be off by a
> factor or so of 2.)
> 

If anyone actually plans to use double DES (or triple DES)
for hashing passwords (which I don't recommend), be aware
that there's a huge difference between:

1. 25 iterations of DES with the first 8 bytes of the
   password as key, followed by 25 iterations of DES
   with the second 8 bytes of password as key.

2. repeat 25 times:
     an iteration of DES with the first 8 bytes of the
     password as key, followed by an iteration of DES
     with the second 8 bytes of password as key.

(1) can be broken on a workstation with ~ 2^32 steps (and
very little in the way of memory); (2) is probably very
strong.  The same comment goes for triple DES.

The moral of the story?  If you wanna hash a long string,
use a hash function (i.e. MD5), not a block cipher; or
else be very careful. :-)

-------------------------------------------------------------------------------
David Wagner                                             dawagnerprinceton.edu