[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Open Xlock as root



"Craig R.P. Heath" writes:
>No, you're right, that was the weakness I was thinking of.  I do think
>that collisions are of significant concern in password algorithm
>though.  If I'm doing an exhaustive search against an encrypted
>password, and there are actually four possible strings which hash to
>that value, then on average I will find a password that works four
>times more quickly.

Look, it's a digest.  If it's good, it has infinitely many collisions!
(If it doesn't have infinitely many collisions for any particular
digest, then it is not equally weighted, and so is a bad digest
algorithm.)

But you are wrong that that if you have four possible strings, you
will find the result four times as quickly, and, in fact, what I just
said proves it ad absurdum.  There are infinitely many collisions, but
it is not inifinitely "faster" (faster than what?) because "inifinitely
faster", if it has any meaning at all, means "instantaneously", which
is clearly not true.

Essentially, worthwhile crack attempts are not random; they use human
language information characteristics to narrow the search, and within
those boundaries, collisions will be much less likely, and there are
probably very few collisions between the relatively short strings that
people use as passwords anyway.

There is absolutely no type of password crack known or in use that any
known weakness of MD5 is affected by.  That doesn't mean that such a
thing will never be found, but the fact that some of the world's top
cryptographers are having such a difficult time attacking MD5 indicates
that it is pretty good.  And one of the characteristics of a good digest,
remember, is extremely few collisions for relatively short strings (that's
relative to the digest length).

>Having said that, I'm sure collisions are possible
>with the libcrypt algorithm too, and I don't have any information as to
>which is worse.  I only wished to point out that MD5 wasn't necessarily
>better.
...
>Quite right, I wasn't defending the 8 character limit.  Several
>implementations (ours among them) use an extension of the libcrypt
>algorithm which handles long passwords as a chain of 8-character
>chunks; each chunk provides the salt for the next one.  I'm quite
>happy with that.

As long as they are true cipher feedback (early ones had no feedback
at all, not even plaintext feedback, and so *reduced* the quality
of the password the longer they got...), that's fine.  But you suggest
that crypt is also a hash, and you can do both cipher feedback and
plaintext feedback with chaining md5 rounds as well.  plaintext
feedback is trivial -- it's so easy that I've done it, using the
standard md5 API.  cipher feedback might be a tiny bit harder.

If someone could push a better md5-based implementation through, that
would be cool.  It's much easier to get digest-based authentication
schemes out of the US...  But who is going to convince everyone to
change password algorithms *again*?  Not me.  :-)

michaelkjohnson

"Magazines all too frequently lead to books and should be regarded by the
 prudent as the heavy petting of literature."            -- Fran Lebowitz
 Linux Application Development     http://people.redhat.com/johnsonm/lad/



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []