PHK's MD5 might not be slow enough anymore

Poul-Henning Kamp phk at phk.freebsd.dk
Thu Jan 28 22:37:06 UTC 2010 

In message <20100128182413.GI892 at noncombatant.org>, Chris Palmer writes:

>        /*
>         * and now, just to make sure things don't run too fast
>         * On a 60 Mhz Pentium this takes 34 msec, so you would
>         * need 30 seconds to build a 1000 entry dictionary...
>         */

A number of points:

1. I'm not sure slowing it down buys very much security, as far as
   I know, brute-forcing $1$ is still out of the question, mostly 
   because of the wide salt.

2. Most "brute force" attacks are dictionary attacks, and slowing
   the algorithm down for those is pointless:  The bad guys have
   grids of Nx100k machines to grind.  Even making it take half a
   second will not inconvenience them much.

3. Compatibility: as far as I know, we have a configurable mechanism
   for choosing preferred crypt algo for new passwords, and
   autodetection on old passwords.

4. Encoding #rounds:  one of the OpenBSD derivatives for $1$ does that,
   consider adoption, rather than NIH.  Increased strength against
   rainbow and dictionaries can be had by making the low bits in
   #rounds a salt.

5. Cross system compat: A valid concern in some environments (See
   #3) and not in others.  Certainly not a valid reason to never 
   change algorithm again (see #6).

6. The major point behind $1$ was lost:  You can change algorithm with
   a frequency of twice your password expiry time.  My intent back
   in the middle of the nineties was not to write the "endlösung"
   for password encryption, but rather to point out that password
   hashing is "kleenex-crypto" which can, and should, be swapped at
   regular intervals.  Every 15 years may be sufficiently regular.

7. Consider preempting the bike-shed, by asking some card-carrying
   cryptographers for the correct way to employ a crypto-hash algorithm
   in a way that does soak up some CPU time.

8. A number of interesting ideas was battered about back when $1$
   was introduced, check mail archives and read the OpenBSD paper,
   even though it is mostly plagarism.

Poul-Henning

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

More information about the freebsd-security mailing list