Password hashing
Damien Miller
djm at mindrot.org
Fri Oct 12 19:32:44 EDT 2007
On Thu, 11 Oct 2007, james hughes wrote:
> I forgot to add the links...
> http://people.redhat.com/drepper/sha-crypt.html
> http://people.redhat.com/drepper/SHA-crypt.txt
>
> On Oct 11, 2007, at 10:19 PM, james hughes wrote:
>
> > A proposal for a new password hashing based on SHA-256 or SHA-512 has been
> > proposed by RedHat but to my knowledge has not had any rigorous analysis.
> > The motivation for this is to replace MD-5 based password hashing at banks
> > where MD-5 is on the list of "do not use" algorithms. I would prefer not to
> > have the discussion "MD-5 is good enough for this algorithm" since it is not
> > an argument that the customers requesting these changes are going to accept.
Some comments:
* Use of an off-the-shelf algorithm like SHA1 might be nice for "tick here
for FIPS certification", but it renders the hashing scheme more
vulnerable to dictionary attacks assisted by (near-)commodity hardware.
Contrast with OpenBSD's blowfish scheme, which is deliberately designed
to not be implementable using off-the-shelf crypto accelerator chips.
* Hideously obfuscated and overcomplicated. Comments like those on step 11
of the algorithm (some mumbo jumbo about a completely deterministic step
"adding randomness") and the absence of any rationale for the complexity
seem to indicate that they believe a complicated design will somehow
thwart attacks by itself.
* Why specify the number of rounds directly? Most password and KDF schemes
use an exponential scheme to match Moore's law.
-d
---------------------------------------------------------------------
The Cryptography Mailing List