Password hashing

Ben Laurie ben at links.org
Sat Oct 13 07:04:06 EDT 2007


Steven M. Bellovin wrote:
> On Thu, 11 Oct 2007 22:19:18 -0700
> james hughes <hughejp at mac.com> wrote:
> 
>> A proposal for a new password hashing based on SHA-256 or SHA-512 has
>> been proposed by RedHat but to my knowledge has not had any rigorous
>> analysis. The motivation for this is to replace MD-5 based password
>> hashing at banks where MD-5 is on the list of "do not use"
>> algorithms. I would prefer not to have the discussion "MD-5 is good
>> enough for this algorithm" since it is not an argument that the
>> customers requesting these changes are going to accept.
>>
> NetBSD uses iterated HMAC-SHA1, where the password is the key and the
> salt is the initial plaintext.  (This is my design but not my
> implementation.)

+1 to iterated HMAC-xxx, where xxx is a cryptographic hash of your choosing.

Easy to implement, hard to get wrong, somewhat understood security
properties.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
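
The construction named in the message above (iterated HMAC with the password as the key and the salt as the initial plaintext), as an added example; it is not code from the post and not NetBSD's implementation. The function names, the `$ihmac$` record layout, the digest allow-list and the default iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ALLOWED_DIGESTS = {"sha1", "sha256", "sha512"}  # assumed allow-list for this sketch

def iterated_hmac(password: bytes, salt: bytes, iterations: int,
                  digest: str = "sha256") -> bytes:
    """U_1 = HMAC(password, salt); U_i = HMAC(password, U_{i-1}); return U_n."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    if digest not in ALLOWED_DIGESTS:
        raise ValueError("unsupported digest")
    # Key the HMAC once, then copy the keyed state for each round.
    keyed = hmac.new(password, digestmod=digest)
    block = salt
    for _ in range(iterations):
        h = keyed.copy()
        h.update(block)
        block = h.digest()
    return block

def make_record(password: str, iterations: int = 100_000,
                digest: str = "sha256") -> str:
    """Hash with a fresh random salt and serialise everything needed to verify."""
    salt = secrets.token_bytes(16)
    tag = iterated_hmac(password.encode("utf-8"), salt, iterations, digest)
    # Hypothetical layout: $ihmac$<digest>$<iterations>$<salt hex>$<hash hex>
    return f"$ihmac${digest}${iterations}${salt.hex()}${tag.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute from the stored parameters; compare in constant time."""
    try:
        _, scheme, digest, iterations, salt_hex, tag_hex = record.split("$")
        if scheme != "ihmac":
            return False
        expected = bytes.fromhex(tag_hex)
        actual = iterated_hmac(password.encode("utf-8"),
                               bytes.fromhex(salt_hex), int(iterations), digest)
    except ValueError:  # malformed record, bad hex, bad count, unknown digest
        return False
    return hmac.compare_digest(actual, expected)
```

Storing the digest name and iteration count in the record lets the work factor be raised later without invalidating existing hashes.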


