[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: EPS support in future pam_unix replacement



> > Let me also suggest something: stop using non-iterated SHA-1 hashes
> > before they're used any wider.  Use a modern iterated hash intended
> > for passwords instead.
> 
> Could you please provide a pointer to information about these iterated
> hash algorithms? They are news to me.

Well, slower hashes are used to make key searches more expensive
since at least 24 years ago:

April 3, 1978
...
Password Security:
A Case History
...
IMPROVEMENTS TO THE FIRST APPROACH

Slower Encryption
...
Obviously, the first algorithm used was far too fast.
The announcement of the DES encryption algorithm [2]
by the National Bureau of Standards
was timely and fortunate.
The DES is, by design, hard to invert, but equally valuable
is the fact that it is extremely slow when implemented in
software.
...
Then the DES algorithm is iterated 25 times ...

These quotes are from the Unix V7 manual,
http://plan9.bell-labs.com/7thEdMan/vol2/password

My opinion is that the slow-in-software property of DES was in fact
undesirable (I'll avoid going into that much detail for this post),
but the use of multiple iterations was a good idea.

The 25 iterations effectively "stretch" the passwords by about 5 bits.

However, processors become faster while the size of passwords remains
about the same, so a constant iteration count isn't sufficient.  David
Burren's "FreeSec" (1994), which is an implementation of crypt(3) for
NetBSD (now used on all three *BSD's), adds a "new-style" mode where
a different iteration count (24-bit) may be specified on an installed
system (to be used for new passwords) without affecting compatibility.
(The same hashing method is also found on BSDI, and is actually used
there.  It is possible that their implementation appeared earlier, I
just don't know.)

I am now using this hashing method on some systems (Linux) at 100001
iterations.  In order to achieve the same level of security with the
traditional crypt(3), the users would need to remember 12 bit longer
passwords.

Finally, the Blowfish-based password hashes found on OpenBSD also
support a variable iteration count, and they're what we should be
using these days:

	http://www.openwall.com/crypt/
	http://www.usenix.org/events/usenix99/provos.html

Signed,
Solar Designer





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []