-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2010/01/28 12:11, Chris Palmer wrote:
> Xin LI writes:
> 
>> The slowness was useful at the time when the code was written, but I don't
>> think it would buy us as much nowadays; expect the slowness to be halved from
>> time to time, not to mention the use of distributed techniques to
>> accelerate the build of dictionaries.
> 
> The goal is to make the attacker *have* to use distributed techniques and to
> buy more gear, rather than simply be able to brute them all in a few minutes
> on a single cheap PC. MD5_SLOW is the factor by which you increase the
> attacker's cost; it is easy for the defender to go very high here because
> checking any one password is still fast. Distributed attacks existed when
> PHK wrote the code originally, too -- I don't think anything has
> fundamentally changed since then. Attackers use arrays of GPUs now? Ok,
> increase MD5_SLOW some more.

Isn't it a losing battle, if we increase something linearly to defeat
something growing in geometric order?

Defenders must carefully protect all weak points, while the attacker
simply goes for the weakest link of the whole system.

>> Second, recent research has shown MD5 to be vulnerable to collision
>> attacks [1] by the end of 2008.
> 
> I'm not sure that attack against MD5 is relevant here, because we're not
> using it in a way where collisions hurt. (Someone correct me if I'm wrong.)

Yes and no.

Collision attacks themselves would do nothing against our scenario.  The
design in crypt-md5.c not only "slows down" the computation, but also
introduces additional protection by using intermediate hashes when doing
the computation, like OPIE, which makes collisions harder to use.

> In fact, moving to a modern hash would weaken the defense, because e.g.
> Skein is brilliantly fast -- the opposite of our goal.

Modern hash algorithms are fast, but fast by itself is not anything wrong.

Another benefit newer hash algorithms usually give is many more output
bits, and every bit in the output doubles the space needed to store the
dictionary needed by the attacker, as well as the number of samples
they presumably need to compute, while halving the chance they generate
a collision for one given round.

Cheers,
- -- 
Xin LI <delp...@delphij.net>    http://www.delphij.net/
FreeBSD - The Power to Serve!          Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (FreeBSD)

iQEcBAEBAgAGBQJLYfw8AAoJEATO+BI/yjfBTkIIAIp7NzGUdxqoRw7MbK/TzfOH
Rx2cQzn/ld0eVTdPLHWBCShPgajcWiH99j3XPU7nj+JSl+B3qitmEu+Am/zT5GhZ
wv8B9Vp+0aHrsOTdVEGw4yYHtE93VDEAzkdJ1PZndVJl/TSAWoxvIfkIkuLUJMp8
9zO53dSkM1EzIveTk5lCbDErYL8AlN+A1tIeycRTaFUhEbbRWzvcRzZ9iqCfUoB9
3WvHMykbFYfLHHEbT0dwQ3M1JzDDl51sBqxGUEUYlMkvfgrBa29r+LpvxO6+8ZiY
aHrXZFU5O5RGNlJSRbbT0CkFKkpVWmLkyvJ2zhDEoIQx9Hpn8YRta6JqushEW8o=
=ZB3V
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
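The thread above argues about the iteration count in crypt-md5.c (the cost knob Chris calls MD5_SLOW) and about collisions not mattering because of the intermediate hashes. The example below is added here and is not code from the list, from crypt-md5.c or from any FreeBSD source; it is my own Python reconstruction of PHK's $1$ construction (the salted pre-hash, the length-dependent mixing, the per-round alternation of password, salt and previous digest, and the crypt(3)-style base64 with its byte reordering), with the round count exposed as a parameter so the defender/attacker cost ratio can be measured rather than stated. The default of 1000 rounds, the `hunter2` / `c0nstrct` sample values and the constructed guess list are assumptions of the example; `digests_per_guess` counts how many MD5 finalisations one password check costs, which is the factor every dictionary entry has to pay.

```python
"""Reconstruction of the md5crypt ($1$) construction used by crypt-md5.c,
with the fixed 1000-round loop exposed as a parameter.  Added example, not the
FreeBSD code itself; verify against a system crypt(3) before relying on it."""
import hashlib
import hmac
import os
import time

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"
DEFAULT_ROUNDS = 1000  # assumption: the loop count in crypt-md5.c


def _to64(v: int, n: int) -> bytes:
    """crypt(3)-style base64: emit the low 6 bits first, n characters."""
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes, rounds: int = DEFAULT_ROUNDS, md5=hashlib.md5) -> bytes:
    """Return b'$1$<salt>$<22 chars>'.  `md5` is injectable so cost can be counted."""
    salt = salt.split(b"$", 1)[0][:8]          # at most 8 salt bytes, stop at '$'
    ctx = md5(password + MAGIC + salt)
    # Intermediate hash of password+salt+password, fed in password-length chunks.
    alt = md5(password + salt + password).digest()
    pl = len(password)
    while pl > 0:
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    # Length-dependent mixing: one byte per bit of len(password).
    i = len(password)
    while i:
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    # The slow part: each round re-hashes a different mix of pw, salt and the
    # previous digest, so a guess cannot skip ahead or reuse work across salts.
    for i in range(rounds):
        ctx1 = md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    # Output encoding with the byte permutation crypt-md5 uses.
    enc = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    enc += _to64(final[11], 2)
    return MAGIC + salt + b"$" + enc


def verify(password: bytes, stored: bytes, rounds: int = DEFAULT_ROUNDS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    if not stored.startswith(MAGIC):
        return False
    salt = stored[len(MAGIC):].split(b"$", 1)[0]
    return hmac.compare_digest(md5crypt(password, salt, rounds), stored)


class _CountingMD5:
    """hashlib.md5 stand-in that counts digest() calls (one per MD5 finalisation)."""
    count = 0

    def __init__(self, data: bytes = b""):
        self._h = hashlib.md5(data)

    def update(self, data: bytes) -> None:
        self._h.update(data)

    def digest(self) -> bytes:
        _CountingMD5.count += 1
        return self._h.digest()


def digests_per_guess(rounds: int, password: bytes = b"hunter2", salt: bytes = b"c0nstrct") -> int:
    """How many MD5 finalisations one password check (and so one attacker guess) costs."""
    _CountingMD5.count = 0
    md5crypt(password, salt, rounds, md5=_CountingMD5)
    return _CountingMD5.count


if __name__ == "__main__":
    salt = os.urandom(6).hex().encode()[:8]
    guesses = [b"guess%d" % n for n in range(200)]   # constructed dictionary
    for r in (1000, 4000):
        t0 = time.perf_counter()
        for g in guesses:
            md5crypt(g, salt, r)
        print(f"rounds={r}: {digests_per_guess(r)} MD5 per guess, "
              f"{len(guesses)} guesses in {time.perf_counter() - t0:.3f}s")
```

Raising `rounds` multiplies the attacker's per-guess work by the same factor it multiplies the defender's single check, which is the linear trade-off Xin is questioning: the measured cost grows with the round count, not with the attacker's hardware. Before trusting the reconstruction for anything real, compare its output for a fixed salt against the system `crypt(3)` or `openssl passwd -1 -salt <salt>`.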
