Subject: Re: default passwd.conf file
To: None <tech-security@NetBSD.org>
From: bob smith <sfmc68@verizon.net>
List: tech-security
Date: 06/27/2005 17:55:45
Steven M. Bellovin wrote:
>In message <87ekany8yt.fsf@jules.thundrix.ch>, Tonnerre Lombard writes:
>
>
>>"Perry E. Metzger" <perry@wasabisystems.com> writes:
>>
>>
>>>Unless there are quite solid objections, I would like to make the
>>>following our standard /etc/passwd.conf:
>>>
>>>--------------------------------------------------
>>>default:
>>> localcipher = md5
>>> ypcipher = old
>>>--------------------------------------------------
>>>
>>>Note that there is no obvious reason to object. Old password files
>>>will still work. New passwords will use md5, but if an admin doesn't
>>>like that he can just change localcipher to old.
>>>
>>>
>>I have to object that the use of md5 is discouraged since the end of
>>last year at least, when a method was discovered to produce
>>collisions in the MD5 keyspace in an automatic way using mathematics
>>(so it's not a pure bruteforce type thing). The use of SHA1 is
>>discouraged as well, since it's not clear how much it's influenced by
>>the problems the MD family has. SHA256, SHA384, SHA512 and SHA768 are
>>the recommended candidates.
>>
>>So I would suggest at least going for SHA1, since in contrast to MD5
>>there's not yet a O(1) attack against it.
>>
>>
>
>The attack on MD5 is a collision attack: it's possible to produce two
>input messages that have the same MD5 value. That's not a threat that
>applies here -- at most, it means that you could pick two passwords
>that have the same hashed value. I don't think that that's a threat --
>but even if it were, the salting process would prevent someone from
>actually creating two such passwd file entries.
>
>SHA1 per se is threatened by the same attack, though the current
>results require 2^69 work to carry it out. The attack is thus not
>practical. Even if it were, the same comments apply: it's a collision
>attack, not a "preimage" attack. Besides, our SHA1 code uses
>HMAC-SHA1, which completely negates the attack.
>
>Moving away from the old DES-based design is important, not because DES
>is weak -- for this situation, that's far from the real issue -- but
>because it limits passwords to 8 characters. MD5 and SHA1 are far
>better in that regard. On a number of theoretical grounds, the SHA1
>design is better. However, as far as I know no other systems have
>adopted that design, whereas the MD5 scheme is relatively common. It
>thus makes a better default.
>
>I should add that the real threat to any password scheme is offline
>guessing attacks. None of these help much there....
>
> --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
>
>
>
Well said and on the mark in my opinion. Separating "vulnerability" from
"threat" or "threat environment" takes a given vulnerability out of context.
vr
bad bob
--
Dance like no one is watching, sing like no one is listening, live like it is your last day.
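An added illustration of the three points made in the quoted message (it is not code from the thread or from NetBSD's libcrypt, and the hash format is a simplified stand-in for md5crypt, not the real one): the traditional DES scheme only looks at the first 8 characters, a per-entry salt keeps two users with the same password from producing the same hash, and switching the digest does nothing to reduce the number of guesses an offline attacker needs. The wordlist and passwords below are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed example, not NetBSD's password code. Hash layout is
# H(salt || password) in hex; the real md5crypt format differs.


def des_style_key(password: str) -> str:
    """Model the traditional DES crypt(3) limit: only the first 8 chars count."""
    return password[:8]


def des_limit_collides(a: str, b: str) -> bool:
    """True if two different passwords verify identically under the 8-char limit."""
    return a != b and des_style_key(a) == des_style_key(b)


def salted_hash(password: str, salt: bytes, algorithm: str = "md5") -> str:
    """Salted digest of the full password; 'algorithm' is any hashlib name."""
    h = hashlib.new(algorithm)
    h.update(salt)
    h.update(password.encode("utf-8"))
    return h.hexdigest()


def make_entry(password: str, algorithm: str = "md5") -> dict:
    """Build a passwd-style record with a fresh random salt per entry."""
    salt = os.urandom(8)
    return {
        "alg": algorithm,
        "salt": salt.hex(),
        "hash": salted_hash(password, salt, algorithm),
    }


def verify(entry: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    expected = salted_hash(candidate, bytes.fromhex(entry["salt"]), entry["alg"])
    return hmac.compare_digest(expected, entry["hash"])


def offline_guess(entry: dict, wordlist: list) -> tuple:
    """Simulate offline guessing against one entry.

    Returns (matching_guess, guesses_used); the guess count depends only on
    the wordlist and the password, not on which digest the entry uses.
    """
    for count, guess in enumerate(wordlist, start=1):
        if verify(entry, guess):
            return guess, count
    return None, len(wordlist)


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    wordlist = ["letmein", "password", "hunter2"]
    print(des_limit_collides("correcthorse", "correcthorsebattery"))  # True
    md5_entry = make_entry("hunter2", "md5")
    sha_entry = make_entry("hunter2", "sha256")
    print(offline_guess(md5_entry, wordlist), offline_guess(sha_entry, wordlist))
```

The two entries for the same password differ only in their salt, so an attacker cannot tell from the file that the accounts share a password; but as the quoted message says, once the file is offline the work is the same guess loop whichever digest is configured.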