Subject: Re: crypt(3)
To: None <email@example.com>
From: Tim Newsham <firstname.lastname@example.org>
Date: 11/15/1994 15:50:45
> Christopher Klaus says:
> > Talking newsham on IRC on the #netbsd channel, I pointed out that md5 is a
> > lot faster to compute than des, so pw cracking would be easier. newsham
> > pointed out that you can take nth of the md5 string. so, it might be a good
> > idea to include with the salt, a variable for taking the md5 to the nth
> > so that cracking with big dictionaries arent dramatically speeded up.
> I think increasing the size of the salt to, say, 16 bits or even more,
> would also be effective at discouraging dictionary attacks. Also, with
> arbitrary length passwords dictionary attacks become much less
> practical provided people start to use longer passphrases.
Since I was brought into this :) I'll outline the scheme I had envisioned
The hash function would have two parameters, an input string and
a salt string. The output would be a single string whose initial
characters contain the salt information.
The salt would be made up of two parts. The first part would be a number
N. The second part would be a random string R. The lengths of these
two parameters would be fixed (but I havent decided what they should
be). The first character of the salt should be a constant to distinguish
it from normal crypt(3) output.
The value N would specify that the number of feedback rounds should
be 2^N. The random string R would permute the hash function so that
precomputed and partially compute dictionaries are not practical.
The input string should be passed through a hash function permuted
by R a total of 2^N times with the output of each phase being the
input to the next stage.. for example:
do 2^N times:
temp = input XOR (R, R, R, R, R, R)
output = hash(temp)
input = output
After the loop is complete the output should be converted to an
ascii representation and put together as:
(identifier, N, R, output)
where identifier uniquely identifies the hash scheme from all others.
The crypt(3) function should be modified to call the new hash function
if the proper identifier is seen in the salt string. Otherwise the
old DES based hash function should be run on the input string. The
password program should be modified to generate the new format salts.
It should be set up to allow the system administrator to pick the
value of N to choose. The system administrator should pick the value
N such that a hash operation takes approximately one second of real
time. As machines are upgraded the value N should be adjusted upwardly.
This allows the hash function to respond to technological advances and
allows administrators to trade off convenience for security.