Subject: Re: PROPOSAL: adding capability for blowfish passwords
To: Sean Davis <dive-nb@endersgame.net>
From: Steven M. Bellovin <smb@research.att.com>
List: current-users
Date: 05/23/2002 07:35:12
In message <20020523095003.GA17947@endersgame.net>, Sean Davis writes:
>Hi, I have been looking into different password schemes recently, and was
>wondering:
>Is there any interest in adding the functionality for blowfish crypt() to
>NetBSD? I am thinking about porting the relevant code, but see no reason to
>do so unless others might want it as well.
>
>If there is enough interest to make it worth my while, I will port the code
>from OpenBSD, and add code so that it could be enabled/disabled in
>passwd.conf, as well as by the standard syntax for crypt (being that
>blowfish would use '2' instead of '1' in the salt argument to crypt())
>
>Any feedback is appreciated.

In my opinion, there's no technical reason to do it.  If you want to 
add a new scheme, SHA512 would be a much better choice.  The only 
reason I can see is password file compatibility with OpenBSD.

First, passwords are not "encrypted", they're *hashed*.  That is, 
encryption has the property that it's reversible; one can go from the 
ciphertext to the plaintext.  The password scheme is by intent 
irreversible (see the Morris and Thompson paper in the November 1979 
issue of CACM -- which, come to think of it, might be in the 
newly-freed Unix documents) for more details on the design.

To achieve that, the DES-based scheme uses the password as the key when 
encrypting a known value -- ciphers are designed to resist recovery of 
the key.  But that's what limited people to 8-character passwords -- 
that was the key length.  Blowfish can do better, of course, but 
there's really no point -- SHA512 is almost certainly as strong 
cryptographically, and has no limit on input size.  SHA512 *is* a 
secure hash function, which is what the current scheme is trying to 
emulate (secure hash functions didn't exist in 1979; they'd just barely 
been speculated on).

If SHA512 falls to a cryptanalytic attack, all of our other 
cryptographic hash functions (including MD5) will almost certainly fall 
as well; they're based on the same principles.  But such attacks are 
almost certainly much harder than the real weak point of passwords:  
guessability.

As I recall, Blowfish uses 64-bit blocks.  That alone is reason enough 
to use SHA512, which uses 512-bit blocks:  there's less chance of a 
random collision (not that you'll see either collide).

(The only technical reason to even think about Blowfish is because its 
key setup operation is slow.  But you can achieve the same goal by 
iterating SHA512 enough times.  Frankly, I don't know which is slower, 
a single SHA512 or a single Blowfish setup/encrypt operation.)

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com ("Firewalls" book)
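The iterated-SHA512 idea from the message above, as an added example that is not part of the original thread and not NetBSD or OpenBSD code: a salted hash whose work factor is a tunable round count, stored with the parameters needed to re-check it. The `$isha512$<rounds>$<salt>$<hash>` encoding and the `isha512` name are assumptions made up for this example, not the SHA-crypt format that was later standardised.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical scheme identifier for this example only (not a real crypt() id).
SCHEME = "isha512"


def iterated_sha512(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Salted SHA-512 iterated `rounds` times.

    Each round feeds the previous digest back in with the salt and password,
    so the cost is `rounds` SHA-512 computations per candidate password,
    which is the same "slow setup" effect the message attributes to Blowfish.
    The salt makes identical passwords hash differently, so a guesser cannot
    share work across accounts.
    """
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    digest = hashlib.sha512(salt + password).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha512(digest + salt + password).digest()
    return digest


def hash_password(password: str, rounds: int = 100_000,
                  salt: Optional[bytes] = None) -> str:
    """Return the constructed "$isha512$<rounds>$<salt>$<hash>" string."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = iterated_sha512(password.encode(), salt, rounds)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"${SCHEME}${rounds}${b64(salt)}${b64(digest)}"


def verify_password(password: str, encoded: str) -> bool:
    """Recompute with the stored rounds and salt; compare in constant time."""
    try:
        _, scheme, rounds, salt_b64, hash_b64 = encoded.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        actual = iterated_sha512(password.encode(), salt, int(rounds))
    except ValueError:
        return False  # malformed record: wrong field count or bad integer/base64
    if scheme != SCHEME:
        return False
    return hmac.compare_digest(actual, expected)
```

Raising `rounds` is the only knob needed to keep pace with faster hardware, since the stored string carries the count used at hashing time.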