Subject: Re: PROPOSAL: adding capability for blowfish passwords
To: Sean Davis <email@example.com>
From: Steven M. Bellovin <firstname.lastname@example.org>
Date: 05/23/2002 07:35:12
In message <20020523095003.GA17947@endersgame.net>, Sean Davis writes:
>Hi, I have been looking into different password schemes recently, and was
>Is there any interest in adding the functionality for blowfish crypt() to
>NetBSD? I am thinking about porting the relevant code, but see no reason to
>do so unless others might want it as well.
>If there is enough interest to make it worth my while, I will port the code
>from OpenBSD, and add code so that it could be enabled/disabled in
>passwd.conf, as well as by the standard syntax for crypt (being that
>blowfish would use '2' instead of '1' in the salt argument to crypt())
>Any feedback is appreciated.
In my opinion, there's no technical reason to do it. If you want to
add a new scheme, SHA512 would be a much better choice. The only
reason I can see is password file compatibility with OpenBSD.
First, passwords are not "encrypted", they're *hashed*. That is,
encryption has the property that it's reversible; one can go from the
ciphertext to the plaintext. The password scheme is by intent
irreversible (see the Morris and Thompson paper in the November 1979
issue of CACM -- which, come to think of it, might be in the
newly-freed Unix documents) for more details on the design.
To achieve that, the DES-based scheme uses the password as the key when
encrypting a known value -- ciphers are designed to resist recovery of
the key. But that's what limited people to 8-character passwords --
that was the key length. Blowfish can do better, of course, but
there's really no point -- SHA512 is almost certainly as strong
cryptographically, and has no limit on input size. SHA512 *is* a
secure hash function, which is what the current scheme is trying to
emulate (secure hash functions didn't exist in 1979; they'd just barely
been speculated on).
If SHA512 falls to a cryptanalytic attack, all of our other
cryptographic hash functions (including MD5) will almost certainly fall
as well; they're based on the same principles. But such attacks are
almost certainly much harder than the real weak point of passwords:
As I recall, Blowfish uses 64-bit blocks. That alone is reason enough
to use SHA512, which uses 512-bit blocks: there's less chance of a
random collision (not that you'll see either collide).
(The only technical reason to even think about Blowfish is because its
key setup operation is slow. But you can achieve the same goal by
iterating SHA512 enough times. Frankly, I don't know which is slower,
a single SHA512 or a single Blowfish setup/encrypt operation.)
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)