Subject: Re: default passwd.conf file
To: None <tech-security@NetBSD.org>
From: bob smith <sfmc68@verizon.net>
List: tech-security
Date: 06/27/2005 17:55:45
Steven M. Bellovin wrote:

>In message <87ekany8yt.fsf@jules.thundrix.ch>, Tonnerre Lombard writes:
>>"Perry E. Metzger" <perry@wasabisystems.com> writes:
>>>Unless there are quite solid objections, I would like to make the
>>>following our standard /etc/passwd.conf:
>>>
>>>--------------------------------------------------
>>>default:
>>>        localcipher = md5
>>>        ypcipher = old
>>>--------------------------------------------------
>>>
>>>Note that there is no obvious reason to object. Old password files
>>>will still work. New passwords will use md5, but if an admin doesn't
>>>like that he can just change localcipher to old.
>>I have to object that the use of md5 is discouraged since the end of
>>last year at least, when a method was discovered to produce
>>collisions in the MD5 keyspace in an automatic way using mathematics
>>(so it's not a pure bruteforce type thing). The use of SHA1 is
>>discouraged as well, since it's not clear how much it's influenced by
>>the problems the MD family has. SHA256, SHA384, SHA512 and SHA768 are
>>the recommended candidates.
>>
>>So I would suggest at least going for SHA1, since in contrast to MD5
>>there's not yet a O(1) attack against it.
>
>The attack on MD5 is a collision attack: it's possible to produce two 
>input messages that have the same MD5 value.  That's not a threat that 
>applies here -- at most, it means that you could pick two passwords 
>that have the same hashed value.  I don't think that that's a threat -- 
>but even if it were, the salting process would prevent someone from 
>actually creating two such passwd file entries.
>
>SHA1 per se is threatened by the same attack, though the current 
>results require 2^69 work to carry it out.  The attack is thus not 
>practical.  Even if it were, the same comments apply: it's a collision 
>attack, not a "preimage" attack.  Besides, our SHA1 code uses 
>HMAC-SHA1, which completely negates the attack.
>
>Moving away from the old DES-based design is important, not because DES 
>is weak -- for this situation, that's far from the real issue -- but 
>because it limits passwords to 8 characters.  MD5 and SHA1 are far 
>better in that regard.  On a number of theoretical grounds, the SHA1 
>design is better.  However, as far as I know no other systems have 
>adopted that design, whereas the MD5 scheme is relatively common.  It 
>thus makes a better default.
>
>I should add that the real threat to any password scheme is offline 
>guessing attacks.  None of these help much there....
>
>		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
>
Well said and on the mark in my opinion.  Separating "vulnerability" from
"threat" or "threat environment" takes a given vulnerability out of context.
vr
bad bob

-- 
Dance like no one is watching, sing like no one is listening, live like it is your last day.
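The passwd.conf layout quoted in this thread, as an added example that is not part of the thread and not NetBSD's own code: it parses the proposed file, resolves the cipher for a user (a per-user section overriding `default` is an assumption, as is the `old` fallback when nothing is set), and reports the 8-character limit the thread attributes to the DES-based scheme.

```python
"""Minimal parser for the passwd.conf layout quoted in this thread (constructed
example; section/lookup rules beyond the quoted snippet are assumptions)."""
from typing import Dict, Optional

# Constructed sample: the proposed default plus an assumed per-user override.
SAMPLE_PASSWD_CONF = """\
# proposed standard /etc/passwd.conf (from the thread)
default:
        localcipher = md5
        ypcipher = old
# assumed per-user section: keep the DES-based scheme for one account
legacy:
        localcipher = old
"""

# Assumed from the thread: with the DES-based "old" cipher only the first
# 8 characters of a password are significant; md5 has no such limit.
MAX_SIGNIFICANT_CHARS = {"old": 8}


def parse_passwd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; sections end with ':' and options are indented."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not raw[0].isspace() and line.endswith(":"):
            current = line[:-1].strip()            # new section header
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
        else:
            raise ValueError(f"malformed passwd.conf line: {raw!r}")
    return sections


def cipher_for(sections: Dict[str, Dict[str, str]], user: str,
               option: str = "localcipher", fallback: str = "old") -> str:
    """Per-user section wins over 'default'; 'fallback' applies when neither sets it (assumption)."""
    for name in (user, "default"):
        value = sections.get(name, {}).get(option)
        if value:
            return value
    return fallback


def significant_password_length(cipher: str) -> Optional[int]:
    """Characters actually checked by the cipher; None means no truncation."""
    return MAX_SIGNIFICANT_CHARS.get(cipher)
```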