Subject: Re: /etc/passwd.conf
To: Steven M. Bellovin <smb@research.att.com>
From: Theo de Raadt <deraadt@cvs.openbsd.org>
List: tech-security
Date: 08/05/2003 22:10:09
> In message <20030805230630.15C7E13@coconut.itojun.org>, itojun@iijlab.net writes:
> 
> >
> >>I realize that I can set the defaults to md5, even if the default
> >>default changes to blowfish.  But given that blowfish is a boutique
> >>cipher, I would want to see a strong argument that there is something
> >>wrong with the md5 method before changing the default.  (Sorry if this
> >>has been made and I missed it.)
> >
> >	please read this.
> >	http://www.usenix.org/events/usenix99/provos/provos_html/
> >	Niels Provos and David Mazières, "A Future-Adaptable Password Scheme",
> >	1999 USENIX Annual Technical Conference
> >
> 
> I read it last time this subject came up.  I didn't agree with them 
> then, and I don't agree now.

So you would prefer to use the FreeBSD MD5 code, which the author
himself has said was cobbled together, without paying real attention
to the real mathematics of cryptography?

When it contains stuff like this:

        /* Then something really weird... */
        for (i = strlen(pw); i ; i >>= 1)
                if(i&1)
                    MD5Update(&ctx, final, 1);
                else
                    MD5Update(&ctx, (const unsigned char *)pw, 1);

Let me be very clear: FreeBSD MD5 ciphers are not a pure 'MD5
password' algorithm.  MD5 is too fast.  Rather, the code in question
uses MD5 internally, in many complicated and messed up ways that the
author threw together to try to make it sufficiently slow.

You've got three choices.

DES.

OpenBSD bcrypt.  (And to be clear: It is not blowfish; like the FreeBSD
MD5, bcrypt uses blowfish internally.  But that is where things stop being
similar, since bcrypt uses blowfish in cryptographically correct ways).

FreeBSD MD5.

So, Steve would prefer to use cobbled together FreeBSD MD5 stuff.

Will the real Steve Bellovin please stand up, the one who was involved
in a number of security publications?  Because I think the one who
just posted here must be a fraud.

Otherwise, start explaining WHY you disagree instead of just arguing
with your reputation.