Subject: Re: default passwd.conf file
To: Tonnerre Lombard <tonnerre@thundrix.ch>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-security
Date: 06/27/2005 15:15:10
In message <87ekany8yt.fsf@jules.thundrix.ch>, Tonnerre Lombard writes:
>"Perry E. Metzger" <perry@wasabisystems.com> writes:
>> Unless there are quite solid objections, I would like to make the
>> following our standard /etc/passwd.conf:
>>
>> --------------------------------------------------
>> default:
>>         localcipher = md5
>>         ypcipher = old
>> --------------------------------------------------
>>
>> Note that there is no obvious reason to object. Old password files
>> will still work. New passwords will use md5, but if an admin doesn't
>> like that he can just change localcipher to old.
>
>I have to object that the use of md5 is discouraged since the end of
>last year at least, when a method was discovered to produce
>collisions in the MD5 keyspace in an automatic way using mathematics
>(so it's not a pure bruteforce type thing). The use of SHA1 is
>discouraged as well, since it's not clear how much it's influenced by
>the problems the MD family has. SHA256, SHA384, SHA512 and SHA768 are
>the recommended candidates.
>
>So I would suggest at least going for SHA1, since in contrast to MD5
>there's not yet an O(1) attack against it.

The attack on MD5 is a collision attack: it's possible to produce two 
input messages that have the same MD5 value.  That's not a threat that 
applies here -- at most, it means that you could pick two passwords 
that have the same hashed value.  I don't think that that's a threat -- 
but even if it were, the salting process would prevent someone from 
actually creating two such passwd file entries.

SHA1 per se is threatened by the same attack, though the current 
results require 2^69 work to carry it out.  The attack is thus not 
practical.  Even if it were, the same comments apply: it's a collision 
attack, not a "preimage" attack.  Besides, our SHA1 code uses 
HMAC-SHA1, which completely negates the attack.

Moving away from the old DES-based design is important, not because DES 
is weak -- for this situation, that's far from the real issue -- but 
because it limits passwords to 8 characters.  MD5 and SHA1 are far 
better in that regard.  On a number of theoretical grounds, the SHA1 
design is better.  However, as far as I know no other systems have 
adopted that design, whereas the MD5 scheme is relatively common.  It 
thus makes a better default.

I should add that the real threat to any password scheme is offline 
guessing attacks.  None of these help much there....

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
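The points made in the reply above (the salt binds an entry to one salt value, and the choice of digest function barely changes the cost of offline guessing, whereas an iterated scheme does) can be seen in the following added example. It is illustration code, not NetBSD's crypt(3) or passwd.conf implementation; the entry format `$alg$rounds$salthex$digesthex` and all function names are this example's own assumptions, and the sample passwords and wordlist are constructed.

```python
import hashlib
import hmac
import os
import time
from typing import List, Optional

# Entry layout used by this example (a hypothetical layout, not NetBSD's
# crypt(3) encoding): "$<alg>$<rounds>$<salt hex>$<digest hex>".


def make_entry(password: str, salt: bytes, alg: str = "md5", rounds: int = 1) -> str:
    """Hash `password` under `salt` with the named hashlib algorithm.

    The salt is mixed into every round, so an entry is bound to its salt:
    the same password under a different salt yields a different digest,
    and a table of digests precomputed for one salt is useless for another.
    """
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    digest = hashlib.new(alg, salt + password.encode()).digest()
    for _ in range(rounds - 1):
        digest = hashlib.new(alg, salt + digest).digest()
    return f"${alg}${rounds}${salt.hex()}${digest.hex()}"


def check_entry(entry: str, password: str) -> bool:
    """Verify a candidate password against an entry, comparing in constant time."""
    _, alg, rounds, salt_hex, _ = entry.split("$")
    recomputed = make_entry(password, bytes.fromhex(salt_hex), alg, int(rounds))
    return hmac.compare_digest(recomputed, entry)


def weak_password_audit(entry: str, wordlist: List[str]) -> Optional[str]:
    """Audit check an administrator runs on their own file: does this entry
    fall to a short list of common passwords? Returns the matching word or
    None. Because of the salt this is per-entry work; nothing is shared
    between entries with different salts."""
    for word in wordlist:
        if check_entry(entry, word):
            return word
    return None


def guesses_per_second(alg: str, rounds: int, budget: float = 0.25) -> float:
    """Rough guess throughput for one scheme, so that md5 / sha1 / sha256 at
    one round can be compared with an iterated scheme. The digest function
    changes the number by a small factor; the round count changes it by
    orders of magnitude, which is what an offline guesser actually faces."""
    salt = b"\x00" * 8
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < budget:
        make_entry("guess", salt, alg, rounds)
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed sample: one password, two random salts, three digests.
    pw = "correct horse battery"
    s1, s2 = os.urandom(8), os.urandom(8)
    for alg in ("md5", "sha1", "sha256"):
        e1, e2 = make_entry(pw, s1, alg), make_entry(pw, s2, alg)
        print(alg, "same password, different salts, entries differ:", e1 != e2)
        print(alg, "guesses/s at 1 round: %.0f" % guesses_per_second(alg, 1))
    print("sha256 guesses/s at 5000 rounds: %.0f" % guesses_per_second("sha256", 5000))
    # Constructed wordlist; the audit finds the weak entry regardless of digest.
    common = ["password", "123456", "letmein", "qwerty"]
    print("weak entry audit:", weak_password_audit(make_entry("letmein", s1, "sha256"), common))
```

The throughput numbers will vary by machine, but the ratio between the one-round schemes stays small while the iterated scheme is slower by roughly its round count; that gap, not the md5-versus-sha1 choice, is what raises the cost of the offline guessing attack the reply identifies as the real threat.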