[Dshield] Crypto Question
Micheal Patterson
micheal at spmedicalgroup.com
Wed Mar 4 06:03:19 GMT 2009
----- Original Message -----
From: "Jon Kibler" <Jon.Kibler at aset.com>
To: "General DShield Discussion List" <list at lists.sans.org>
Sent: Tuesday, March 03, 2009 7:10 PM
Subject: [Dshield] Crypto Question
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> Is there a good crypto mailing list for "manager" level questions? The
> Security Focus crypto list appears to be dead. Where would be a more
> appropriate place to ask the following question?
>
> I am having a surreal conversation with a client's auditors regarding
> MD5, and I need some advice about the issue. I understand the basic
> issues with MD5, but I am having a hard time conveying the issue to the
> client in a way that moves the discussion of the issue forward.
>
> It all started with a clueless regulatory auditor finding that the
> client's Linux servers used MD5 password hashes. The auditor told the
> client that regulations prohibit the use of MD5 and that they had to use
> at least SHA-1 hashes.
>
> I explained to the client that SHA-1 was not an option. They could have
> DES, which was highly insecure, or they could have the Linux standard
> MD5, which was highly secure (assuming reasonable passwords), or they
> could have BlowFish, which would cost them a lot of money to implement
> and would give them a ridiculous degree of password security.
>
> They contacted the auditors, whose response was "MD5 cannot be used
> because MD5 is broken, and BlowFish is not a recognized standard so it
> cannot be used. Since DES is a standard and it is not broken that is
> what you must use."
>
> I tried to argue that was an asinine answer (but using more polite
> phrasing), and got nowhere. I then tried some different tactics:
>
> Comment: The issue with MD5 was not with password hashing, rather it
> was with MACs, and the issue was essentially irrelevant for password
> hashing.
> Response: Any and all uses of MD5 are prohibited.
>
> Q: If MD5 is broken, why do you allow it for IPSec?
> A: IPSec is not an MD5 algorithm.
>
> Q: If MD5 is broken, why do you allow it in the VoIP phones for SIP?
> A: SIP is not MD5.
>
> Q: Your standard says that SSL 2.x and SSL 3.x are allowable protocols
> (but TLS is not!), and both use MD5, so why is SSL allowed?
> A: As long as the SSL certificates are not MD5, there is no use of MD5
> by SSL.
>
> Clearly, the auditors and/or regulators are clueless. If I can't win
> this war, how can I at least bring this to a reasonable conclusion where
> my customer has decent strength password hashing?
>
> What would be a better list to ask this question on?
>
> THANKS!
>
> Jon K.
> - --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC USA
> o: 843-849-8214
> c: 843-224-2494
> s: 843-564-4224
> http://www.linkedin.com/in/jonrkibler
>
While this may or may not be helpful, DES was broken in 22 hours by EFF and
Distributed.net back in 1999 as indicated at
http://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19990119_deschallenge3.html
NIST indicates that MD5 was broken in 2004 and SHA-1 in 2005 in their
document available at
http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2005-12/B_Burr-Dec2005-ISPAB.pdf
Quoted from the PDF:
"Only two in wide use in US today
-MD5
.Invented by Ron Rivest circa 1992
.128-bit hash
."Almost broken" by Hans Dobbertin circa 1995
.Fully broken by collision attack Wang et al. 2004
-SHA-1
.Developed by NSA circa 1995
."Apparently minor" revision of SHA-0
.160-bit hash
.Broken Feb. 2005 by Xiaouyan Wang"
--
Micheal Patterson
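The thread turns on which crypt(3) scheme the client's Linux boxes actually use (13-character DES, "$1$" MD5-crypt, or "$2a$" Blowfish/bcrypt). The following is an added example, not code from either message in this thread: it identifies the scheme from the hash field of an /etc/shadow entry and re-implements the FreeBSD/glibc MD5-crypt algorithm with hashlib so a stored "$1$" hash can be verified offline. The shadow lines, user names, salts and the DES/bcrypt placeholder strings are constructed for illustration; only their shape matters for the scheme check.

```python
"""Identify crypt(3) hash schemes in /etc/shadow and verify MD5-crypt ($1$) hashes."""
import hashlib
import hmac

# Alphabet used by crypt(3) for salts and for encoding the digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Prefixes used by glibc crypt(3). A 13-character field with no '$' is traditional DES.
SCHEMES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt (Blowfish)",
    "$2b$": "bcrypt (Blowfish)",
    "$2y$": "bcrypt (Blowfish)",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}


def identify_scheme(hash_field: str) -> str:
    """Name the password hashing scheme of one /etc/shadow hash field."""
    if hash_field in ("", "*") or hash_field.startswith("!"):
        return "locked/no password"
    for prefix, name in SCHEMES.items():
        if hash_field.startswith(prefix):
            return name
    if len(hash_field) == 13 and all(c in ITOA64 for c in hash_field):
        return "DES (traditional crypt)"
    return "unknown"


def audit_shadow(lines):
    """Return (user, scheme) for each shadow line, e.g. to find DES/MD5 hashes to migrate."""
    return [(line.split(":")[0], identify_scheme(line.split(":")[1])) for line in lines]


def _to64(value: int, n: int) -> str:
    """crypt(3)'s 6-bit little-endian encoding, n characters."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(n))


def md5crypt(password: str, salt: str) -> str:
    """FreeBSD/glibc MD5-crypt: $1$<salt up to 8 chars>$<22-char encoded digest>."""
    pw = password.encode()
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]   # salt stops at '$' and is at most 8 chars
    sp = salt.encode()

    ctx = hashlib.md5(pw + b"$1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    for pl in range(len(pw), 0, -16):        # as many bytes of md5(pw+salt+pw) as pw is long
        ctx.update(alt[: min(pl, 16)])
    i = len(pw)
    while i:                                  # one NUL or pw[0] per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                     # the fixed 1000-round stretching loop
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    # The digest bytes are interleaved before encoding, exactly as crypt-md5.c does.
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    encoded += _to64(final[11], 2)
    return "$1$" + salt + "$" + encoded


def verify_md5crypt(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate password against a stored $1$ hash."""
    if not stored.startswith("$1$"):
        return False
    return hmac.compare_digest(md5crypt(password, stored), stored)


# Constructed sample shadow entries (hypothetical users; DES and bcrypt fields are placeholders).
SAMPLE_SHADOW = [
    "desuser:abJnggxhB/yWI:14000:0:99999:7:::",
    "md5user:" + md5crypt("correct horse", "$1$Qd7kSx1T$") + ":14000:0:99999:7:::",
    "bfuser:$2a$10$" + "N9qo8uLOickgx2ZMRZoMye" + "IjZAgcfl7p92ldGxad68LJZdL17lhWy:14000:0:99999:7:::",
    "nologin:!:14000:0:99999:7:::",
]

if __name__ == "__main__":
    for user, scheme in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:10s} {scheme}")
```

`audit_shadow` is the piece an auditor conversation actually needs: it shows, per account, whether a host is still on DES or MD5-crypt rather than arguing about MD5 in the abstract. `md5crypt` follows the original crypt-md5.c step for step, including the 8-character salt limit and the byte interleaving before encoding, so its output can be compared against a real /etc/shadow entry generated by the system's own crypt(3).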