[Dshield] Crypto Question

Frank Knobbe frank at knobbe.us
Wed Mar 4 03:31:28 GMT 2009


On Tue, 2009-03-03 at 20:10 -0500, Jon Kibler wrote:
> Is there a good crypto mailing list for "manager" level questions? The
> Security Focus crypto list appears to be dead. Where would be a more
> appropriate place to ask the following question?

Jon,

Have you done a Google search? The Cryptography mail list at metzdowd.com
is the first on the page. A very good list with high caliber
subscribers.

> It all started with a clueless regulatory auditor finding that the
> client's Linux servers used MD5 password hashes. The auditor told the
> client that regulations prohibit the use of MD5 and that they had to use
> at least SHA-1 hashes.

I'm not sure what regulation you are referring to, but that argument
sounds a bit suspicious.

Yes, MD5 has been broken such that you can calculate collisions
relatively easily and quickly. MD5 is certainly not recommended for
signing purposes. Anything with a known plain text, be it a file or
an SSL certificate, should not be signed with MD5.

But for passwords, MD5 is still usable. First off, you don't know the
plain text (that's what you want), so you have to start a brute-force
attack. Account lock-out settings will certainly prevent an extensive
brute force search. Second, assuming you have no lockout, then
either the password or the collision is found to allow access. Big deal,
it still takes quite a bit of brute forcing to get those. I believe for
password hashing, MD5 is still acceptable.

> I explained to the client that SHA-1 was not an option. They could have
> DES, which was highly insecure, or they could have the Linux standard
> MD5, which was highly secure (assuming reasonable passwords), or they
> could have BlowFish, which would cost them a lot of money to implement
> and would give them a ridiculous degree of password security.

Why would Blowfish cost a lot to implement? Can Linux not be configured
(through auth.conf) to use Blowfish or SHA-1? I'm using Blowfish for my
passwords on BSD....

> They contacted the auditors, whose response was "MD5 cannot be used
> because MD5 is broken, and BlowFish is not a recognized standard so it
> cannot be used. Since DES is a standard and it is not broken that is
> what you must use."

Well, those auditors need to be fired. DES is an encryption algo, not a
hashing algo, though it can be used for that. So, collisions may not
apply. But DES is certainly as easy if not easier to brute-force than
MD5 (assuming Triple here).

>   Comment: The issue with MD5 was not with password hashing, rather it
> was with MACs, and the issue was essentially irrelevant for password
> hashing.

But you said above "auditor finding that the client's Linux
servers used MD5 password hashes". Is it in relation to passwords or
not? For MACs I agree, I wouldn't use MD5.

>   Response: Any and all uses of MD5 are prohibited.
> 
>   Q: If MD5 is broken, why do you allow it for IPSec?
>   A: IPSec is not an MD5 algorithm.

Was that their answer? Wow... IPSec is not an algorithm??  lol

> Clearly, the auditors and/or regulators are clueless. If I can't win
> this war, how can I at least bring this to a reasonable conclusion where
> my customer has decent strength password hashing?

I don't think you can convince them one way or another. Sounds like they
got their heads so far up their.... I mean, in the sand, that any sane
argument you're going to bring forward won't make a difference.

I certainly would recommend to your client to hire different auditors.
Money talks.

> What would be a better list to ask this question on?

See above. The cryptography mail list at metzdowd.com. Send an email to
majordomo at metzdowd.com for commands.


Cheers,
Frank
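
An added example, not part of the original message or of any software named in the thread: a small Python check that reports which crypt(3) scheme each account in a shadow-format file uses, which is the fact the auditor's finding turns on. The `$5$`/`$6$` SHA-crypt identifiers go beyond the schemes named in the thread, and the sample entries are constructed placeholders, not real hashes.

```python
import re

# crypt(3) identifiers found in the second field of an /etc/shadow entry.
SCHEMES = [
    (re.compile(r"^\$1\$"), "md5crypt"),
    (re.compile(r"^\$2[abxy]?\$"), "bcrypt (Blowfish)"),
    (re.compile(r"^\$5\$"), "sha256crypt"),
    (re.compile(r"^\$6\$"), "sha512crypt"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "traditional DES"),
]

def classify(field):
    """Name the hashing scheme of one shadow password field."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"  # account locked or no password login
    for pattern, name in SCHEMES:
        if pattern.match(field):
            return name
    return "unknown"

def audit(shadow_text):
    """Map each account in shadow-format text to its scheme."""
    result = {}
    for line in shadow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue  # malformed entry, skip it
        result[parts[0]] = classify(parts[1])
    return result

# Constructed sample entries: hash bodies are placeholders, not real hashes.
SAMPLE = "\n".join([
    "root:$1$CONSTRUC$" + "x" * 22 + ":14300:0:99999:7:::",
    "legacy:ab" + "X" * 11 + ":14300:0:99999:7:::",
    "alice:$2a$10$" + "x" * 53 + ":14300:0:99999:7:::",
    "bob:$6$CONSTRUC$" + "x" * 86 + ":14300:0:99999:7:::",
    "daemon:*:14300:0:99999:7:::",
])

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE).items():
        print(f"{user:8} {scheme}")
```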



