[Dshield] Crypto Question

Frank Knobbe frank at knobbe.us
Wed Mar 4 14:59:45 GMT 2009


On Wed, 2009-03-04 at 08:45 +0100, Stephane Grobety wrote:
> FK> But for passwords, MD5 is still usable. First off, you don't know the
> FK> plain text (that's what you want),
> 
> No, that's not what you want. What you want is an input to the
> password prompt that will generate the same password hash and that's
> called a collision.

Yup, good catch. The plain text, or any of its collisions that generate
the same hash.

> FK> so you have to start a brute-force
> FK> attack.
> 
> No you don't. This attack is an off-line attack against the password
> hash file, not an on-line attack against the prompt.

Of course you do! You don't reverse the password hash. You have to
calculate inputs and see if they match (or check the hash against a
pre-computed hash table), but you still have to search the whole key
space.

But you're right. My argument about account lock-out is void when
considering an offline attack. Of course, if the hashes are available,
I'd consider the system already compromised.

> FK> I believe for
> FK> password hashing, MD5 is still acceptable.
> 
> I believe you're wrong for the reason listed above. Or at least, the
> level of security MD5-hashed passwords provide against an off-line
> attack is severely lowered.

But other hashing algos aren't any better considering offline attacks
against (unsalted) hashes. You can precompute your SHA-1 of BF hashes
(unsalted), and find those passwords just as easily.


The issue here was the "broken" algorithm though, not how well hashes
stand up to offline attacks. By broken meaning it's been demonstrated to
calculate collisions in a reasonable amount of time. They may save you a
bit of time if you come across the collisions first instead of the real
password during an offline attack, but again you'll find the password
eventually.

The bigger risk with MD5 is to covertly sneak in changes in plaintext
and have them still be valid with the same signature. That's the real
problem with MD5, not how much faster you can find a password in an
offline attack against a password database.


Cheers,
Frank
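
Added example, not part of the original message: a Python sketch of the point about unsalted hashes, showing that one precomputed table serves equally well against unsalted MD5 and SHA-1 stores, while a per-user salt with an iterated KDF gives every account a distinct stored value. The candidate list, account names and the choice of PBKDF2-HMAC-SHA256 with 100,000 iterations are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny candidate list and two accounts sharing a password.
CANDIDATES = ["letmein", "password1", "correct horse", "dshield2009"]
ACCOUNTS = {"alice": "password1", "bob": "password1"}


def unsalted(algo, password):
    """Hex digest of the bare password, as an unsalted store would keep it."""
    return hashlib.new(algo, password.encode()).hexdigest()


def build_table(algo):
    """Precompute digest -> candidate once; valid for every unsalted store."""
    return {unsalted(algo, c): c for c in CANDIDATES}


def recovered_by_table(algo):
    """Look each stored unsalted digest up in the precomputed table."""
    table = build_table(algo)
    return {user: table.get(unsalted(algo, pw)) for user, pw in ACCOUNTS.items()}


def salted_record(password, iterations=100_000):
    """Store (salt, iterations, digest) with a fresh random salt per account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def salted_store():
    return {user: salted_record(pw) for user, pw in ACCOUNTS.items()}


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, recovered_by_table(algo))
    store = salted_store()
    print("alice and bob share a stored value:", store["alice"][2] == store["bob"][2])
```
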



