[Dshield] Crypto Question

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Fri Mar 6 19:11:31 GMT 2009


On Thu, 05 Mar 2009 20:03:40 EST, Jon Kibler said:

> Can someone please explain how MD5 is more than a trivial risk for
> password hashes? I would have to think that the risk from lame user
> password choices, choices that increased susceptibility to dictionary or
> pattern attacks, would be a far greater risk.

At the current time, it's not, actually.  Lame users are a *much* bigger
danger.

What *IS* known is how to generate two bitstreams that have the same MD5 hash,
except you don't have any real control over what the two bitstreams end up
being, or what the hash is - just that you get two different ones, each with a
different pile of pseudo-random bits someplace.  This is very handy if you can
get somebody to accept *one* of the bitstreams (for a certificate or similar) -
then you can substitute the other bitstream and they can't detect the swap.

What is *NOT* known (currently) is how to generate a bitstream that has a
*given* MD5 hash - which is what's needed for breaking a password hash.  And
yes, there's a *very* high probability that you'd get non-ASCII chars in a
collided password (in fact, for even an 8-char password, there is only a 0.03%
chance that it would be 8 ASCII chars (it's (96/256)**8 if you're curious)).

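The two points above, as an added example that is not part of Valdis's message: the (96/256)**8 figure computed and checked by sampling, and a plain guess-and-hash dictionary attack on unsalted digests, which is the attack that actually recovers weak passwords and needs no flaw in MD5. Assumptions made here: the 96 "ASCII" byte values are taken to be 0x20..0x7F, the wordlist is constructed for the demo, and the attack is also run against SHA-256 (going beyond the post) to show that swapping the hash function does nothing about lame user choices.

```python
import hashlib
import random

# The post's figure: 96 of the 256 possible byte values count as ASCII text.
# Assumption made here: those are bytes 0x20..0x7F inclusive (96 values).
PRINTABLE_LO, PRINTABLE_HI = 0x20, 0x7F
PRINTABLE_COUNT = PRINTABLE_HI - PRINTABLE_LO + 1  # 96


def all_ascii_probability(n_bytes: int) -> float:
    """Probability that n uniformly random bytes are all in the ASCII range:
    (96/256)**n, i.e. the post's 0.03% (really ~0.039%) for n == 8."""
    return (PRINTABLE_COUNT / 256) ** n_bytes


def is_all_ascii(data: bytes) -> bool:
    """True if every byte lies in the assumed printable range."""
    return all(PRINTABLE_LO <= b <= PRINTABLE_HI for b in data)


def ascii_fraction_by_sampling(n_bytes: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of all_ascii_probability: draw random byte strings
    (a stand-in for the uncontrolled bits a hypothetical preimage attack would
    hand back) and count how many happen to be pure ASCII."""
    rng = random.Random(seed)
    hits = sum(
        1 for _ in range(trials)
        if is_all_ascii(bytes(rng.randrange(256) for _ in range(n_bytes)))
    )
    return hits / trials


def hex_digest(password: str, algorithm: str = "md5") -> str:
    """Unsalted hash of a password, as a naive password store would keep it."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


# Constructed wordlist for the demonstration; not taken from any real breach.
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1", "Password1"]


def dictionary_attack(target_hex: str, wordlist, algorithm: str = "md5"):
    """Guess-and-hash attack on an unsalted digest.  It relies on no weakness
    in the hash function: it succeeds whenever the user's choice is in the
    list and fails otherwise, whether the digest is MD5 or anything else."""
    for candidate in wordlist:
        if hex_digest(candidate, algorithm) == target_hex:
            return candidate
    return None


if __name__ == "__main__":
    p = all_ascii_probability(8)
    print(f"P(8 random bytes are all ASCII) = {p:.6f} ({p * 100:.3f}%)")
    print(f"sampled (n=2): {ascii_fraction_by_sampling(2, 20000):.4f} "
          f"vs exact {all_ascii_probability(2):.4f}")
    for algo in ("md5", "sha256"):
        weak = hex_digest("letmein", algo)
        strong = hex_digest("c0rrect-H0rse-battery", algo)
        print(algo, "weak pick recovered:", dictionary_attack(weak, WORDLIST, algo))
        print(algo, "strong pick recovered:", dictionary_attack(strong, WORDLIST, algo))
```

Running it shows the weak choice falling to the wordlist under both MD5 and SHA-256 and the strong one surviving under both: the hash algorithm never enters into it, which is exactly why the user's password choice, not MD5's collision weakness, is the risk that matters for a password store.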