[news.sysadmin] Improving crypt

rang@cpsin3.cps.msu.edu (Anton Rang) (11/10/88)

I noticed the suggestion a while ago that crypt() should make more
passes of DES encryption than it currently does.  It seems to me that
there is a point where nothing is gained: going from a 64-bit password
to an 88-bit encrypted form, is any more security gained by going over
the process again and again?
  Am I missing something here?  Why couldn't, say, 1000 passes of DES
just be translated into one pass of some other algorithm?  Or is the
point just that it's slower when doing the regular algorithm?

+---------------------------+------------------------+----------------------+
| Anton Rang (grad student) | "UNIX: Just Say No!"   | "Do worry...be SAD!" |
| Michigan State University | rang@cpswh.cps.msu.edu |                      |
+---------------------------+------------------------+----------------------+

dlm@cuuxb.ATT.COM (Dennis L. Mumaugh) (11/11/88)

In article <1038@cps3xx.UUCP> rang@cpswh.cps.msu.edu (Anton Rang) writes:
>I noticed the suggestion a while ago that crypt() should make more
>passes of DES encryption than it currently does.  It seems to me that
>there is a point where nothing is gained: going from a 64-bit password
>to an 88-bit encrypted form, is any more security gained by going over
>the process again and again?
>  Am I missing something here?  Why couldn't, say, 1000 passes of DES
>just be translated into one pass of some other algorithm?  Or is the
>point just that it's slower when doing the regular algorithm?
>
I suggest you get a copy of the following and read it:

    %T Password Security:  A Case History 
    %A Robert Morris 
    %A Ken Thompson  
    %J Communications of the ACM 
    %D Nov. 1979 
    %V 22
    %N 11 
    %P 594-597  
    %X The same paper also appeared as one of the auxiliary
    documents distributed with Version 7 UNIX, and redistributed
    by Berkeley with their systems.  Folks interested in cracking
    the UNIX password scheme should read this.  Those who haven't
    yet read this paper may be surprised to learn that matching
    the password file against the dictionary isn't a new idea; it
    had appeared previously in what is quaintly called ``the
    literature''.

The reason for the many passes for re-encryption is to take time.
There is no such thing as a secure encryption system.  Only one
that is prohibitively expensive to crack. [ Aside - for enough
money one can bribe the proper people. ] Crypto systems are rated
in work factors -- how long will it take X to break it using Y
technology. [for X use method and Y use technology => e.g. Cray II
].

Thus the intent was to slow down the encryption so that a machine
trying to guess passwords would take Z seconds per password.  But
clever people can analyze the algorithm and pre-compute a lot of
the calculations and reduce the time.  Hence the difference
between a machine built for cracking a password and a worm trying
ad hoc methods.
-- 
=Dennis L. Mumaugh
 Lisle, IL       ...!{att,lll-crg}!cuuxb!dlm  OR cuuxb!dlm@arpa.att.com
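
The work-factor argument in the reply above, as an added example that is not part of the original thread: it measures how the cost of one password guess, and so of a whole word list, grows with the number of passes, while a legitimate login pays that cost only once. PBKDF2-HMAC-SHA256 stands in for crypt()'s repeated DES; the function names, salt, pass counts and word-list size are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

def hash_password(password: str, salt: bytes, passes: int) -> bytes:
    # PBKDF2-HMAC-SHA256 is a stand-in here for crypt()'s repeated DES passes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, passes)

def verify(password: str, salt: bytes, passes: int, stored: bytes) -> bool:
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(hash_password(password, salt, passes), stored)

def seconds_per_guess(passes: int, trials: int = 3) -> float:
    # Best-of-N wall-clock cost of one hash, i.e. of one password guess.
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        hash_password("constructed-guess", b"constructed-salt", passes)
        best = min(best, time.perf_counter() - start)
    return best

def dictionary_days(words: int, secs_per_guess: float) -> float:
    # Work factor: time to try every word in a list against one stored hash.
    return words * secs_per_guess / 86400

if __name__ == "__main__":
    # Constructed sample run: same word list, three different pass counts.
    for passes in (1, 1_000, 100_000):
        cost = seconds_per_guess(passes)
        print(f"{passes:>7} passes: {cost * 1000:9.3f} ms per guess, "
              f"{dictionary_days(250_000, cost):8.3f} days for a 250,000-word list")
```

The per-guess figure is for this implementation on this machine; an optimized or purpose-built implementation lowers it, which is the gap the reply describes.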