rang@cpsin3.cps.msu.edu (Anton Rang) (11/10/88)
I noticed the suggestion a while ago that crypt() should make more
passes of DES encryption than it currently does. It seems to me that
there is a point where nothing is gained: going from a 64-bit password
to an 88-bit encrypted form, is any more security gained by going over
the process again and again?

Am I missing something here? Why couldn't, say, 1000 passes of DES
just be translated into one pass of some other algorithm? Or is the
point just that it's slower when doing the regular algorithm?

+---------------------------+------------------------+----------------------+
| Anton Rang (grad student) | "UNIX: Just Say No!"   | "Do worry...be SAD!" |
| Michigan State University | rang@cpswh.cps.msu.edu |                      |
+---------------------------+------------------------+----------------------+

dlm@cuuxb.ATT.COM (Dennis L. Mumaugh) (11/11/88)
In article <1038@cps3xx.UUCP> rang@cpswh.cps.msu.edu (Anton Rang) writes:
>I noticed the suggestion a while ago that crypt() should make more
>passes of DES encryption than it currently does. It seems to me that
>there is a point where nothing is gained: going from a 64-bit password
>to an 88-bit encrypted form, is any more security gained by going over
>the process again and again?
> Am I missing something here? Why couldn't, say, 1000 passes of DES
>just be translated into one pass of some other algorithm? Or is the
>point just that it's slower when doing the regular algorithm?
>

I suggest you get a copy of the following and read it:

%T Password Security: A Case History
%A Robert Morris
%A Ken Thompson
%J Communications of the ACM
%D Nov. 1979
%V 22
%N 11
%P 594-597
%X The same paper also appeared as one of the auxiliary documents
distributed with Version 7 UNIX, and redistributed by Berkeley with
their systems. Folks interested in cracking the UNIX password scheme
should read this. Those who haven't yet read this paper may be
surprised to learn that matching the password file against the
dictionary isn't a new idea; it had appeared previously in what is
quaintly called ``the literature''.

The reason for the many passes for re-encryption is to take time.
There is no such thing as a secure encryption system. Only one that
is prohibitively expensive to crack. [ Aside - for enough money one
can bribe the proper people. ]

Crypto systems are rated in work factors -- how long will it take X
to break it using Y technology. [for X use method and Y use
technology => e.g. Cray II ].

Thus the intent was to slow down the encryption so that a machine
trying to guess passwords would take Z seconds per password. But
clever people can analyze the algorithm and pre-compute a lot of the
calculations and reduce the time. Hence the difference between a
machine built for cracking a password and a worm trying ad hoc
methods.
--
=Dennis L. Mumaugh
 Lisle, IL       ...!{att,lll-crg}!cuuxb!dlm  OR cuuxb!dlm@arpa.att.com
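
The work-factor argument in the reply above, as an added example that is not part of the original thread: it counts how many primitive operations one legitimate login costs versus how many a dictionary check costs as the pass count grows. HMAC-SHA-256 is an assumed stand-in for one DES pass, and the candidate list, secret, and pass counts are constructed sample values.

```python
import hashlib
import hmac

def stretch(password: bytes, passes: int):
    """Return (digest, primitive_calls) after `passes` chained passes.

    The password acts as the key and each pass re-processes the previous
    output, mirroring the repeated-encryption structure discussed in the
    thread. HMAC-SHA-256 is an assumed stand-in for one DES pass.
    """
    block = bytes(32)  # constant starting block
    for _ in range(passes):
        block = hmac.new(password, block, hashlib.sha256).digest()
    return block, passes

def guessing_cost(stored: bytes, candidates, passes: int):
    """Count primitive calls spent testing candidates against `stored`.

    Returns (matching_candidate_or_None, total_primitive_calls).
    """
    calls = 0
    for word in candidates:
        digest, used = stretch(word, passes)
        calls += used
        if hmac.compare_digest(digest, stored):
            return word, calls
    return None, calls

# Constructed sample data: a weak password and a tiny candidate list.
CANDIDATES = [b"alpha", b"bravo", b"charlie", b"delta"]
SECRET = b"charlie"

def compare(pass_counts=(1, 25, 1000)):
    """Map each pass count to (one_login_cost, cost_to_find_SECRET)."""
    result = {}
    for n in pass_counts:
        stored, login_cost = stretch(SECRET, n)
        _, guess_cost = guessing_cost(stored, CANDIDATES, n)
        result[n] = (login_cost, guess_cost)
    return result

if __name__ == "__main__":
    for n, (login, guess) in compare().items():
        print(f"{n:5d} passes: login = {login} calls, guessing = {guess} calls")
```

Both costs grow by the same factor, but the login pays it once while the guesser pays it once per candidate, which is the "Z seconds per password" effect described in the reply.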