On Thu, 11 Oct 2007, james hughes wrote:

> I forgot to add the links...
> http://people.redhat.com/drepper/sha-crypt.html
> http://people.redhat.com/drepper/SHA-crypt.txt
>
> On Oct 11, 2007, at 10:19 PM, james hughes wrote:
>
> > A proposal for a new password hashing based on SHA-256 or SHA-512 has been
> > proposed by RedHat but to my knowledge has not had any rigorous analysis.
> > The motivation for this is to replace MD-5 based password hashing at banks
> > where MD-5 is on the list of "do not use" algorithms. I would prefer not to
> > have the discussion "MD-5 is good enough for this algorithm" since it is not
> > an argument that the customers requesting these changes are going to accept.
Some comments:

* Use of an off-the-shelf algorithm like SHA1 might be nice for "tick here for FIPS certification", but it renders the hashing scheme more vulnerable to dictionary attacks assisted by (near-)commodity hardware. Contrast with OpenBSD's blowfish scheme, which is deliberately designed to not be implementable using off-the-shelf crypto accelerator chips.

* Hideously obfuscated and overcomplicated. Comments like those on step 11 of the algorithm (some mumbo jumbo about a completely deterministic step "adding randomness") and the absence of any rationale for the complexity seem to indicate that they believe a complicated design will somehow thwart attacks by itself.

* Why specify the number of rounds directly? Most password and KDF schemes use an exponential scheme to match Moore's law.

-d

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
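As an added example that is not part of the thread or of the SHA-crypt document: a small audit of stored crypt(3) hashes that parses the `$<id>$rounds=<N>$<salt>$<hash>` layout the linked SHA-crypt text specifies (id 5 for SHA-256, 6 for SHA-512, 5000 rounds when `rounds=` is absent) alongside MD5-crypt (`$1$`) and bcrypt (`$2a$`) strings, and reports MD5 entries and low work factors. The policy minimums and the sample shadow lines are constructed for the example.

```python
import re

# Added example (not from the thread or the SHA-crypt text); policy minimums are assumptions.
MIN_SHA_CRYPT_ROUNDS, MIN_BCRYPT_COST = 100_000, 10
SHA_CRYPT_DEFAULT_ROUNDS = 5000   # per the SHA-crypt text when the rounds= field is absent
B64 = r"[./0-9A-Za-z]"            # crypt(3) alphabet used for salt and hash fields

# "$<id>$[rounds=<N>$]<salt>$<hash>" from the SHA-crypt text (id 5 = SHA-256, 6 = SHA-512)
SHA_CRYPT_RE = re.compile(rf"^\$(?P<id>[56])\$(?:rounds=(?P<rounds>\d+)\$)?"
                          rf"(?P<salt>{B64}{{1,16}})\$(?P<hash>{B64}+)$")
MD5_CRYPT_RE = re.compile(rf"^\$1\$(?P<salt>{B64}{{1,8}})\$(?P<hash>{B64}{{22}})$")
BCRYPT_RE = re.compile(rf"^\$2[abxy]\$(?P<cost>\d\d)\$(?P<body>{B64}{{53}})$")

def classify(hash_string):
    """Return (scheme, work_factor, finding), finding None when acceptable; work_factor is
    SHA-crypt's linear round count, 2**cost for bcrypt (a log2 exponent), 1000 for MD5-crypt."""
    m = SHA_CRYPT_RE.match(hash_string)
    if m:
        scheme = "sha256-crypt" if m.group("id") == "5" else "sha512-crypt"
        rounds = int(m.group("rounds") or SHA_CRYPT_DEFAULT_ROUNDS)
        low = rounds < MIN_SHA_CRYPT_ROUNDS
        return scheme, rounds, f"rounds={rounds} below policy minimum" if low else None
    m = BCRYPT_RE.match(hash_string)
    if m:
        cost = int(m.group("cost"))
        low = cost < MIN_BCRYPT_COST
        return "bcrypt", 2 ** cost, f"cost={cost} below policy minimum" if low else None
    if MD5_CRYPT_RE.match(hash_string):
        return "md5-crypt", 1000, "MD5-based scheme; migrate to a current algorithm"
    return "unknown", 0, "unrecognised hash format"

def audit(shadow_text):
    """Return (user, scheme, work_factor, finding) for shadow entries that need attention."""
    flagged = []
    for line in shadow_text.splitlines():
        user, hash_field = (line.split(":") + [""])[:2]
        if not hash_field or hash_field[0] in "*!":
            continue  # locked or passwordless account: nothing to assess
        scheme, work, finding = classify(hash_field)
        if finding:
            flagged.append((user, scheme, work, finding))
    return flagged

# Constructed shadow-style lines; the hash bodies are placeholders, not real digests.
SAMPLE_SHADOW = "\n".join([
    "alice:$6$rounds=656000$abcdefghijklmnop$" + "A" * 86 + ":19000:0:99999:7:::",
    "bob:$6$saltstring$" + "B" * 86 + ":19000:0:99999:7:::",   # implicit 5000 rounds
    "carol:$1$abcdefgh$" + "C" * 22 + ":19000:0:99999:7:::",   # MD5-crypt
    "dave:$2a$05$" + "D" * 53 + ":19000:0:99999:7:::",         # bcrypt cost 5
    "svc:*:19000:0:99999:7:::",
])
```

Calling audit(SAMPLE_SHADOW) flags bob (default 5000 rounds), carol (MD5-crypt) and dave (bcrypt cost 5), while alice passes and the locked svc account is skipped.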
