RE: SHA-1 vs. triple-DES for password encryption?

From: Oscar Batyrbaev (batyr@ix.netcom.com)
Date: 11/10/02


From: "Oscar Batyrbaev" <batyr@ix.netcom.com>
To: <CraigSecurity@blazemail.com>, <secprog@securityfocus.com>
Date: Sun, 10 Nov 2002 08:46:51 -0800

Craig, cc List:

Just a few short answers/suggestions:
1. Truncating to 8 bytes will increase the hazard from the "birthday" paradox;
thus the risk is not 2^64 as was suggested earlier but about 2^32 that the
birthday attack succeeds with probability 0.5 or 50%. The risk is too high even
when you deal with passwords.

2. Why not use MD5? It is significantly faster (about 5 times) than SHA-1 and the
"attacks" on it are very highly theoretical and basically of no practical
significance (yet). Cryptographers call an attack something that would work on say
2 rounds of MD5 or its compress function or if they swap the magic constants of
the IV, etc. There is no full pre-image or 2nd pre-image or collision attack on
full MD5. We work with this type of research every day.
That way you also just have to store one hashed password like two: - 16 bytes;
saves you 4 bytes :). Also Rivest designed MD5 to be significantly more secure
than its precursor MD4. Under the hood, SHA-1 is actually from the same family of
the hash algorithms as MD5 and MD4.
It is often the folk who get on a soapbox without full understanding of what
theoretical cryptographers call an "attack" create FUD on this issue. Or some
researchers who have a vested interest in promoting their own hash algorithms (non
MDx/SHAx family).

IMHO, risks with MD5 (especially since you are not dealing with an appendix to a
digital signature that needs to be stored for a very long time but with passwords
that are (supposed) to be changed and suffer from dictionary attacks to begin with)
are acceptable and manageable from the description of the problem.

Please feel free to comment.
Regards,

Oscar Batyrbaev
CTO B3 Security Corporation
Tel. (408) 615-7433
Fax: (603) 649-6498
email: batyr@ix.netcom.com
email 2: oscar@b3security.com
1200 Ranchero Way, Suite 18, San Jose, CA, 95117

B3 Security Corporation Confidential

> -----Original Message-----
> From: Craig Minton [mailto:CraigSecurity@blazemail.com]
> Sent: Tuesday, November 05, 2002 1:01 PM
> To: secprog@securityfocus.com
> Subject: SHA-1 vs. triple-DES for password encryption?
>
>
> We are considering changing our password storage from a home-grown
> algorithm to a standard. We are mainframe based and only have
> triple-DES and SHA-1 algorithms available. However, we have many questions
> about the best way to proceed. We are leaning towards using SHA-1 for
> a few reasons. The password being "encrypted" using SHA-1 never
> need be retrieved, just verified. Indeed, the password should not be
> retrievable. By not using triple-DES there is no need to secure a key
> used to encrypt them. Also, with triple-DES, if someone was to obtain
> the key, by whatever means, retrieving all of the passwords would be
> trivial. The downside to SHA-1 is that we would have to increase our
> storage requirements for the encrypted portion from 8 bytes to 20 bytes.
>
> Is there anything inherently wrong with using SHA-1 to hash passwords
> for verification?
>
> Is there a benefit to using triple-DES instead?
>
> Is SHA-1 any more susceptible to attack, brute-force or
> crypto-analytic, than triple-DES? My 2nd edition copy of Applied
> Cryptography states that there is no known crypto-analytic attack known
> for SHA-1, but that book is now several years old.
>
> It was suggested to use SHA-1 and then remove all of the bytes from the
> hash except for 8 bytes (truncated from the beginning, end, or
> somewhere in between) and store this, thus not increasing storage
> requirements. Would this compromise the algorithm? How much would it
> increase the chance that two passwords then had the same truncated hash?
>
> I look forward to any insights you can provide and will be glad to
> answer additional questions where possible.
>
> Craig
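
Added example (not part of the original e-mails): the birthday estimate discussed in this thread for an 8-byte truncation of SHA-1, computed with the standard approximation, followed by a collision search on a 3-byte truncation that is small enough to run in seconds. The function names and the `pw-N` inputs are constructed for illustration.

```python
import hashlib
import math


def collision_probability(n_items: int, bits: int) -> float:
    """Chance that at least two of n_items uniformly random bits-bit
    values coincide, using 1 - exp(-n(n-1) / (2 * 2^bits))."""
    space = 2.0 ** bits
    # expm1 keeps precision when the probability is very small
    return -math.expm1(-n_items * (n_items - 1) / (2.0 * space))


def items_for_probability(p: float, bits: int) -> int:
    """Approximate number of stored values at which the chance of
    any two colliding reaches p."""
    space = 2.0 ** bits
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))


def truncated_sha1(data: bytes, nbytes: int) -> bytes:
    """First nbytes of the 20-byte SHA-1 digest."""
    return hashlib.sha1(data).digest()[:nbytes]


def first_collision(nbytes: int, limit: int = 1_000_000):
    """Hash constructed inputs pw-0, pw-1, ... until two different inputs
    share a truncated digest. Returns (inputs_hashed, first, second)."""
    seen = {}
    for i in range(limit):
        msg = f"pw-{i}".encode()
        tag = truncated_sha1(msg, nbytes)
        if tag in seen:
            return i + 1, seen[tag], msg
        seen[tag] = msg
    return None


if __name__ == "__main__":
    for nbytes in (8, 16, 20):  # truncated SHA-1, MD5-sized, full SHA-1
        n = items_for_probability(0.5, nbytes * 8)
        print(f"{nbytes:2d} bytes: 50% collision chance near 2^{math.log2(n):.1f} values")
    print("P(collision) at 2^32 values, 8 bytes:",
          round(collision_probability(2 ** 32, 64), 3))
    count, a, b = first_collision(3)
    print(f"3-byte truncation: {a!r} and {b!r} collide after {count} inputs "
          f"(estimate for 50%: {items_for_probability(0.5, 24)})")
```

The estimate covers any two stored values colliding with each other, which is the birthday case; matching one specific stored 8-byte value is a separate calculation.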


