Re: Hashed PW's more secure than encrypted PW's?
From: Barry Margolin (barmar@genuity.net)
Date: 06/14/02
From: Barry Margolin <barmar@genuity.net> Date: Fri, 14 Jun 2002 19:26:21 GMT
In article <ufrO8.34200$nZ3.6595@rwcrnsc53>,
sakky <sakhalinrf@hotmail.com> wrote:
>Can anybody explain how is it that hashing is more secure than encrypting?
>The books I've read have stated that the file with those encrypted passwords
>can be decrypted, and I can only assume this would be done via a brute-force
>attack to get the encryption key.
No brute-force would be necessary. It can't be a secret key, because it
has to be the same key all the time in order for password files to be
portable. So it would have to be part of the standard for passwd file
format, and hard-coded into the software used for encrypting passwords.

Asymmetric cryptography would solve this problem to some extent (the
encryption key would be well known, but the decryption key would never be
given out), but it hadn't been invented at the time that Unix password
hashing was developed. It would also allow the person who selected the
common encryption key to decrypt all passwd files in the world; that's
quite a bit of power to put in the hands of one person.

Furthermore, if you did manage to find the key through brute force, you
would only need to do it for one password. Once you accomplished that, you
would be able to decrypt every other password, since they're all encrypted
with the same key.

One-way hashing, on the other hand, solves the problems nicely. There's no
straightforward way to invert it, so the only way to discover the passwords
is by brute force. And each one is independent, so cracking one password
doesn't help you crack any others.
--
Barry Margolin, barmar@genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
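The contrast drawn in the message above, as an added example that is not part of the original post: one password file protected reversibly under a single shared key, and one protected with a salted one-way hash. The HMAC-SHA256 keystream cipher, the PBKDF2 parameters, the account names and the key are all constructed assumptions chosen so the demo runs on the Python standard library.

```python
import hashlib, hmac, os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in reversible cipher (HMAC-SHA256 keystream); encrypt == decrypt."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def hash_pw(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed sample accounts: two weak passwords, one strong.
ACCOUNTS = {"alice": "letmein", "bob": "sunshine", "carol": "v9#Tq!zR4w_Lm2"}
SHARED_KEY = b"key-baked-into-the-software"  # constructed; same for every entry

def build_files():
    """Return (encrypted_file, hashed_file) for the sample accounts."""
    enc, hashed = {}, {}
    for user, pw in ACCOUNTS.items():
        nonce, salt = os.urandom(8), os.urandom(16)
        enc[user] = (nonce, keystream_xor(SHARED_KEY, nonce, pw.encode()))
        hashed[user] = (salt, hash_pw(pw, salt))
    return enc, hashed

def exposed_with_key(enc, key):
    """Whoever holds the one key reads every entry, whatever its strength."""
    return {u: keystream_xor(key, n, c).decode() for u, (n, c) in enc.items()}

def exposed_by_guessing(hashed, wordlist):
    """Hashed entries fall one at a time, and only when a guess matches."""
    found = {}
    for user, (salt, digest) in hashed.items():
        for guess in wordlist:
            if hmac.compare_digest(hash_pw(guess, salt), digest):
                found[user] = guess
                break
    return found

if __name__ == "__main__":
    enc, hashed = build_files()
    print("shared key exposes:", exposed_with_key(enc, SHARED_KEY))
    print("guessing exposes:  ",
          exposed_by_guessing(hashed, ["password", "letmein", "sunshine"]))
```

With the key, all three entries come back, including the strong one; against the hashed file, only the two guessable passwords are found and each had to be matched separately.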