Re: [chrony-dev] Support for another crypto hash?



On 07/11/2011 12:57, Miroslav Lichvar wrote:
> On Sat, Nov 05, 2011 at 04:39:10PM +0000, Ed W wrote:
>> Hi
>>
>>
>>> I couldn't find a specification for the extended format.
>> I think it's RFC2307.  However, I am slightly confused on where it's
>> implemented.  I think glibc only handles the old funny $a2... encodings,
>> however, the format I referred to is widely used elsewhere and
>> integrated into many other applications:
> Thanks. In our case we store the passwords instead of hashes, so we want
> to be able to store also the {} chars. Do you think it's a bad idea to
> just require that all keys with specified hash are in hex? This could
> also make the users set randomly generated passwords and thus avoid
> the problem with dictionary attacks.
>

*IF* the attacker has access to the hashes, then unfortunately
bruteforce attacks are now reasonably feasible against even decent
length passwords that are typable on a normal keyboard.  That was my
point about using a "slower" hash.  It's only a linear improvement in
security, but it probably makes attacks significantly more tricky.

See my previous post about how we can now do perhaps several hundred
million hashes per second on generic hardware. A change in hash can make
this 1-10 hashes per second on hardware that most people have access
to.  If you only store the hash then this is a big improvement in security.

However, you state that you want to store the password?  If so then you
can get security on the wire by not passing the real password across the
wire.  Is this the use case we are talking about?

Sorry, bit confused about where we need a password and where a hash.

Point anyway is that if the hash is leaked then bruteforcing is
extremely feasible unless a "slow" hash is used.  I think that
summarises my side of the topic!

Good luck

Ed W
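The two ideas discussed above (a deliberately slow hash raises the per-guess cost if the stored hashes ever leak, and a hex-only key policy steers users towards randomly generated keys) are demonstrated below in a small Python script. This is an added example, not code from the thread or from chrony; the function names, the PBKDF2 iteration count and the 95-character keyspace are assumptions made for illustration.

```python
"""Added example (not chrony code): cost of guessing against a fast hash versus
a slow, iterated hash, plus a hex-only key policy check.
Function names, parameters and constants here are assumptions for illustration."""
import hashlib
import hmac
import secrets
import string
import time

# Iteration count for the slow hash; an assumed value chosen for illustration.
PBKDF2_ITERATIONS = 200_000


def fast_hash(password: bytes, salt: bytes) -> bytes:
    """One SHA-256 pass: cheap for the verifier and equally cheap for a guesser."""
    return hashlib.sha256(salt + password).digest()


def slow_hash(password: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify(stored: bytes, password: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Constant-time comparison so verification itself leaks no timing signal."""
    return hmac.compare_digest(stored, slow_hash(password, salt, iterations))


def seconds_per_guess(hash_fn, password: bytes, salt: bytes, rounds: int) -> float:
    """Wall-clock cost of one hash evaluation on this machine, averaged over `rounds` calls."""
    start = time.perf_counter()
    for _ in range(rounds):
        hash_fn(password, salt)
    return (time.perf_counter() - start) / rounds


def slowdown_factor(password: bytes = b"correct horse", salt: bytes = b"\x00" * 16) -> float:
    """How many times more expensive one guess becomes when the slow hash is used."""
    slow = seconds_per_guess(slow_hash, password, salt, rounds=3)
    fast = seconds_per_guess(fast_hash, password, salt, rounds=2000)
    return slow / fast


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try every password of `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


def is_hex_key(key: str, min_bytes: int = 16) -> bool:
    """Policy check for 'keys with a specified hash must be hex':
    hex digits only, even length, at least `min_bytes` bytes of key material."""
    if len(key) < 2 * min_bytes or len(key) % 2:
        return False
    return all(c in string.hexdigits for c in key)


def generate_hex_key(nbytes: int = 20) -> str:
    """Random key as hex: satisfies the hex-only policy and is not in any dictionary."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    pw = b"correct horse battery staple"
    stored = slow_hash(pw, salt)
    print("verify correct:", verify(stored, pw, salt), " verify wrong:", verify(stored, b"guess", salt))
    print("slowdown factor on this machine: %.0fx" % slowdown_factor())
    # 95 printable ASCII characters, 8 characters long, at the two rates quoted in the thread
    for rate in (3e8, 10):
        print("95^8 keyspace at %g guesses/s: %.1f years" % (rate, years_to_exhaust(95, 8, rate)))
    key = generate_hex_key()
    print("generated key", key, "passes hex policy:", is_hex_key(key))
    print("'secret' passes hex policy:", is_hex_key("secret"))
```

The measured slowdown factor is the point of the thread in one number: the same brute-force effort that finishes in under a year against a single SHA-256 pass takes orders of magnitude longer against the iterated hash, at no cost to a legitimate verifier that checks one password at a time.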


