1994-07-06 - Secure Drive insecure? NOT

Header Data

From: Mike Ingle <MIKEINGLE@delphi.com>
To: cypherpunks@toad.com
Message Hash: 222b105f3d5998cd95c023e33f6fc2657c859b72ddcf64d5101c7d7b98f61a25
Message ID: <01HEDB6B0KIQ8Y70EA@delphi.com>
Reply To: N/A
UTC Datetime: 1994-07-06 06:11:53 UTC
Raw Date: Tue, 5 Jul 94 23:11:53 PDT

Raw message

From: Mike Ingle <MIKEINGLE@delphi.com>
Date: Tue, 5 Jul 94 23:11:53 PDT
To: cypherpunks@toad.com
Subject: Secure Drive insecure? NOT
Message-ID: <01HEDB6B0KIQ8Y70EA@delphi.com>
MIME-Version: 1.0
Content-Type: text/plain


bryner@atlas.chem.utah.edu "Roger Bryner" wrote:  

>Again, the only way that MD5 can keep the entropy of a string is for 
>every single 128 bit string to map itself onto a unique 128 bit string, 
>for if two 128 bit strings produce the same output, then you lose entropy.
>
>The question is, when md5 is restricted to 128 bit values, does it lose 
>entropy, and if so how much?  As much as a random mapping?  If so, the 
>1024 bit iteration in secure drive HARMS security.

BZZZT! Read the code...

MD5Init(&md5buf);
MD5Update(&md5buf,pass1,strlen(pass1));
MD5Final(key,&md5buf);

for(k=0;k<PASS_ITER;k++) {
  MD5Init(&md5buf);
  MD5Update(&md5buf,key,16);                           | Hmmm?!?
  MD5Update(&md5buf,pass1,strlen(pass1));   <----------| I wonder what
  MD5Final(key,&md5buf);                               | that line does?
  }

Notice that the passphrase is included in each of the hashings.
How can MD5(passphrase+16-byte hash) have lower entropy than
MD5(passphrase)? The iteration just makes it slower to crack pass-
phrases. Version 1.0, which used a single MD5, could be attacked
at the rate of 1000 per second on a PC.

--- Mike

1994: Wiretapping is privacy
      Secrecy is openness
      Obscurity is security
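
Added example (not part of the original message, and not SecureDrive's own code): a Python rendering of the loop quoted above, plus a toy experiment with MD5 truncated to 12 bits that counts how many distinct final keys survive when the passphrase is, or is not, re-hashed in every round. The PASS_ITER value, the function names and the sample passphrases are assumptions made for illustration.

```python
import hashlib

PASS_ITER = 1024  # assumed value; the message does not state the constant


def stretch_key(passphrase: bytes, iterations: int = PASS_ITER) -> bytes:
    """key = MD5(pass); then repeat key = MD5(key || pass), as in the quoted loop."""
    key = hashlib.md5(passphrase).digest()
    for _ in range(iterations):
        key = hashlib.md5(key + passphrase).digest()
    return key


def _toy(data: bytes, bits: int) -> bytes:
    """MD5 truncated to `bits` bits (toy state so collisions are observable)."""
    value = int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - bits)
    return value.to_bytes(2, "big")


def distinct_keys(passphrases, iterations, mix_passphrase, bits=12):
    """Count distinct final toy keys over a set of passphrases.

    mix_passphrase=True  : state = H(state || pass)  (the loop in the message)
    mix_passphrase=False : state = H(state)          (state-only iteration)
    """
    finals = set()
    for p in passphrases:
        state = _toy(p, bits)
        for _ in range(iterations):
            state = _toy(state + p if mix_passphrase else state, bits)
        finals.add(state)
    return len(finals)


if __name__ == "__main__":
    # Constructed sample passphrases, one per possible 12-bit state on average.
    sample = [b"passphrase-%d" % i for i in range(4096)]
    for rounds in (0, 1, 8, 64):
        print(rounds,
              distinct_keys(sample, rounds, mix_passphrase=False),
              distinct_keys(sample, rounds, mix_passphrase=True))
    print(stretch_key(b"constructed example passphrase").hex())
```

In the state-only column the count of distinct keys keeps shrinking as rounds are added, because two passphrases that collide once stay merged; with the passphrase mixed into every round the count stays near what a single truncated hash gives.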




