From: tjb@acpub.duke.edu (Tom Bryce)
To: cypherpunks@toad.com
Message Hash: 978efc60d7b584ef388fb8f4c1217076fdfa963b15fdeff4562e275c2d53c4fd
Message ID: <v01510102ab3ba3ffa431@[152.3.113.8]>
Reply To: N/A
UTC Datetime: 1995-01-13 03:25:28 UTC
Raw Date: Thu, 12 Jan 95 19:25:28 PST
From: tjb@acpub.duke.edu (Tom Bryce)
Date: Thu, 12 Jan 95 19:25:28 PST
To: cypherpunks@toad.com
Subject: Re: RELEASE: Secure Edit beta 0.5
Message-ID: <v01510102ab3ba3ffa431@[152.3.113.8]>
MIME-Version: 1.0
Content-Type: text/plain
Ben Goren wrote:
>At 5:18 PM 1/12/95, Tom Bryce wrote:
>>[. . .]
>>* the salt is concatenated with MD5[passphrase] many times and this
>>concatenated string hashed to generate the 'session key' for the file
>>from your pass phrase. The number of times it is concatenated is
>>calibrated to make it take about half a second - not a big performance
>>loss, but it makes brute force attack of weak passphrases up to
>>thousands of times more costly.
>>[. . . .]
>
>This is only going to work if MD5 is not a "group"--that is, if there is no
>simple algorithm which is equivialent to md5(md5(x)). I doubt that's been
>proven.
This is not exactly what secure edit does. It hashes in the following
manner to generate a session key:
MD5 [ (128-bit salt) MD5[passphrase] 0 MD5[passphrase] 1 MD5[passphrase] 2 ... ]
to get the session key. The 0, 1, 2 is a single byte. So there is only one
level of nesting of the hashes. This is actually a common and well-regarded
technique for increasing the security of weak passphrases.
Tom
------------------------------------------------------------------------
/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/~~\
| Tom Bryce |____|
___ | Duke Med | ___
{~._.~} | tjb@acpub.duke.edu | {~._.~)
( Y ) | PGP keys: finger tjbryce@amherst.edu | ( Y )
()~*~() |personal:9B6088464ED86413 0F5E55E45CF1C961| ()~*~()
(_)-(_) |miyako | (_)-(_)
|software:02646F0B06DCFE03 E6DD367DB4E1010F|
/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/ |
\_________________________________________\__/
Return to January 1995
Return to “tjb@acpub.duke.edu (Tom Bryce)”
1995-01-13 (Thu, 12 Jan 95 19:25:28 PST) - Re: RELEASE: Secure Edit beta 0.5 - tjb@acpub.duke.edu (Tom Bryce)