1997-01-06 - Double crypt strength

Header Data

From: Rick Osborne <osborne@gateway.grumman.com>
To: cypherpunks mailing list <cypherpunks@toad.com>
Message Hash: 2be492eefb3a2064d783cef99d0cac4450e00acc0f6135907135944966fe9d09
Message ID: <3.0.32.19970106102811.009d3af0@gateway.grumman.com>
Reply To: N/A
UTC Datetime: 1997-01-06 15:29:14 UTC
Raw Date: Mon, 6 Jan 1997 07:29:14 -0800 (PST)

Raw message

From: Rick Osborne <osborne@gateway.grumman.com>
Date: Mon, 6 Jan 1997 07:29:14 -0800 (PST)
To: cypherpunks mailing list <cypherpunks@toad.com>
Subject: Double crypt strength
Message-ID: <3.0.32.19970106102811.009d3af0@gateway.grumman.com>
MIME-Version: 1.0
Content-Type: text/plain


I am curious as to the strength of Un*x crypt when used upon itself.  I was
thinking of was to obfuscate passwords and a few came to mind (obviously
not original):
1. Use a hashed passphrase.
2. Encrypt your original password and then used that as your password.  (Or
triple, quadruple, ad inifinitum...)

Re #1: I know that a good hash will take a pass phrase and reduce it to a
statistically random sequence.  I'm not intending to use the hash for
verfication, but for two reasons:
1. Get a nice random jumble
2. Come out with something shorter than I came in with.

Re #2: This I thought might help spoil a dictionary attack.  Granted, if
the attacker knows that you are doing this, it only adds one step in his
process, but if he doesn't it turns his attack into plain brute force.
Plus, for Un*x users, it's right there on the command line and only adds a
few seconds to the entire procees of changing passwords.

The added benefit with both of these is that the user does not have to
remember some cryptic string, but can remember his normal password/phrase.
By this, it is obviously not a commercial-use scheme, but one for
individual users.  (If everyone used the same algorithm, it'd be kinda
pointless, right?)  So with everyone (hashing down/reencrypting) their
(passphrases/passwords) with different algorithms, all attacks are reduced
to brute force.  Either that, or the attacker has to figure out what
algorithm the user used, still making a dictionary attack that much harder.

So what are the comments on a system like this?  Obviously, they are not
original ideas, but I would like to know what has been said about them.


Rick Osborne / osborne@gateway.grumman.com / Northrop Grumman Corporation
-------------------------------------------------------------------------
What the hell, it's only 4 month's grant - I can live in a cardboard box,
and catch pigeons for food. After all, I've got raytracing to do!






Thread