Author pronounces MD5 crypt dead

Powered by SC Magazine
 

Big sites should design their own algorithms.

A more resilient spin off of the MD5 algorithm has been deemed unsafe by its developer.

Poul-Henning Kamp designed the then resource-intensive MD5 crypt algorithm which would provide better cryptographic protection than MD5 and slow down dictionary attacks.

The scheme would produce a password hash by mixing together the user’s passphrase and salt to produce an MD5 digest. The three were melded together to produce a second digest which was after a (fixed) thousand function iterations rehashed with the passphrase and salt in a highly variable manner.

The MD5 algorithm was developed three years earlier in 1992 by cryptographer Ronald Rivest – and declared dead by some commentators from around 2005.

“The MD5 crypt password scrambler was … back then a sufficiently strong protection for passwords,” Kamp said.

“New research has shown that it can be run at a rate close to a million checks per second on [consumer] hardware which means that it is as prone to brute-force attacks as the DES based UNIX crypt was back in 1995.

“As the author of MD5 crypt, I implore everybody to migrate to a stronger password scrambler without undue delay.”

Kamp said he would not design a new password scrambler but offered some technical advise to those who would attempt it.

He lashed out at LinkedIn for using poorly-implemented cryptography, a fact that was this week laid bare when millions of passwords were exposed online.

Kamp quizzed Twitter followers asking “LinkedIn used unsalted passwords? Really? Do they also use punch cards?” 

The social networking site was thought to have used SHA-1 encryption.

Kamp said that “all major internet sites with more than 50.000 passwords should design or configure a unique algorithm (consisting of standard one-way hash functions like SHA-2) in order to make development of highly optimised password brute-force technologies a ‘per-site’ exercise for attackers.”

Copyright © SC Magazine, Australia


Author pronounces MD5 crypt dead
 
 
 
Top Stories
ATO shaves $4m off IT contractor panel
Reform cuts admin burden, introduces KPIs.
 
Turnbull introduces data retention legislation
Still no definition of metadata to be stored.
 
Crime Commission prepares core systems overhaul
Will replace 30 year-old national criminal database.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  27%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  21%
 
End user computing (desktops, mobiles, apps)
  14%
 
Software development
  25%
TOTAL VOTES: 432

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  54%
 
No
  46%
TOTAL VOTES: 208

Vote