Author pronounces MD5 crypt dead

Powered by SC Magazine
 

Big sites should design their own algorithms.

A more resilient spin off of the MD5 algorithm has been deemed unsafe by its developer.

Poul-Henning Kamp designed the then resource-intensive MD5 crypt algorithm which would provide better cryptographic protection than MD5 and slow down dictionary attacks.

The scheme would produce a password hash by mixing together the user’s passphrase and salt to produce an MD5 digest. The three were melded together to produce a second digest which was after a (fixed) thousand function iterations rehashed with the passphrase and salt in a highly variable manner.

The MD5 algorithm was developed three years earlier in 1992 by cryptographer Ronald Rivest – and declared dead by some commentators from around 2005.

“The MD5 crypt password scrambler was … back then a sufficiently strong protection for passwords,” Kamp said.

“New research has shown that it can be run at a rate close to a million checks per second on [consumer] hardware which means that it is as prone to brute-force attacks as the DES based UNIX crypt was back in 1995.

“As the author of MD5 crypt, I implore everybody to migrate to a stronger password scrambler without undue delay.”

Kamp said he would not design a new password scrambler but offered some technical advise to those who would attempt it.

He lashed out at LinkedIn for using poorly-implemented cryptography, a fact that was this week laid bare when millions of passwords were exposed online.

Kamp quizzed Twitter followers asking “LinkedIn used unsalted passwords? Really? Do they also use punch cards?” 

The social networking site was thought to have used SHA-1 encryption.

Kamp said that “all major internet sites with more than 50.000 passwords should design or configure a unique algorithm (consisting of standard one-way hash functions like SHA-2) in order to make development of highly optimised password brute-force technologies a ‘per-site’ exercise for attackers.”

Copyright © SC Magazine, Australia


Author pronounces MD5 crypt dead
 
 
 
Top Stories
At the top of her game
A decision to bring digital operations back in-house three years ago has paid big dividends for Tabcorp.
 
Westpac hires SAP man as CTO
Creates four new IT lead positions.
 
Qld Transport to replace core registration system
State's biggest citizen info repository set for overhaul.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  38%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  5%
TOTAL VOTES: 990

Vote