compare-by-hash (was Re: sharing /etc/passwd)
David Schultz
das at FreeBSD.ORG
Tue Sep 28 09:14:02 PDT 2004
On Mon, Sep 27, 2004, Colin Percival wrote:
> If an appropriately strong hash is used (eg, SHA1), then the probability
> of obtaining an incorrect /etc/*pwd.db with a correct hash is much
> smaller than the probability of a random incorrect password being
> accepted. Remember, passwords are stored by their MD5 hashes, so a
> random password has a 2^(-128) chance of working.
>
> If, on the other hand, you're concerned about accidentally locking
> yourself out of the server as a result of an undetected mangling of the
> password database... you should be more worried about the server, and
> all your backups, being simultaneously hit by lightning. :-)
One thing to keep in mind is that the collision-resistance of SHA-1
is an unproven conjecture. Back in the dark ages of cryptography,
Rivest conjectured that MD4 and MD5 were also collision-resistant,
and this turned out not to be true. In fact, recent results have
raised some concerns about SHA-1 (http://eprint.iacr.org/2004/146/).
There's some speculation that SHA-1 is broken in the sense that you
are likely to find a collision after computing far fewer than 2^80
hashes; however, people still seem to consider it good enough for
SSL/TLS and numerous other protocols. If they're wrong, of course,
I think people will be much more concerned about digital signatures
than rsync.
More information about the freebsd-security
mailing list