PHK's MD5 might not be slow enough anymore
Chris Palmer
chris at noncombatant.org
Thu Jan 28 18:24:06 UTC 2010
See your copy of /usr/src/lib/libcrypt/crypt-md5.c:
/*
* and now, just to make sure things don't run too fast
* On a 60 Mhz Pentium this takes 34 msec, so you would
* need 30 seconds to build a 1000 entry dictionary...
*/
for(i = 0; i < 1000; i++) {
MD5Init(&ctx1);
if(i & 1)
MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
else
MD5Update(&ctx1, (const u_char *)final, MD5_SIZE);
if(i % 3)
MD5Update(&ctx1, (const u_char *)sp, (u_int)sl);
if(i % 7)
MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
if(i & 1)
MD5Update(&ctx1, (const u_char *)final, MD5_SIZE);
else
MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
MD5Final(final, &ctx1);
}
This algorithm is still the default on FreeBSD 8. (Blowfish is available --
but has it been tuned for slowness either? I have not checked.) The purpose
of these functions is to be slow, but the above has not been slow for years.
Hence this patch:
--- crypt.h.orig 2010-01-28 10:14:50.000000000 -0800
+++ crypt.h 2010-01-28 10:17:49.000000000 -0800
@@ -32,6 +32,9 @@
#define MD4_SIZE 16
#define MD5_SIZE 16
+/* As processors get faster, increase this. 1000 was good on a Pentium 60. */
+#define MD5_SLOW 100000
+
char *crypt_des(const char *pw, const char *salt);
char *crypt_md5(const char *pw, const char *salt);
char *crypt_nthash(const char *pw, const char *salt);
--- crypt-md5.c.orig 2010-01-28 10:18:03.000000000 -0800
+++ crypt-md5.c 2010-01-28 10:19:00.000000000 -0800
@@ -107,10 +107,10 @@
/*
* and now, just to make sure things don't run too fast
- * On a 60 Mhz Pentium this takes 34 msec, so you would
+ * On a 60 Mhz Pentium MD5_SLOW = 1000 takes 34 msec, so you would
* need 30 seconds to build a 1000 entry dictionary...
*/
- for(i = 0; i < 1000; i++) {
+ for(i = 0; i < MD5_SLOW; i++) {
MD5Init(&ctx1);
if(i & 1)
MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
More information about the freebsd-security
mailing list