From owner-freebsd-security Mon Feb 17 13:42:24 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA17319 for security-outgoing; Mon, 17 Feb 1997 13:42:24 -0800 (PST)
Received: from fusion.gage.com (brimstone.gage.com [205.217.2.10]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA17312 for ; Mon, 17 Feb 1997 13:42:19 -0800 (PST)
Received: (from mail@localhost) by fusion.gage.com (8.8.3/8.8.4) id PAA14403; Mon, 17 Feb 1997 15:42:13 -0600 (CST)
Received: from octopus.gage.com(158.60.57.50) by fusion.gage.com via smap (V2.0beta) id xma014396; Mon, 17 Feb 97 15:41:59 -0600
Received: from squid.gage.com (squid [158.60.57.101]) by octopus.gage.com (8.7.5/8.7.3) with SMTP id PAA02035; Mon, 17 Feb 1997 15:41:59 -0600 (CST)
Received: from schemer by squid.gage.com (NX5.67e/NX3.0S) id AA07110; Mon, 17 Feb 97 15:41:58 -0600
Message-Id: <9702172141.AA07110@squid.gage.com>
Received: by schemer.gage.com (NX5.67g/NX3.0X) id AA03376; Mon, 17 Feb 97 15:41:58 -0600
Content-Type: text/plain
Mime-Version: 1.0 (NeXT Mail 4.0 v146.2)
In-Reply-To: <199702172104.NAA14500@saguaro.flyingfox.com>
X-Nextstep-Mailer: Mail 3.3 (Enhance 1.3)
Received: by NeXT.Mailer (1.146.2)
From: Ben Black
Date: Mon, 17 Feb 97 15:41:56 -0600
To: Jim Shankland
Subject: Re: blowfish passwords in FreeBSD
Cc: security@freebsd.org
References: <199702172104.NAA14500@saguaro.flyingfox.com>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>It is, of course, always possible to guess the right password the
>very first time, thereby cracking the account in well under a second.

or guessing it in the first few million tries, thereby cracking the account in 3 hours.

>This will work even on an old 386 box lying around your lab, and
>does not require a card with ASICs. All you need is very good luck :-).
>Whether this says anything meaningful about the cryptographic
>strength of DES is debatable.

the cryptographic strength of DES is already debatable.
the differential cryptanalysis of DES by shamir was met by certain folks involved in the creation of the lucifer and DES ciphers with the statement that they knew about differential cryptanalysis of DES 20 years ago. i am also of the mind that NSA doesn't allow the export of any encryption it can't break.

b3n