[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [patches] crypt_blowfish patch for eglibc
- To: "Joseph S. Myers" <joseph@xxxxxxxxxxxxxxxx>
- Subject: Re: [patches] crypt_blowfish patch for eglibc
- From: Paul DeBruicker <pdebruic@xxxxxxxxx>
- Date: Fri, 29 Apr 2011 21:04:19 -0400
Thanks for the reply. Since I wrote the earlier email I learned about
libxcrypt which I think may address my needs for having a portable C
implementation of the bcrypt password hashing scheme in Linux. I do
respond to your questions/concerns below.
I am a Smalltalk programmer and do not know much about C or its
libraries. I am happy to have any suggestions or changes or
improvements made.
On 04/29/2011 07:13 PM, Joseph S. Myers wrote:
On Fri, 29 Apr 2011, Paul DeBruicker wrote:
*** ../eglibc-2.12.1/Versions.def 2010-01-26 06:27:38.000000000 -0500
--- Versions.def 2011-04-28 11:26:15.614637002 -0400
***************
*** 39,44 ****
--- 39,46 ----
}
libcrypt {
GLIBC_2.0
+ GLIBC_2.2.1
+ GLIBC_2.2.2
}
You can't add symbol versions to existing libraries like that. If you
need a new symbol version for something in EGLIBC (or generally if you
wish to export an EGLIBC-specific symbol), it needs to be in an option
group that is disabled by default and the symbol version needs to be in
the form EGLIBC_* with a name reflecting the option group involved.
OK. I do not know the reasoning behind the change to the Versions.def
file or whether it is necessary or not. It was in the diff I linked to
in my previous email so I left it in when updating the diff to "work"
with eglibc 2.12.1 and crypt_blowfish.
Could you please explain (with appropriate references) what advantages
this algorithm has over the SHA-256 and SHA-512 based algorithms added in
glibc 2.7? In the absence of clear cryptographic justification, adding
the choice of more algorithms isn't generally a good idea, because of the
risk of vulnerabilities in the new algorithms or in the way selection is
made between the algorithms. Is this about compatibility with existing
passwords hashed using the blowfish scheme? Controlling the set of
supported algorithms with option groups does seem to make sense, if not
already implemented.
The paper written by the algorithm's authors [1] describes the reasoning
more fully but the gist of it is this. In bcrypt the key set up phase
has a configurable number of rounds of encryption. As computers get
faster this number of rounds can be increased to make brute-force &
rainbow table attacks increasingly costly. Instead of developing,
proving, and adding e.g. SHA-1024 in the future you can just increase
the work factor of this algorithm. It is designed to be slow and to
obscure plain-text passwords. Not be a general purpose hashing
algorithm like SHA-256 and SHA-512. The site and paper in [2] has some
data about how slow it is relative to other schemes. The first answer
to this Stack Overflow thread also provides a good overview of the
differences between SHA-512 and bcrypt [3].
This is not about compatibility with existing passwords hashed using
this scheme. That may be an ancillary benefit or cost. I don't know.
I personally wanted it available in libc because my Smalltalk
implementation is too slow to make use of the algorithm in a reasonable
amount of time. I'm probably doing-it-wrong. But I also think it
should be in libc because, as shown in the links on [2] there are
currently Python, Ruby, PHP, LISP, and Erlang libraries that have each
adapted C code and made interfaces to either the openwall.com or openbsd
[4] C versions. It is also mentioned in the crypt(3) manpage, but is
not a standard feature in Linux currently. I think its only in Suse and
Owl linux. Suse has a crypt_blowfish diff against libc in their glibc
source rpm [5]. By my count that's at least 7 C implementations for
linux with different interfaces (Ruby, Erlang, Lisp, Python,
openwall.com, suse, libxcrypt)
Arguing against my position is [6] and [7]. And I am not storing
sensitive data that is under threat so could certainly use one of the
already implemented hashing methods or interface to an existing
implementation.
Really at this point in time I think using the libxcrypt library will be
just fine for my needs, but wanted to get you this information in the
event you had other ideas.
Thanks again
Paul DeBruicker
[1] http://www.usenix.org/events/usenix99/provos.html
[2] http://codahale.com/how-to-safely-store-a-password/
http://www.usenix.org/publications/login/2004-06/pdfs/alexander.pdf
[3] http://stackoverflow.com/questions/1561174/sha512-vs-blowfish-and-bcrypt
[4] http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/crypt/
[5]
https://build.opensuse.org/package/view_file?file=crypt_blowfish-1.0-suse.diff&package=glibc&project=openSUSE%3A11.4
[6] http://www.akkadia.org/drepper/sha-crypt.html
[7] https://bugzilla.redhat.com/show_bug.cgi?id=173002