Re: Long passwords (fwd)

Jeffrey C. Ollie (jeff@ollie.clive.ia.us)
Wed, 27 Mar 1996 13:13:24 -0600

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: James M. Laszko: "RADIUS Server Problems (Unavail. Host?)"
Previous message: Christopher Oliver: "Re: Long passwords (fwd)"
Maybe in reply to: MegaZone: "Long passwords (fwd)"

In message <m0u1yc2-00018LC@fritz.co.traverse.com>, oliver@fritz.co.traverse.co
m writes:
>
> richard@hekkihek.hacom.nl (Richard Huveneers) writes:
> > Please consider this for a future revision of ComOS. The necessary changes
> > to the radius daemon are very basic (just XOR-ing the md5 digest multiple
> > times instead of once). I suspect the same to be true for ComOS.
>
> Hmmm. This is not sound cryptology. In essence, the MD5 digest is used
> as a pseudo one-time-pad though found by deterministic means. One of the
> basic principles of the OTP is that one NEVER reuses key material. Let's
> assume that the first sixteen characters of the password are compromised,
> then one can recover the MD5 mask by XOR; now the remainder of the password
> provides NO additional security whatsoever. For a longer password, I think
> you'd need either a longer digest or use of a stronger cipher in some chain-
> ing mode. Maybe a some feedback method with MD5 would work, but that would
> probably break existing implementations.

I've attached an excerpt from the latest RADIUS draft. The method
described does not break any existing client implementations that I am
aware of, or any server implementations if the password is kept to 16
characters. I've implemented this algorithm in a server that I am
developing and it seems to work although I have not had a chance to
test it with long passwords.

Here's the excerpt:

On transmission, the password is hidden. The password is first
padded at the end with nulls to a multiple of 16 octets. A one-way
MD5 hash is calculated over a stream of octets consisting of the
shared secret followed by the Request Authenticator. This value
is XORed with the first 16 octet segment of the password and
placed in the first 16 octets of the String field of the
User-Password Attribute.

[Draft Note - the following method is being proposed to extend
the length of the password from 16 octets up to 128, and may
change based on feedback and implementation experience.
Comments are invited.]

If the password is longer than 16 characters, a second one-way MD5
hash is calculated over a stream of octets consisting of the
shared secret followed by the result of the first xor. That hash
is xor'd with the second 16 octet segment of the password and
placed in the second 16 octets of the String field of the
User-Password Attribute.

If necessary, this operation is repeated, with each xor result
being used along with the shared secret to generate the next hash
to xor the next segment of the password, to no more than 128
characters.

The method is taken from the book "Network Security" by Kaufman,
Perlman and Speciner [4] pages 109-110. A more precise
explanation of the method follows:

Call the shared secret S and the pseudo-random 128-bit Request
Authenticator RA. Break the password into 16-octet chunks p1, p2,
etc. with the last one padded at the end with nulls to a 16-octet
boundary. Call the ciphertext blocks c(1), c(2), etc. We'll need
intermediate values b1, b2, etc.

b1 = MD(S + RA) c(1) = p1 xor b1
b2 = MD(S + c(1)) c(2) = p2 xor b2
. .
. .
. .
bi = MD(S + c(i-1)) c(i) = pi xor bi

The String will contain c(1)+c(2)+...+c(i) where + denotes
concatenation.

On receipt, the process is reversed to yield the original
password.

You can find the latest RADIUS draft at <ftp://ftp.livingston.com/pub/radius/>.

-- 
Jeffrey C. Ollie
Iowa Network Services System Administrator

Next message: James M. Laszko: "RADIUS Server Problems (Unavail. Host?)"
Previous message: Christopher Oliver: "Re: Long passwords (fwd)"
Maybe in reply to: MegaZone: "Long passwords (fwd)"