[2707] in bugtraq
Re: Not so much a bug as a warning of new brute force attack
daemon@ATHENA.MIT.EDU (Brian Tao)
Mon Jun 10 02:01:20 1996
Date: Mon, 10 Jun 1996 00:08:31 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Brian Tao <taob@io.org>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <199606091803.OAA23755@Collatz.McRCIM.McGill.EDU>
On Sun, 9 Jun 1996, der Mouse wrote:
>
> I don't know what code FreeBSD is using, but I don't see a round count
> in the above hashed password.

I believe it goes through 1000 rounds:

    /*
     * and now, just to make sure things don't run too fast
     * On a 60 Mhz Pentium this takes 34 msec, so you would
     * need 30 seconds to build a 1000 entry dictionary...
     */
    for(i=0;i<1000;i++) {
        MD5Init(&ctx1);
        if(i & 1)
            MD5Update(&ctx1,pw,strlen(pw));
        else
            MD5Update(&ctx1,final,16);
        if(i % 3)
            MD5Update(&ctx1,sp,sl);
        if(i % 7)
            MD5Update(&ctx1,pw,strlen(pw));
        if(i & 1)
            MD5Update(&ctx1,final,16);
        else
            MD5Update(&ctx1,pw,strlen(pw));
        MD5Final(final,&ctx1);
    }

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"