lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 7 Feb 2006 12:07:55 +0300
From: Solar Designer <solar@...nwall.com>
To: bugtraq@...urityfocus.com
Subject: crypt_blowfish 1.0


Hi,

This is to announce the first mature version of crypt_blowfish and the
minor security fix that this version adds.

crypt_blowfish is a public domain implementation of a modern password
hashing algorithm based on the Blowfish block cipher, provided via the
crypt(3) and a reentrant interface.  It is compatible with bcrypt
(version 2a) by Niels Provos and David Mazieres, as used in OpenBSD.
The homepage for crypt_blowfish is:

	http://www.openwall.com/crypt/

The most important property of bcrypt (and thus crypt_blowfish) is that
it is adaptable to future processor performance improvements, allowing
you to arbitrarily increase the processing cost of checking a password
while still maintaining compatibility with your older password hashes.
Already now bcrypt hashes you would use are several orders of magnitude
stronger than traditional Unix DES-based or FreeBSD-style MD5-based
hashes.

Besides providing a bcrypt implementation, the crypt_blowfish package
also includes a generic password hashing framework and hooks for
introducing this framework into the GNU C Library.  The provided
functions include crypt_gensalt*(), a family of functions for generating
"salts" for use with common Unix password hashing methods (that is, not
only with bcrypt).

Marko Kreen has discovered and reported a minor security bug in
crypt_blowfish 0.4.7 and below.  The bug affected the way salts for
BSDI-style extended DES-based and for FreeBSD-style MD5-based password
hashes were generated with the crypt_gensalt*() functions.  It would
result in a higher than expected number of matching salts with large
numbers of password hashes of the affected types.  crypt_gensalt*()'s
functionality for Blowfish-based (bcrypt) hashes that crypt_blowfish
itself implements and for traditional DES-based crypt(3) hashes was not
affected.

Since bcrypt hashes were not affected, default installs of
Openwall GNU/*/Linux (Owl) were never affected either.  The specific
impact this could have on non-default installs of Owl is described in
the latest Owl-current change log entry for glibc:

	http://www.openwall.com/Owl/CHANGES-2.0.shtml

Since Owl 2.0 is scheduled to be released really soon and since the bug
is minor, we are not planning a similar glibc update for Owl 1.1-stable.
Instead, the 1.1-stable branch will be obsoleted by the new release.

For those curious about the nature of the bug, it was unintended sign
extension on a typecast.

As this crypt_blowfish bug is my own, and as I was well aware of this
pitfall and avoided it in other places, I am very embarrassed about
this.  I apologize to anyone who might be affected for the exposure and
inconvenience this causes.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments


Powered by blists - more mailing lists