Encryption No Longer Secure

Tuesday, June 12, 2012 @ 06:06 PM gHale


The password hashing function md5crypt() is no longer secure, even though it is still being recommended for password hashing.

Poul-Henning Kamp built his md5crypt() function, which sees use on FreeBSD and Linux-based operating systems, on Ronald Rivest’s MD5 one-way hashing algorithm. Kamp has now declared md5crypt() no longer secure, noting that people were still recommending it for production use.


While Kamp introduced extra functionality in md5crypt() to mitigate brute-force attacks, processing power has increased to a point where Kamp said md5crypt() is too fast on commercially available hardware. “[The] only problem with md5crypt is speed: It’s too fast,” he said.

Kamp said it is no secret that md5crypt() can no longer provide adequate protection, but because people were still recommending md5crypt() for production environments, he felt he had to urge people to stop using his creation.

While MD5 fell to brute-force attacks back in 2005, Kamp included extra stages in md5crypt(), such as salting, to increase its computational complexity, and md5crypt() remained too processor-intensive for brute-force attacks for a while longer. However, md5crypt() is over 20 years old, and more computing power, especially with GPGPUs, means hackers can execute md5crypt() on every combination of 10 letters and numbers in a matter of hours.

All hashing algorithms eventually become susceptible to brute-force attacks due to advances in computational power.
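To find where md5crypt() is still in use, the following added example (not from the article or from Kamp) scans shadow-format password entries and reports accounts hashed with md5crypt, identified by the `$1$` prefix, or with the older DES crypt. The function names and the sample entries are constructed for illustration; FreeBSD's master.passwd keeps the hash in the same second field.

```python
import re

# crypt(3) modular-format identifiers; md5crypt hashes start with "$1$".
SCHEME_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
              "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
# md5crypt is flagged per the article; traditional DES crypt predates it.
FLAGGED = {"md5crypt", "des-crypt"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
PREFIX_RE = re.compile(r"^\$([A-Za-z0-9-]+)\$")

def classify(field):
    """Name the hashing scheme used by one password field."""
    h = field.lstrip("!")  # leading "!" marks a locked account; a hash may follow
    if h == "" or h.startswith("*"):
        return "no-hash"
    if DES_RE.match(h):
        return "des-crypt"
    m = PREFIX_RE.match(h)
    if m:
        return SCHEME_IDS.get(m.group(1), "unknown")
    return "unknown"

def audit(text):
    """Return (user, scheme, locked) for every entry using a flagged scheme."""
    findings = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        user, field = parts[0], parts[1]
        scheme = classify(field)
        if scheme in FLAGGED:
            findings.append((user, scheme, field.startswith("!")))
    return findings

# Constructed sample in /etc/shadow layout; the hash strings are placeholders.
SAMPLE = """\
root:$6$examplesalt$PLACEHOLDER:19000:0:99999:7:::
alice:$1$examples$PLACEHOLDER:15500:0:99999:7:::
bob:!$1$examples$PLACEHOLDER:15500:0:99999:7:::
carol:$y$j9T$examplesalt$PLACEHOLDER:19000:0:99999:7:::
legacy:exPLACEHOLDER:12000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc:!!:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme, locked in audit(SAMPLE):
        print(f"{user}: {scheme}{' (locked)' if locked else ''}")
```

Locked accounts are reported too, because unlocking them puts the old hash back into service; a flagged account keeps its md5crypt hash until the password is next set under a stronger scheme.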


