## Proofs of security for the Unix password hashing algorithm (2000)

Venue: Proceedings of Advances in Cryptology—ASIACRYPT 2000, volume 1976 of Lecture

Citations: 10 - 0 self

### BibTeX

@INPROCEEDINGS{Wagner00proofsof,

author = {David Wagner and Ian Goldberg},

title = {Proofs of security for the Unix password hashing algorithm},

booktitle = {Proceedings of Advances in Cryptology—ASIACRYPT 2000, volume 1976 of Lecture},

year = {2000},

publisher = {Springer-Verlag}

}

### Abstract

We give the first proof of security for the full Unix password hashing algorithm (rather than of a simplified variant). Our results show that it is very good at extracting almost all of the available strength from the underlying cryptographic primitive and provide good reason for confidence in the Unix construction.

1 Introduction

This paper examines the security of the Unix password hashing algorithm, the core of the Unix password authentication protocol [14]. Although the algorithm has been conjectured cryptographically secure, after two decades and deployment in millions of systems worldwide it still has not been proven to resist attack. In this paper, we provide the first practical proof of security (under some reasonable cryptographic assumptions) for the Unix algorithm. The hashing algorithm is a fairly simple application of DES, perhaps the best-known block cipher available to the public. Since DES has seen many man-years of analysis, in an ideal world we might hope for a pr...

### Citations

726 | A pseudorandom generator from any one-way function
- Håstad, Impagliazzo, et al.
- 1999
Citation Context ...ison to entropy smoothing. Another alternative approach to dealing with patterned passwords is to smooth out the non-uniformity in the distribution. A well-known result called the leftover hash lemma [8, 10] shows that universal hash functions are good at entropy smoothing: if h is selected uniformly at random from a family of universal hash functions with m-bit outputs, and if k is drawn from a distribu...

209 | Password Security: A Case History
- Morris, Thompson
- 1979
Citation Context ...ovide good reason for confidence in the Unix construction. 1 Introduction This paper examines the security of the Unix password hashing algorithm, the core of the Unix password authentication protocol [14]. Although the algorithm has been conjectured cryptographically secure, after two decades and deployment in millions of systems worldwide it still has not been proven to resist attack. In this paper, ...

193 | The security of the cipher block chaining message authentication code
- Bellare, Kilian, et al.
- 2000
Citation Context ...e two fundamental observations. Relevance of the CBC-MAC. First, we show that the Unix password hashing algorithm is just a special case of the more general and better-studied DES-CBC-MAC construction [1]. Consequently, we can take advantage of well-known results on the security of DES-CBC-MAC. Let f-CBC-MAC(x) denote the CBC-MAC of the message x under the function f. Recall that the f-CBC-MAC of a n...

141 | Foundations of Cryptography (Fragments of a book), Weizmann Inst
- Goldreich
- 1995

130 | “Foiling the cracker”: A survey of, and improvements to, password security
- Klein
- 1990
Citation Context ...rds often do not contain enough entropy to resist dictionary attacks [3, 5, 9, 11, 15], that the 56-bit keysize of DES is too short to resist exhaustive keysearch attacks [4], and that cleartext passwords are inappropriate for use in a networked environment. However, our results show t... (Footnote 1: We assume the adversary exploits the DES complementation property, and thus e = t/2^55, not t/2^56 as one might naively expect.)

57 | A real-world analysis of Kerberos password security
- Wu
- 1999
Citation Context ...rds often do not contain enough entropy to resist dictionary attacks [3, 5, 9, 11, 15], that the 56-bit keysize of DES is too short to resist exhaustive keysearch attacks [4], and that cleartext passwords are inappropriate for use in a networked environment. However, our results show t... (Footnote 1: We assume the adversary exploits the DES complementation property, and thus e = t/2^55, not t/2^56 as one might naively expect.)

33 | Improving System Security via Proactive Password Checking
- Bishop, Klein
- 1995
Citation Context ...rds often do not contain enough entropy to resist dictionary attacks [3, 5, 9, 11, 15], that the 56-bit keysize of DES is too short to resist exhaustive keysearch attacks [4], and that cleartext passwords are inappropriate for use in a networked environment. However, our results show t... (Footnote 1: We assume the adversary exploits the DES complementation property, and thus e = t/2^55, not t/2^56 as one might naively expect.)

19 | UNIX password security—ten years later (invited
- Feldmeier, Karn
- 1989

16 | Keying Hash Functions for Message Authentication, Crypto ’96
- Bellare, M
- 1996

12 | A study of password security
- Luby, Rackoff
Citation Context ...y and Rackoff presented strong theoretical evidence that the basic approach found in the Unix algorithm is likely to be sound, by presenting proofs of security for a simplified variant of the Unix hash [12, 13]. However, their proofs have three serious limitations: the abstract model they analyze omits some important features of the real algorithm (they analyze the variant k ↦ E_k(0) rather than the full ...

3 | How to Recycle Random Bits, FOCS ’89
- Impagliazzo, Zuckerman
- 1989
Citation Context ...ison to entropy smoothing. Another alternative approach to dealing with patterned passwords is to smooth out the non-uniformity in the distribution. A well-known result called the leftover hash lemma [8, 10] shows that universal hash functions are good at entropy smoothing: if h is selected uniformly at random from a family of universal hash functions with m-bit outputs, and if k is drawn from a distribu...

3 | personal communication
- Zuckerman
- 1999
Citation Context ...ht. In other words, it is unlikely that one can do much better without either making additional assumptions on f or finding a better construction. The following simple example is due to David Zuckerman [16]. Let g : K_1 → Y_1 be an ideally-secure one-way function with keyspace K_1 and output space Y_1. We construct f : K → Y as f(⟨x, y⟩) = ⟨g(x), y⟩, where K = K_1 × K_2 and Y = Y_1 × K_2. Note that f is...

3 | Lecture notes on cryptography. Available online from http://www-cse.ucsd.edu/users/mihir/papers/gb.html
- Goldwasser, Bellare
Citation Context ...words with distribution D if DES is secure for keys with distribution D. The following theorem, which forms a nice example of this approach, is due to Bellare (and was stated as a homework problem in [7]): Theorem 5. If g : K → Y is a (t, e)-secure pseudorandom generator for seeds distributed according to D, then g is a (t, p)-secure one-way function for D, where p = e + |K|/|Y|. Remark 2. Of course, w...

2 | Keying hash functions for message authentication, Advances
- Bellare, Canetti, et al.
- 1996

2 | A study of password security, CRYPTO ’87
- Luby, Rackoff
- 1988
Citation Context ...y and Rackoff presented strong theoretical evidence that the basic approach found in the Unix algorithm is likely to be sound, by presenting proofs of security for a simplified variant of the Unix hash [12, 13]. However, their proofs have three serious limitations: the abstract model they analyze omits some important features of the real algorithm (they analyze the variant k ↦ E_k(0) rather than the full ...

1 | Lecture Notes on Cryptography, available online from http://www-cse.ucsd.edu/users/mihir/papers/gb.html
- Goldwasser, Bellare
Citation Context ...words with distribution D if DES is secure for keys with distribution D. The following theorem, which forms a nice example of this approach, is due to Bellare (and was stated as a homework problem in [7]): Theorem 5. If g : K → Y is a (t, e)-secure pseudorandom generator for seeds distributed according to D, then g is a (t, p)-secure one-way function for D, where p = e + |K|/|Y|. Remark 2. Of course...

1 | ipasswd—proactive password security
- Hietaniemi
- 1992

1 | How to Recycle Random Bits, FOCS ’89
- Impagliazzo, Zuckerman
- 1989
Citation Context ...ison to entropy smoothing. Another alternative approach to dealing with patterned passwords is to smooth out the non-uniformity in the distribution. A well-known result called the leftover hash lemma [8, 10] shows that universal hash functions are good at entropy smoothing: if h is selected uniformly at random from a family of universal hash functions with m-bit outputs, and if k is drawn from a distribu...

1 | Rackoff, “A study of password security,” CRYPTO ’87
- Luby, C
- 1988
Citation Context ...and Rackoff presented strong theoretical evidence that the basic approach found in the Unix algorithm is likely to be sound, by presenting proofs of security for a simplified variant of the Unix hash [12, 13]. However, their proofs have three serious limitations: the abstract model they analyze omits some important features of the real algorithm (they analyze the variant k ↦ E_k(0) rather than the full it...