Dear db-wg@ripe.net,

[24.07.2006 19:37] Marco d'Itri wrote:

MdI> On Jul 24, Max Tulyev <president@ukraine.su> wrote:
MdI>> It is a good idea even to hide PGP key data (open key), because why do we need to provide extra data to evil persons?
MdI> http://en.wikipedia.org/wiki/Kerckhoffs%27_principle

As I understand, Max is probably concerned that open MD5 hashes provide an easy way to conduct offline attacks - brute force or more effective ones (esp. with recent reports of MD5 not being as strong as supposed).

As far as brute force is concerned, offline attacks are the most dangerous, because the speed is limited only by the attacker's available processing power, whereas an authentication server could impose delays, detect and block an abnormal volume of requests, etc.

This seems to be the same consideration as the one behind shadowing /etc/passwd, e.g. in FreeBSD:

    -rw-------  1 root  wheel  /etc/master.passwd   <-- Contains MD5 hashes
    -rw-r--r--  1 root  wheel  /etc/passwd

Best Regards,
Alexander Yemelyanov,
Comintern I.S.P.
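
Added example, not part of the original message: a small audit of the shadowing arrangement described above, reporting accounts whose password hash sits in a passwd-format file readable beyond its owner. The function names and the sample data are constructed for illustration, and hash detection assumes modular crypt format (a `$`-delimited field such as `$1$` MD5-crypt).

```python
import os
import stat
import sys

# Constructed sample in FreeBSD master.passwd layout; the hash strings are fake.
SAMPLE = """\
root:$1$constructed$fakehashvalue0000000000:0:0::0:0:Charlie &:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$1$constructed$fakehashvalue1111111111:1001:1001::0:0:Alice:/home/alice:/bin/sh
"""


def users_with_hashes(text):
    """Return account names whose password field holds a hash."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        # Assumption: modular crypt format. A lock prefix in front of the
        # hash still leaves the hash itself readable, so it counts too.
        if "$" in fields[1]:
            users.append(fields[0])
    return users


def audit(text, mode):
    """Accounts whose hash is readable by group or other (offline exposure)."""
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return users_with_hashes(text)
    return []


def audit_path(path):
    """Apply audit() to a file on disk, using its real permission bits."""
    with open(path) as fh:
        text = fh.read()
    return audit(text, os.stat(path).st_mode)


if __name__ == "__main__":
    # Usage: python audit.py /etc/passwd /etc/master.passwd
    for path in sys.argv[1:]:
        exposed = audit_path(path)
        print(f"{path}: {'EXPOSED ' + ', '.join(exposed) if exposed else 'ok'}")
```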