Re: Fwd: Generation of CHAP Secrets...

[Bill Studenmund <wrstuden@wasabisystems.com>]

On Wed, 21 Aug 2002 VAHUJA@aol.com wrote:

> David,
>
> I believe, the secret size does have a direct impact on the cryptograohic
> strength of the hash. If the secret size is less than the hashed value of the
> algorithm, then it makes it easier for an exhaustive search attack. For
> reference, here is a quote from the CHAP RFC page 3:

How is the size of the hash a magic number in terms of exhaustive search
attacks? Regardless of the size of the secret, you have to hash the I
value, the secret, and the challenge.

I see how making the secret longer is good, but I just don't see how
making the secret the size of the hash really changes the behavior. Once
we say have the secret at like 96 or 128 bits, do we really NEED more?
Sure, we can let folks choose more, but do we NEED it (a la we should
require it)?

Or do these hash functions (MD5, SHA-1) not stir all of the bits well, and
thus if you don't feed in about the number of bytes in the hash you get
poor results?

Take care,

Bill