[plug] blowfish encryption

Christian christian at global.net.au
Wed Oct 13 13:18:53 WST 1999


c.i.n at iname.com wrote:
> 
> Just got two questions.
> 
> 1)  How you would set blowfish to be the default encryption for a Linux box
> instead of crypt?

With a great deal of difficulty.  OpenBSD has done this and produced a
password hashing scheme that not only is very strong but also easily
scales with advances in computing power (as compared with the original
DES crypt which is now regarded as pretty poor and MD5 which is sure to
start showing its age in the next few years).  If you want to read about
it more there's a link to a USENIX paper on it from the OpenBSD web
site: http://www.openbsd.org/security.html and I've also touched upon it
in my thesis... coming soon. ;-)

Unless this has been ported to Linux (not to my knowledge - it's quite a
sophisticated system and I think porting would be largely non-trivial)
or unless you want to do it yourself, the best alternative is to use MD5
passwords.  You can enable these by editing /etc/login.defs although you
will have to reset all your users' passwords.  Your other alternative is
to swap to OpenBSD (if you want this I'd suggest waiting until 2.6 is
released which won't be long, since upgrades apparently aren't going to
be pretty).

> 2) Even if someone disables the system login banner on a Linux machine, could it
> still be TCP/IP stack finger-printed by using various fingerprinting methods
> like FIN probe, BOGUS flag probe, TCP ISN sampling etc...?

Yes.  Forget trying to obscure the nature of your operating system -
instead work on securing the system itself.  Hiding OS identity is
virtually attempting for security through obscurity and won't really
help you very much in the long (or short) term.

If you're really paranoid about security then consider Solar Designer's
Secure Linux patch (or whatever he's calling it nowadays) or switch to
OpenBSD.  Linux can be made reasonably secure but it takes considerable
expertise and effort.  In contrast, OpenBSD is secure out of the box and
it takes considerable effort and "inexpertise" to make it otherwise.

Regards,

Christian.

-- 
Nowlan's Theory:
	He who hesitates is not only lost, but several miles from
	the next freeway exit.
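The "easily scales with advances in computing power" property Christian attributes to the OpenBSD scheme (bcrypt, described in Provos and Mazières' USENIX 1999 paper) comes from storing a tunable work factor alongside each hash, so verification reads the cost from the stored string and an administrator can raise the cost later and rehash users as they log in. The following is an added example, not code from the post, the PLUG list or OpenBSD: it reproduces that structure with PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (bcrypt itself is not in the stdlib). The `$pbkdf2-sha256$rounds$salt$hash` string format, the function names and the `DEFAULT_ROUNDS` policy value are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Assumed site policy: the cost (iteration count) that new hashes are created with.
# Raising this number later does not invalidate old hashes, because each stored
# string carries the cost it was produced with (the same idea as bcrypt's "$2a$NN$").
DEFAULT_ROUNDS = 100_000
ALGORITHM_TAG = "pbkdf2-sha256"   # hypothetical tag for this example's format


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: $tag$rounds$salt$derived-key."""
    if salt is None:
        salt = os.urandom(16)            # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=32)
    return "$".join(["", ALGORITHM_TAG, str(rounds), _b64(salt), _b64(dk)])


def parse(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored string into (rounds, salt, derived key); reject unknown formats."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != ALGORITHM_TAG:
        raise ValueError("unrecognised password hash format")
    return int(parts[2]), _unb64(parts[3]), _unb64(parts[4])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the cost recorded in the stored string; constant-time compare."""
    rounds, salt, expected = parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    rounds, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, policy_rounds: int = DEFAULT_ROUNDS) -> bool:
    """True when the stored hash was made with a lower cost than current policy."""
    rounds, _, _ = parse(stored)
    return rounds < policy_rounds


def login_and_upgrade(password: str, stored: str,
                      policy_rounds: int = DEFAULT_ROUNDS) -> Tuple[bool, str]:
    """Verify a login; on success, transparently rehash at the current policy cost.

    Returns (ok, stored_value_to_keep). Only a successful login can trigger a
    rehash, because the plaintext is needed to produce the new hash.
    """
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored, policy_rounds):
        return True, hash_password(password, policy_rounds)
    return True, stored


if __name__ == "__main__":
    # Constructed demo: show that doubling the cost roughly doubles verification time,
    # which is what lets the scheme keep pace with faster hardware.
    pw = "constructed-example-passphrase"
    for rounds in (50_000, 100_000, 200_000):
        stored = hash_password(pw, rounds)
        t0 = time.perf_counter()
        verify_password(pw, stored)
        print(f"rounds={rounds:>7}  verify took {time.perf_counter() - t0:.3f}s  {stored[:40]}...")
    old = hash_password(pw, 50_000)
    ok, new = login_and_upgrade(pw, old, policy_rounds=200_000)
    print("login ok:", ok, "| rehashed to", parse(new)[0], "rounds")
```

The point to take from it is the division of labour: `hash_password` writes the cost into the string, `verify_password` never assumes a cost but reads it back, and `login_and_upgrade` is the hook an administrator relies on after raising `DEFAULT_ROUNDS` so that existing accounts migrate without a forced password reset. That is the property a fixed-cost scheme such as DES crypt or MD5 crypt lacks, and the reason the post recommends the OpenBSD design over them.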
