Bugtraq mailing list archives
Re: passwd hashing algorithm
From: jfh () rpp386 cactus org (John F. Haugh II)
Date: Thu, 20 Apr 95 22:28:40 CDT
SecureWare uses a mechanism similar to this and it is part of one of their security offerings. I've used a slightly different, but similar, approach for several yearsWe do not. See below.
I think the confusion lies in "similar". Otherwise, I stand by my remarks, source code samples from you not withstanding.
This is most certainly NOT SecureWare's password implementation, although I can understand why there might be some confusion. SecureWare has modified the behavior of password hashing not to increase the strength of the underlying crypt(), but to increase the size of the possible password space and the resulting hash value. The algorithm breaks a password into crypt- sized blocks, running crypt() across each block. The salt for each block is derived from the ciphertext of the previous block to provide linkage between the individual blocks. The resulting hash is the concatenation of the various ciphertext blocks, prefixed with the initial salt.
Yes. You use crypt() once for each block of 8 characters. This is what was described. 25 rounds of DES (one crypt()) with the first crypt()-sized block followed by 25 rounds of DES (one crypt()) with the second crypt()-sized block. As I understand the algorithm, the salt is the last 2 ciphertext characters of the previous encrypted result.
This strong mechanism, combined with shadow password files and configurable password controls (random pronounceable password generator, password aging, minimum allowable lengths, attack detection and account lockout, etc...) allow a system security officer to be as paranoid as they choose -- e.g., passwords can be configured to look like standard Unix, they can be configured to be 128 byte random passwords, or they can be configured somewhere in between. As an example, my password is between 8 and 16 bytes long. Its entry in the shadow password database looks like: watt:u_name=watt:u_id#124:\ :u_pwd=8F0Ovkj7jA9jE.ofsJ4MaIt6:\
Meaning that your password was created when crypt() returned "8F0Ovkj7jA9jE" then "jE.ofsJ4MaIt6". If the guy with the crypt() attack was serious, he should be able to generate a pair of keys which will produce your encrypted password. -- John F. Haugh II [ NRA-ILA ] [ Kill Barney ] !'s: ...!cs.utexas.edu!rpp386!jfh Ma Bell: (512) 251-2151 [GOP][DoF #17][PADI][ENTJ] @'s: jfh () rpp386 cactus org
Current thread:
- Re: passwd hashing algorithm, (continued)
- Re: passwd hashing algorithm Charlie Watt (Apr 20)
- Not really full disclosure bmanning () isi edu (Apr 22)
- virus Erich W. Gunther (Apr 20)
- Re: virus Leo Bicknell (Apr 22)
- no virus, only a rumor Albert Lunde (Apr 22)
- Re: no virus, only a rumor [good times, xxx-1] Matthew Hannigan (Apr 23)
- Good Times Paul Robinson (Apr 24)
- Re: virus Joshua Hosseinoff (Apr 23)
- Re: virus eli (Apr 23)
- The list Jon Green (Apr 23)
- Re: passwd hashing algorithm John F. Haugh II (Apr 20)
- Re: passwd hashing algorithm Charlie Watt (Apr 21)
- Re: passwd hashing algorithm John F. Haugh II (Apr 21)
- Re: passwd hashing algorithm Timothy Newsham (Apr 21)
- Re: passwd hashing algorithm John F. Haugh II (Apr 23)
- RE: virus Erich W. Gunther (Apr 23)
- Re: passwd hashing algorithm David Miller (Apr 19)
- Re: passwd hashing algorithm David A. Wagner (Apr 19)
- Re: passwd hashing algorithm John F. Haugh II (Apr 21)
- AntiFlash talkd Richard Allen (Apr 19)
- Re: AntiFlash talkd James M. Golovich (Apr 19)