Re: passwd hashing algorithm

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Aleph One: "Re: The Dan Farmer rap"
• Previous message: John Evans: "Re: The Dan Farmer rap"
• In reply to: Charlie Watt: "Re: passwd hashing algorithm"
• Next in thread: Charlie Watt: "Re: passwd hashing algorithm"

> > > SecureWare uses a mechanism similar to this and it is part of one of
> > > their security offerings.  I've used a slightly different, but similar,
> > > approach for several years
> 
> We do not.  See below.
 
I think the confusion lies in "similar".  Otherwise, I stand by my
remarks, source code samples from you not withstanding.

> This is most certainly NOT SecureWare's password implementation, although
> I can understand why there might be some confusion.  SecureWare has modified
> the behavior of password hashing not to increase the strength of the
> underlying crypt(), but to increase the size of the possible password space
> and the resulting hash value.  The algorithm breaks a password into crypt-
> sized blocks, running crypt() across each block.  The salt for each block is
> derived from the ciphertext of the previous block to provide linkage between
> the individual blocks.  The resulting hash is the concatenation of the 
> various ciphertext blocks, prefixed with the initial salt.
 
Yes.  You use crypt() once for each block of 8 characters.  This is
what was described.  25 rounds of DES (one crypt()) with the first
crypt()-sized block followed by 25 rounds of DES (one crypt()) with
the second crypt()-sized block.  As I understand the algorithm, the
salt is the last 2 ciphertext characters of the previous encrypted
result.

> This strong mechanism, combined with shadow password files and configurable 
> password controls (random pronounceable password generator, password aging, 
> minimum allowable lengths, attack detection and account lockout, etc...)
> allow a system security officer to be as paranoid as they choose -- e.g.,
> passwords can be configured to look like standard Unix, they can be configured
> to be 128 byte random passwords, or they can be configured somewhere in
> between.  As an example, my password is between 8 and 16 bytes long.  Its
> entry in the shadow password database looks like:
> 
> watt:u_name=watt:u_id#124:\
>         :u_pwd=8F0Ovkj7jA9jE.ofsJ4MaIt6:\

Meaning that your password was created when crypt() returned
"8F0Ovkj7jA9jE" then "jE.ofsJ4MaIt6".  If the guy with the crypt() attack
was serious, he should be able to generate a pair of keys which will
produce your encrypted password.
-- 
John F. Haugh II  [ NRA-ILA ] [ Kill Barney ] !'s: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 251-2151 [GOP][DoF #17][PADI][ENTJ]   @'s: jfh@rpp386.cactus.org

• Next message: Aleph One: "Re: The Dan Farmer rap"
• Previous message: John Evans: "Re: The Dan Farmer rap"
• In reply to: Charlie Watt: "Re: passwd hashing algorithm"
• Next in thread: Charlie Watt: "Re: passwd hashing algorithm"