[9884] in bugtraq
Re: Digital Unix 4 protected password database.
daemon@ATHENA.MIT.EDU (Alec Muffett)
Wed Mar 10 17:05:21 1999
Date: Wed, 10 Mar 1999 17:47:36 +0000
Reply-To: Alec Muffett <Alec.Muffett@UK.SUN.COM>
From: Alec Muffett <Alec.Muffett@UK.SUN.COM>
X-To: jmorgan@dircon.co.uk
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Wed, 10 Mar 1999 09:10:18 GMT."
             <001901be6ad5$d36f0800$673770c2@jon.europe.sumibank.com>
>The one thing that CAN cause problems is that Digital UNIX can use
>nonstandard hash algorithms (bigcrypt(), crypt16() and C1crypt()) as
>well as the normal crypt(). Not only does this make coding slightly
>complicated (as you have to get the correct hash algorithm), but when
>a password is created within an Enhanced Security environment that is
>over eight characters in length, another password round is created
>AFTER the original to contain the rest of the password. This doesn't
>make things impossible, just difficult - Digital kindly provide a set
>of system calls to do most of this for you.
Paul Leyland told me, many years ago, that one or more of the
"Enhanced Security" crypt-replacements are actually less secure
than traditional crypt() in many respects.
Consider the:
        crypt first 8 chars
        crypt remaining 8 chars
        join the two ciphertexts
...mechanism; assuming people choose passwords which are (a) plain
dictionary words and (b) only slightly longer than 8 characters, then:
        plaintext     = wheatsheaf
        first 8 chars = wheatshe
        last 8 chars  = af
...the cracker may brute-force the latter ciphertext with its implicit
small keyspace, and then (eg:) go hunting for words in dictionaries
which are 10 characters long and whose last characters are "af",
thereby possibly reducing the search space for the first 8 characters
*very* significantly.
I attach below a section of an illuminating e-mail of Paul's from 1996;
I do not think he'll mind my publishing it.
I once posted a better algorithm than this (essentially, crypt the
first eight characters "wheatshe", crypt the *last* eight characters
"eatsheaf", remembering to meddle with the salt for the second crypt
by using a function of first plaintext to prevent the pathological
condition where the ciphertext is eight-or-less characters yielding
concatenated repeated ciphertexts)... but it never got adopted, and
anyway, MD5 or SHA1 is a much better bet.
There are other issues with the innards of some of these crypt()
replacements, involving numbers of rounds, etc, but it is a long time
since I visited Ultrix and/or them.
- alec
ps: ObCynic: no doubt some self-aggrandising security research
pseudogroup can easily whip up a PGP-signed "Security Advisory" to
leap on this bandwagon, bring this to the media, and thereby try to
gain credibility. Don't all jump at once, now, y'hear?
| Here's a test program and its output when compiled and run under Ultrix
| 4.3a. Note the behaviour when the password drops below 8 characters...
|
| Paul
|
| 8<---------------------------------------------------------------------->8
|
| #include <stdio.h>
|
| /* crypt16() is provided by the Ultrix C library; declare it so the
|    char * result is not treated as int. */
| char *crypt16 ();
|
| int main ()
| {
|     /* same password, four different salts */
|     printf ("<%s> <%s> <%s>\n", "printf", "aa", crypt16 ("printf", "aa"));
|     printf ("<%s> <%s> <%s>\n", "printf", "AA", crypt16 ("printf", "AA"));
|     printf ("<%s> <%s> <%s>\n", "printf", "az", crypt16 ("printf", "az"));
|     printf ("<%s> <%s> <%s>\n", "printf", "a0", crypt16 ("printf", "a0"));
|     /* same salt, password shortened one character at a time from 16 to 1 */
|     printf ("<%s> <%s> <%s>\n", "LOLOAQICI82QB4IP", "/.", crypt16 ("LOLOAQICI82QB4IP", "/."));
|     printf ("<%s> <%s> <%s>\n", "LOLOAQICI82QB4I", "/.", crypt16 ("LOLOAQICI82QB4I", "/."));
|     printf ("<%s> <%s> <%s>\n", "LOLOAQICI82QB4", "/.", crypt16 ("LOLOAQICI82QB4", "/."));
|     printf ("<%s> <%s> <%s>\n", "LOLOAQICI82QB", "/.", crypt16 ("LOLOAQICI82QB", "/."));
|     printf ("<%s> <%s> <%s>\n", "LOLOAQICI82Q", "/.", crypt16 ("LOLOAQICI82Q", "/."));
|     printf ("<%s> <%s> <%s>\n", "LOLOAQICI82", "/.", crypt16 ("LOLOAQICI82", "/."));
|     printf ("<%s> <%s> <%s>\n", "LOLOAQICI8", "/.", crypt16 ("LOLOAQICI8", "/."));
|     printf ("<%s> <%s> <%s>\n", "LOLOAQICI", "/.", crypt16 ("LOLOAQICI", "/."));
|     printf ("<%s> <%s> <%s>\n", "LOLOAQIC", "/.", crypt16 ("LOLOAQIC", "/."));
|     printf ("<%s> <%s> <%s>\n", "LOLOAQI", "/.", crypt16 ("LOLOAQI", "/."));
|     printf ("<%s> <%s> <%s>\n", "LOLOAQ", "/.", crypt16 ("LOLOAQ", "/."));
|     printf ("<%s> <%s> <%s>\n", "LOLOA", "/.", crypt16 ("LOLOA", "/."));
|     printf ("<%s> <%s> <%s>\n", "LOLO", "/.", crypt16 ("LOLO", "/."));
|     printf ("<%s> <%s> <%s>\n", "LOL", "/.", crypt16 ("LOL", "/."));
|     printf ("<%s> <%s> <%s>\n", "LO", "/.", crypt16 ("LO", "/."));
|     printf ("<%s> <%s> <%s>\n", "L", "/.", crypt16 ("L", "/."));
|     return 0;
| }
|
| 8<---------------------------------------------------------------------->8
| <printf> <aa> <aaCjFz4Sh8Eg2QSqAReePlq6>
| <printf> <AA> <AA/xje2RyeiSU0iBY3PDwjYo>
| <printf> <az> <azbLHnWaqbJeQeZc1OSYe7Pk>
| <printf> <a0> <a0yn3KhrcQbus.ioGbPACugk>
| <LOLOAQICI82QB4IP> </.> </.FcK3mad6JwYt8LVmDqz9Lc>
| <LOLOAQICI82QB4I> </.> </.FcK3mad6JwYq1nJWLBmf3E>
| <LOLOAQICI82QB4> </.> </.FcK3mad6JwYy2Cg/eC.S0Y>
| <LOLOAQICI82QB> </.> </.FcK3mad6JwYGluf6Ixbuu6>
| <LOLOAQICI82Q> </.> </.FcK3mad6JwYZpsNag31O/2>
| <LOLOAQICI82> </.> </.FcK3mad6JwYZ5gmSbpOG4c>
| <LOLOAQICI8> </.> </.FcK3mad6JwY0b/Q.wdrEkg>
| <LOLOAQICI> </.> </.FcK3mad6JwYSaRHJoTPzY2>
| <LOLOAQIC> </.> </.FcK3mad6JwYelhbtlysKy6>
| <LOLOAQI> </.> </.HFDmSJe0gdUelhbtlysKy6>
| <LOLOAQ> </.> </.4xr8tFp2YtkelhbtlysKy6>
| <LOLOA> </.> </.J0OjcwfBdmselhbtlysKy6>
| <LOLO> </.> </.W3kA/gJhfNkelhbtlysKy6>
| <LOL> </.> </./8USI4XZojgelhbtlysKy6>
| <LO> </.> </.IsLxNCl59joelhbtlysKy6>
| <L> </.> </.CIu/PzYCkl6elhbtlysKy6>
| 8<---------------------------------------------------------------------->8
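
Added example (not part of the original message or of Paul's test program): a small Python check run over a few of the crypt16 outputs printed above, showing that each 11-character block of the field can be compared on its own, which is the property the message warns about. The 2 + 11 + 11 field layout is read off that output, and the function names are illustrative.

```python
from collections import defaultdict

# (label, crypt16 output) pairs copied from the Ultrix 4.3a run quoted above;
# the label is the test password, used here only to name the entry.
ENTRIES = [
    ("LOLOAQICI82QB4IP", "/.FcK3mad6JwYt8LVmDqz9Lc"),
    ("LOLOAQICI8",       "/.FcK3mad6JwY0b/Q.wdrEkg"),
    ("LOLOAQICI",        "/.FcK3mad6JwYSaRHJoTPzY2"),
    ("LOLOAQIC",         "/.FcK3mad6JwYelhbtlysKy6"),
    ("LOLOAQI",          "/.HFDmSJe0gdUelhbtlysKy6"),
    ("L",                "/.CIu/PzYCkl6elhbtlysKy6"),
    ("printf",           "aaCjFz4Sh8Eg2QSqAReePlq6"),
]

def split_crypt16(field):
    """Return (salt, first_block, second_block) of a 24-character field."""
    if len(field) != 24:
        raise ValueError("expected 2-char salt + two 11-char blocks")
    return field[:2], field[2:13], field[13:]

def shared_blocks(entries):
    """Map (salt, half, block) -> labels for every block seen more than once.

    In the output above each half depends only on the salt and its own
    segment of the password, so a repeated block under one salt means that
    segment of the passwords is the same (an empty tail included).
    """
    seen = defaultdict(list)
    for label, field in entries:
        salt, first, second = split_crypt16(field)
        seen[(salt, 1, first)].append(label)
        seen[(salt, 2, second)].append(label)
    return {key: labels for key, labels in seen.items() if len(labels) > 1}

def whole_field_duplicates(entries):
    """What a duplicate check on the full field alone reports, for comparison."""
    seen = defaultdict(list)
    for label, field in entries:
        seen[field].append(label)
    return {f: labels for f, labels in seen.items() if len(labels) > 1}

if __name__ == "__main__":
    for (salt, half, block), labels in shared_blocks(ENTRIES).items():
        print(f"salt {salt!r} half {half} block {block}: {labels}")
```

No two full fields in the sample are equal, yet the per-block comparison groups every entry sharing the first eight characters and every entry of eight characters or fewer, so an audit of stored hashes in this format has to compare blocks, not whole fields.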