[1566] in bugtraq
Re: passwd hashing algorithm
daemon@ATHENA.MIT.EDU (John F. Haugh II)
Fri Apr 21 03:03:21 1995
From: jfh@rpp386.cactus.org (John F. Haugh II)
To: watt@sware.com (Charlie Watt)
Date: Thu, 20 Apr 95 22:28:40 CDT
Cc: dawagner@phoenix.Princeton.EDU, bugtraq@fc.net
In-Reply-To: <9504191341.AA08369@mordred.sware.com>; from "Charlie Watt" at Apr 19, 95 9:41 am
> > > SecureWare uses a mechanism similar to this and it is part of one of
> > > their security offerings. I've used a slightly different, but similar,
> > > approach for several years
>
> We do not. See below.
I think the confusion lies in "similar". Otherwise, I stand by my
remarks, source code samples from you notwithstanding.
> This is most certainly NOT SecureWare's password implementation, although
> I can understand why there might be some confusion. SecureWare has modified
> the behavior of password hashing not to increase the strength of the
> underlying crypt(), but to increase the size of the possible password space
> and the resulting hash value. The algorithm breaks a password into crypt-
> sized blocks, running crypt() across each block. The salt for each block is
> derived from the ciphertext of the previous block to provide linkage between
> the individual blocks. The resulting hash is the concatenation of the
> various ciphertext blocks, prefixed with the initial salt.
Yes. You use crypt() once for each block of 8 characters. This is
what was described. 25 rounds of DES (one crypt()) with the first
crypt()-sized block followed by 25 rounds of DES (one crypt()) with
the second crypt()-sized block. As I understand the algorithm, the
salt is the last 2 ciphertext characters of the previous encrypted
result.
> This strong mechanism, combined with shadow password files and configurable
> password controls (random pronounceable password generator, password aging,
> minimum allowable lengths, attack detection and account lockout, etc...)
> allow a system security officer to be as paranoid as they choose -- e.g.,
> passwords can be configured to look like standard Unix, they can be configured
> to be 128 byte random passwords, or they can be configured somewhere in
> between. As an example, my password is between 8 and 16 bytes long. Its
> entry in the shadow password database looks like:
>
> watt:u_name=watt:u_id#124:\
> :u_pwd=8F0Ovkj7jA9jE.ofsJ4MaIt6:\
Meaning that your password was created when crypt() returned
"8F0Ovkj7jA9jE" then "jE.ofsJ4MaIt6". If the guy with the crypt() attack
was serious, he should be able to generate a pair of keys which will
produce your encrypted password.
--
John F. Haugh II [ NRA-ILA ] [ Kill Barney ] !'s: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 251-2151 [GOP][DoF #17][PADI][ENTJ] @'s: jfh@rpp386.cactus.org
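The block-chained crypt() scheme discussed in the exchange above, as an added example that is not part of the original post and not SecureWare's code. It assumes the structure John describes (8-character blocks, each block's salt taken from the last two ciphertext characters of the previous block, results concatenated behind the initial salt); `fake_crypt` is a hashlib stand-in with crypt(3)'s output shape, not DES, so pass a real crypt function to get genuine hashes. `split_entry` shows why each 13-character segment of a stored entry is an independent crypt() result, since every block's salt is readable from the entry itself.

```python
import hashlib
import string

# crypt(3) output alphabet and sizes: 2-char salt + 11-char hash, 8-char key.
CRYPT_ALPHABET = "./" + string.digits + string.ascii_uppercase + string.ascii_lowercase
BLOCK = 8
SALT_LEN = 2
OUT_LEN = 13


def fake_crypt(key: str, salt: str) -> str:
    """Stand-in for crypt(3) (assumption: same shape, NOT DES). Swap in a real
    crypt() for genuine hashes; only the first 8 key characters matter."""
    digest = hashlib.sha256((salt[:SALT_LEN] + "\0" + key[:BLOCK]).encode()).digest()
    body = "".join(CRYPT_ALPHABET[b % 64] for b in digest[: OUT_LEN - SALT_LEN])
    return salt[:SALT_LEN] + body


def chained_hash(password: str, initial_salt: str, crypt_fn=fake_crypt) -> str:
    """Hash password in crypt-sized blocks; the salt for each block is the last
    two ciphertext characters of the previous block. Returns salt + hashes."""
    blocks = [password[i : i + BLOCK] for i in range(0, len(password), BLOCK)] or [""]
    salt = initial_salt[:SALT_LEN]
    out = salt
    for blk in blocks:
        result = crypt_fn(blk, salt)   # one full crypt() (25 DES rounds) per block
        out += result[SALT_LEN:]       # the salt is already present in the entry
        salt = result[-SALT_LEN:]      # linkage: next salt = last 2 chars of this block
    return out


def split_entry(entry: str) -> list:
    """Recover the individual crypt() outputs from a stored entry. Every salt is
    visible in the entry, so each block verifies on its own against 8-char keys."""
    salt, rest = entry[:SALT_LEN], entry[SALT_LEN:]
    pieces = []
    for i in range(0, len(rest), OUT_LEN - SALT_LEN):
        piece = salt + rest[i : i + OUT_LEN - SALT_LEN]
        pieces.append(piece)
        salt = piece[-SALT_LEN:]
    return pieces


def verify(password: str, entry: str, crypt_fn=fake_crypt) -> bool:
    """Re-derive the chained hash from the entry's initial salt and compare."""
    return chained_hash(password, entry[:SALT_LEN], crypt_fn) == entry
```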