Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site pur-ee.UUCP
Path: utzoo!watmath!clyde!cbosgd!ihnp4!inuxc!pur-ee!ecn-ee!davy
From: davy@ecn-ee.UUCP
Newsgroups: net.crypt
Subject: Re: Re: Unix encryption methods
Message-ID: <2464@pur-ee.UUCP>
Date: Fri, 21-Dec-84 17:21:34 EST
Article-I.D.: pur-ee.2464
Posted: Fri Dec 21 17:21:34 1984
Date-Received: Fri, 28-Dec-84 03:41:39 EST
Sender: notes@pur-ee.UUCP
Organization: Electrical Engineering Department, Purdue University
Lines: 40
Nf-ID: #R:brl-tgr:-654800:ecn-ee:22700002:000:2165
Nf-From: ecn-ee!davy Dec 21 17:15:00 1984

The output of crypt(3) is not "straight" DES (DEA). The "salt" is used to permute one of the tables (the E-table) in one of 4096 different ways. This means that you cannot simply reverse the DES algorithm to decrypt the password (see below for more on this).

Actually, most people have a misconception about password encryption on UNIX -- your password is not encrypted, rather, your password is used as the KEY to encrypt a block of zeros 25 times. This encryption is performed after the E-table has been permuted. Then, the output of the encryption is "converted" such that you get 10 characters from the set a-zA-Z0-9, '.', and '/'. The salt is tacked on to the front of this, giving you a 12-character encrypted password.

Because the encryption key is thrown away after the encryption, and since the output of the encryption is shifted, anded, ored, etc., crypt(3) is essentially one-way encryption. When you log in and type your password, login does NOT decrypt the password contained in the password file. Rather, it calls crypt(3) with your password attempt and the salt from the password file, and then compares the encrypted result with that stored in the password file.

A friend and I once sat down and calculated some things about crypt(3). One of the things we came up with was that to generate every possible encrypted string and store it along with a password which generated it (thus, you could crack passwords using table lookup) would take something on the order of 45 415-MByte disk drives! Of course, since it takes a VAX about 1 second to crypt(3) a single string, the idea is probably computationally infeasible even if you could get the disk drives.

We also decided (I don't remember how -- I think it was by trial and error) that there are multiple passwords which will give you the same encrypted result. This is not including the fact that any passwords which are identical in the first eight characters (e.g., "bookkeeper" and "bookkeeping") will encrypt to the same thing (except of course if they use different salts), since DES only uses a 56-bit key (8 chars * 7 bits/char = 56 bits).

--Dave Curry
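
The two inputs the post describes going into the DES stage, as an added example that is not part of the original post: the first eight password characters packed 7 bits each into a 56-bit key, and the two salt characters decoded into 12 bits (4096 values). The function names and the salt bit order (first character as the low six bits) are assumptions of this example, and the sample strings are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 64-character set used for the salt, in value order 0..63. */
static const char B64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Pack the password into the 56-bit DES key: only the first eight
 * characters are read, 7 bits each; short passwords get zero padding. */
uint64_t crypt_key56(const char *pw)
{
    uint64_t key = 0;
    size_t n = strlen(pw), i;
    for (i = 0; i < 8; i++)
        key = (key << 7) | (i < n ? (uint64_t)(pw[i] & 0x7f) : 0);
    return key;
}

/* Decode the two salt characters into 12 bits, each bit selecting one
 * E-table swap (bit order is an assumption of this example).
 * Returns -1 if a character is outside the 64-character set. */
int crypt_salt12(const char *salt)
{
    int bits = 0, i;
    for (i = 0; i < 2; i++) {
        const char *p = salt[i] ? strchr(B64, salt[i]) : NULL;
        if (p == NULL)
            return -1;
        bits |= (int)(p - B64) << (6 * i);
    }
    return bits;
}

/* Two (password, salt) pairs produce the same stored string whenever
 * both inputs to the DES stage match: the key and the salt bits. */
int crypt_same_input(const char *pw1, const char *s1,
                     const char *pw2, const char *s2)
{
    int a = crypt_salt12(s1), b = crypt_salt12(s2);
    return a >= 0 && a == b && crypt_key56(pw1) == crypt_key56(pw2);
}

int main(void)
{
    /* Constructed sample values, not taken from any password file. */
    printf("%d\n", crypt_same_input("bookkeeper", "ab", "bookkeeping", "ab"));
    printf("%d\n", crypt_same_input("bookkeeper", "ab", "bookkeeping", "ba"));
    return 0;
}
```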