Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site pur-ee.UUCP
Path: utzoo!watmath!clyde!cbosgd!ihnp4!inuxc!pur-ee!ecn-ee!davy
From: davy@ecn-ee.UUCP
Newsgroups: net.crypt
Subject: Re: Re: Unix encryption methods
Message-ID: <2464@pur-ee.UUCP>
Date: Fri, 21-Dec-84 17:21:34 EST
Article-I.D.: pur-ee.2464
Posted: Fri Dec 21 17:21:34 1984
Date-Received: Fri, 28-Dec-84 03:41:39 EST
Sender: notes@pur-ee.UUCP
Organization: Electrical Engineering Department, Purdue University
Lines: 40
Nf-ID: #R:brl-tgr:-654800:ecn-ee:22700002:000:2165
Nf-From: ecn-ee!davy    Dec 21 17:15:00 1984


The output of crypt(3) is not "straight" DES (DEA). The "salt" is used 
to permute one of the tables (the E-table) in one of 4096 different 
ways. This means that you cannot simply reverse the DES algorithm to 
decrypt the password (see below for more on this). 

Actually, most people have a misconception about password encryption 
on UNIX -- your password is not encrypted, rather, your password is 
used as the KEY to encrypt a block of zeros 25 times. This encryption 
is performed after the E-table has been permuted. Then, the output of 
the encryption is "converted" such that you get 10 characters from the 
set a-zA-Z0-9, '.', and '/'. The salt is tacked on to the front of 
this, giving you a 12-character encrypted password. Because the 
encryption key is thrown away after the encryption, and since the 
output of the encryption is shifted, anded, ored, etc., crypt(3) is 
essentially one-way encryption. When you log in and type your 
password, login does NOT decrypt the password contained in the 
password file. Rather, it calls crypt(3) with your password attempt 
and the salt from the password file, and then compares the encrypted 
result with that stored in the password file. 

A friend and I once sat down and calculated some things about 
crypt(3). One of the things we came up with was that to generate every 
possible encrypted string and store it along with a password which 
generated it (thus, you could crack passwords using table lookup) 
would take something on the order of 45 415-MByte disk drives! Of 
course, since it takes a VAX about 1 second to crypt(3) a single 
string, the idea is probably computationally infeasible even if you 
could get the disk drives. We also decided (I don't remember how -- I 
think it was by trial and error) that there are multiple passwords 
which will give you the same encrypted result. This is not including 
the fact that any passwords which are identical in the first eight 
characters (e.g., "bookkeeper" and "bookkeeping") will encrypt to the 
same thing (except of course if they use different salts), since DES 
only uses a 56-bit key (8 chars * 7 bits/char = 56 bits). 

--Dave Curry
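
[Added example, not part of the original post or of any crypt(3) source: the key and salt setup the post describes, written to follow the traditional DES-based crypt(3), showing why "bookkeeper" and "bookkeeping" are the same password to it and how the salt selects one of 4096 E-tables. The function names are hypothetical and the salt "ab" is constructed.]

```c
#include <stdio.h>
#include <string.h>

/* Pack a password into the 8-byte DES key: first 8 characters only, low 7
   bits of each, placed above the (ignored) parity bit of each key byte. */
void crypt_key(const char *pw, unsigned char key[8])
{
    memset(key, 0, 8);
    for (int i = 0; i < 8 && pw[i] != '\0'; i++)
        key[i] = (unsigned char)((pw[i] & 0x7f) << 1);
}

/* Two passwords are indistinguishable to crypt(3) when their keys match. */
int same_crypt_key(const char *a, const char *b)
{
    unsigned char ka[8], kb[8];
    crypt_key(a, ka);
    crypt_key(b, kb);
    return memcmp(ka, kb, 8) == 0;
}

/* Map one salt character from [./0-9A-Za-z] to 0..63, or -1 if invalid. */
int salt_value(char c)
{
    static const char set[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    const char *p = c ? strchr(set, c) : NULL;
    return p ? (int)(p - set) : -1;
}

/* Fill e[] with the standard DES E-table, then for every set bit k of the
   12-bit salt swap entries k and k+24. Returns the salt value, -1 if bad. */
int salted_e_table(const char *salt, int e[48])
{
    int hi, lo = salt_value(salt[0]);
    if (lo < 0 || (hi = salt_value(salt[1])) < 0) return -1;
    int bits = lo | (hi << 6);
    for (int i = 0; i < 48; i++)
        e[i] = (4 * (i / 6) + (i % 6) + 31) % 32 + 1;
    for (int k = 0; k < 12; k++)
        if ((bits >> k) & 1) { int t = e[k]; e[k] = e[k + 24]; e[k + 24] = t; }
    return bits;
}

int main(void)
{
    int e[48], bits = salted_e_table("ab", e);  /* "ab": constructed salt */
    printf("same key: %d  salt bits: %d  E[0]: %d\n",
           same_crypt_key("bookkeeper", "bookkeeping"), bits, e[0]);
    return 0;
}
```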