Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Posting-Version: version B 2.10.1 6/24/83 (MC840302); site vu44.UUCP Path: utzoo!linus!philabs!cmcl2!seismo!mcvax!vu44!tstorm From: tstorm@vu44.UUCP (Theo van der Storm) Newsgroups: net.crypt,net.bugs.v7,net.bugs.4bsd Subject: Re: crypt 3 is OK, but setkey and encrypt 3 NOT Message-ID: <683@vu44.UUCP> Date: Tue, 20-Aug-85 11:52:21 EDT Article-I.D.: vu44.683 Posted: Tue Aug 20 11:52:21 1985 Date-Received: Fri, 23-Aug-85 05:45:53 EDT References: <4958@allegra.UUCP> Reply-To: tstorm@vu44.UUCP Distribution: net Organization: VU Informatica, Amsterdam Lines: 33 Xref: linus net.crypt:398 net.bugs.v7:92 net.bugs.4bsd:1390 In article <4958@allegra.UUCP> don@allegra.UUCP (Don Mitchell) writes: >There is no bug in libc/gen/crypt.c. The array E is generated from the >permutation in array e. This is the "salting" opperation. Not exactly. 1) The array e is copied to array E. 2) The "salting" operation is the change of the E array. You MUST do 1) and you CAN do 2). Crypt() does both. This means that the function crypt() is OK, but the library also provides the functions setkey() and encrypt() in libc/gen/crypt.c. The manual suggests you can use these functions to encrypt 64 bit blocks with 56 bit keys. If you use them this way however, the array E is not generated at all! (1) is not done.) This is what I tried to point out in my previous article. A second remark about libc/gen/crypt.c is that it accesses the array R by L[32], L[33] ... L[63]! Declaration: static char L[32], R[32]; >Cryptography is a field that has no room for hacking. I would not make >an uneducated change in the DES algorithm and then think it will be >more secure. I apologize for posting an incorrect "Fix" in my previous article, but I cannot help thinking the original implementation was the result of a hacking party. I suggest the following fix: Move the lines for(i=0;i<48;i++) E[i] = e[i]; from the function crypt() to the function setkey(). -- Theo van der Storm, 052 19'08"N / 004 51'16"E UUCP: {seismo|decvax|philabs}!mcvax!vu44!tstorm UUCP: {ark|botter|klipper|tjalk|vu45|vu60}!vu44!tstorm