Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.3 4.3bsd-beta 6/6/85; site mit-amt.MIT.EDU
Path: utzoo!watmath!clyde!burl!ulysses!allegra!mit-eddie!mit-amt!simsong
From: simsong@mit-amt.MIT.EDU (Simson Garfinkel)
Newsgroups: net.crypt,net.bugs.v7,net.bugs.4bsd
Subject: Re: Re: crypt 3 is OK, but setkey and encrypt 3 NOT
Message-ID: <6@mit-amt.MIT.EDU>
Date: Sun, 25-Aug-85 00:01:11 EDT
Article-I.D.: mit-amt.6
Posted: Sun Aug 25 00:01:11 1985
Date-Received: Mon, 26-Aug-85 01:31:56 EDT
References: <4958@allegra.UUCP> <683@vu44.UUCP> <517@baylor.UUCP>
Distribution: net
Organization: MIT Media Lab, Cambridge, MA
Lines: 25
Xref: watmath net.crypt:440 net.bugs.v7:206 net.bugs.4bsd:1709
Summary: Clarification of UNIX crypt(2) and crypt(1)

In article <517@baylor.UUCP>, peter@baylor.UUCP (Peter da Silva) writes:
> OK. The documentation on 4.2 crypt doesn't mention DES. I seem to remember
> reading in some security paper somewhere that crypt used a deliberately
> flawed version of DES so DES chips couldn't be used for a fast exhaustive
> search. Anyone actually have the paper involved (I read it in a manual
> rack on the 5th floor of Evans while waiting for printout), so they can
> confirm or deny this vicious rumor?
> -- 
crypt(2) and crypt(1) are different. crypt(2) is an itterated and
defective DEA (software DES) implementation that takes a string key and
a 2 character salt and returns those familar passwd-like encrypted
strings. It is indeed not true DES so that you can't use a DES chip to
braek passwords. This is explained in detail in /usr/doc/password.

crypt(1), the 4.2 crypt program, uses DEA to generate a key sequence. It
then throws away the security of DEA and uses an enigma-like rotor-based
encryption scheme to cipher the rest of the plaintext. (actually, the
system that crypt(1) uses is less secure than enigma.) 

DEA may or may not be secure. crypt(2) is definately secure, but it is
one way. crypt(1) is insecure (it can be broken programatically).

Hope this clears things up.

(Of course, If I've made a mistake, I'm sure I'll be told about it).