Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Posting-Version: version B 2.10.3 4.3bsd-beta 6/6/85; site mit-amt.MIT.EDU Path: utzoo!watmath!clyde!burl!ulysses!allegra!mit-eddie!mit-amt!simsong From: simsong@mit-amt.MIT.EDU (Simson Garfinkel) Newsgroups: net.crypt,net.bugs.v7,net.bugs.4bsd Subject: Re: Re: crypt 3 is OK, but setkey and encrypt 3 NOT Message-ID: <6@mit-amt.MIT.EDU> Date: Sun, 25-Aug-85 00:01:11 EDT Article-I.D.: mit-amt.6 Posted: Sun Aug 25 00:01:11 1985 Date-Received: Mon, 26-Aug-85 01:31:56 EDT References: <4958@allegra.UUCP> <683@vu44.UUCP> <517@baylor.UUCP> Distribution: net Organization: MIT Media Lab, Cambridge, MA Lines: 25 Xref: watmath net.crypt:440 net.bugs.v7:206 net.bugs.4bsd:1709 Summary: Clarification of UNIX crypt(2) and crypt(1) In article <517@baylor.UUCP>, peter@baylor.UUCP (Peter da Silva) writes: > OK. The documentation on 4.2 crypt doesn't mention DES. I seem to remember > reading in some security paper somewhere that crypt used a deliberately > flawed version of DES so DES chips couldn't be used for a fast exhaustive > search. Anyone actually have the paper involved (I read it in a manual > rack on the 5th floor of Evans while waiting for printout), so they can > confirm or deny this vicious rumor? > -- crypt(2) and crypt(1) are different. crypt(2) is an itterated and defective DEA (software DES) implementation that takes a string key and a 2 character salt and returns those familar passwd-like encrypted strings. It is indeed not true DES so that you can't use a DES chip to braek passwords. This is explained in detail in /usr/doc/password. crypt(1), the 4.2 crypt program, uses DEA to generate a key sequence. It then throws away the security of DEA and uses an enigma-like rotor-based encryption scheme to cipher the rest of the plaintext. (actually, the system that crypt(1) uses is less secure than enigma.) DEA may or may not be secure. crypt(2) is definately secure, but it is one way. crypt(1) is insecure (it can be broken programatically). Hope this clears things up. (Of course, If I've made a mistake, I'm sure I'll be told about it).