Uninvertible passwd encryption (was: Re: Kmem security)
Jonathan I. Kamens
jik at athena.mit.edu
Wed Mar 20 22:58:11 AEST 1991
In article <1991Mar19.231715.28594 at comp.vuw.ac.nz>, duncan at comp.vuw.ac.nz (Duncan McEwan) writes:
|> This response to an earlier posting reminded me of something I have been
|> curious about. Exactly why is the Unix password encryption algorithm
|> uninvertible? It seems to me that the fact that several passwords can
|> have the same encrypted form is irrelevent -- the cracker simply has to
|> find any *one* password results in a given encrypted string and they are
|> in.
I think you are failing to see the difference between cracking passwords and
inverting crypt(3). "The Cuckoo's Egg", by Cliff Stoll, makes the difference
clear, but you have to read an awful lot of other stuff in order to read the
little bit about crypt (It's good reading, but that's besides the point :-).
I'll try to explain the difference here.
Call the encryption algorithm C, such that the domain of C is the acceptable
Unix passwords, and the range of C is the thirteen-character values that can
appear in /etc/passwd. We feed input keys, signified by K, into C, and we get
back encrypted strings signified by E. That is, E = C(K).
When people say that C is uninvertible, they mean that there is no known way
to efficiently go from any given E to a K such that E = C(K). In other words,
there is no known function I, such that I(C(K)) = K.
Yes, the fact that several passwords can have the same encrypted form is
mostly irrelevant, since the function I, if it existed, would only have to be
able to find *one* such form. The point, however, is that it doesn't exist
(or, at least, is not known to exist).
Since no known efficient I exists, the only known way to crack Unix
passwords is to encrypt a whole bunch of plaintext passwords and compare them
to the encrypted entry in /etc/passwd. The fact that it is possible to do
this does not imply that crypt is invertible. When we talk about
invertibility, we are talking about algorithms. When we talk about password
cracking, we're talking about any which way you can, algorithmic, brute force
or otherwise.
The idea of the Unix password algorithm is that *if* a sufficiently complex
password is selected, a brute force attack on that password is unlikely to
succeed because it will take too much time to complete. Of course, as
machines become more and more powerful and it becomes possible to do things
like encrypt millions of strings with all 4096 possible seeds and store them
on-line somehow, or to encrypt strings so quickly so that the encryption speed
is no longer nearly as much of an obstacle as it used to be, Unix passwords
become more vulnerable. Which is why more emphasis has been placed recently
on things like choosing better passwords, keeping the /etc/passwd file secure,
and/or putting encrypted passwords in a shadow password file that mortals
can't read.
In summary, I'd like to quote from "On the Security of UNIX," by Dennis M.
Ritchie (which, incidentally, contains the "mkdir x; cd x" shell script that
someone was reluctant to post, I believe in this newsgroup, a few days ago):
On the issue of password security, UNIX is probably
better than most systems. Passwords are stored in an
encrypted form which, in the absence of serious attention
from specialists in the field, appears reasonably secure,
provided its limitations are understood. In the current
version, it is based on a slightly defective version of the
Federal DES; it is purposely defective so that easily-
available hardware is useless for attempts at exhaustive
key-search. Since both the encryption algorithm and the
encrypted passwords are available, exhaustive enumeration of
potential passwords is still feasible up to a point. We
have observed that users choose passwords that are easy to
guess: they are short, or from a limited alphabet, or in a
dictionary. Passwords should be at least six characters
long and randomly chosen from an alphabet which includes
digits and special characters.
Of course there also exist feasible non-cryptanalytic
ways of finding out passwords. For example: write a program
which types out ``login:'' on the typewriter and copies
whatever is typed to a file of your own. Then invoke the
command and go away until the victim arrives.
--
Jonathan Kamens USnail:
MIT Project Athena 11 Ashford Terrace
jik at Athena.MIT.EDU Allston, MA 02134
Office: 617-253-8085 Home: 617-782-0710
More information about the Comp.unix.admin
mailing list