Uninvertible passwd encryption (was: Re: Kmem security)
Phil Eschallier
phil at ls.com
Wed Mar 20 23:20:56 AEST 1991
In article <1991Mar19.231715.28594 at comp.vuw.ac.nz> duncan at comp.vuw.ac.nz (Duncan McEwan) writes:
>This has drifted off the topic a little bit, so I've changed the Subject
>(again!) and killed the References:
>
>In article <1991Mar18.153201.23325 at lth.se>
> magnus at thep.lu.se (Magnus Olsson) writes:
>
>>login does *not* have to decrypt the password from /etc/passwd - indeed,
>>I don't think there's any way it could do that! (The encryption function
>>is not invertible - several different passwords can have the same
>>encrypted form).
>
>This response to an earlier posting reminded me of something I have been
>curious about. Exactly why is the Unix password encryption algorithm
>uninvertible? It seems to me that the fact that several passwords can
>have the same encrypted form is irrelevant -- the cracker simply has to
>find any *one* password that results in a given encrypted string and they are
>in.
>
>Is it to do with the fact that Unix encrypts a constant string using the
>password as a key -- so it *is* possible to work back to that constant string,
>but you still know nothing about the password?
>
>Apologies to any cryptologists out there, to whom this must be obvious!
>
please forgive me if some of my details are off, it has been
some time since i worked on unix passwds/encryption ...

i would never say never and never say always but for all intents
and purposes the unix passwd encryption cannot be reversed ...

the 13 byte uncrypted passwd in the /etc/passwd has the following
format:

    positions 1 and 2 are the salt
    positions 3 thru 13 are the encrypted passwd

but this is not all ... the des crypt makes 16 iterations of
encryption and within each iteration the routine shifts bits
and re-arranges the string according to a predefined schedule.
the result of this logic is a 66 byte output string of which only
11 bytes are stored in the /etc/passwd file.

/bin/passwd does not decrypt what is in the /etc/passwd file,
rather it encrypts the user input by using the salt from the
first 2 bytes of the current encrypted passwd then compares
the following 11 bytes in the current encrypted passwd w/ the
result of its own encryption.

since only 11 bytes of the des crypt result are significant, i
suppose it is possible to have two (or more) encrypted passwds
equal. however when choosing a new passwd word, the salt is
randomly generated from the time -- this only makes it less
likely that duplicates would show up.

again, it may be possible to have two (or more) encrypted passwds
equal but i will leave the proof up to someone out there with
nothing better to do but bang their head against the wall.
--
Phil Eschallier | E-Mail to: US Mail to:
| INET: phil at ls.com 248B Union Street
Lagniappe Systems | UUCP: ...!uunet!lgnp1!phil Doylestown, PA 18901
Computer Services | CIS: 71076,1576 VOICE: +1 215 348 9721
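
The check-by-re-encryption flow described in the message above, as an added example that is not part of the original post: the stored field is split into its 2-character salt and 11-character body, the candidate is encrypted under that salt, and the two fields are compared. `toy_crypt` is a hypothetical stand-in that keeps the field layout but uses SHA-256 instead of the DES-based crypt(3); all names and sample values are constructed.

```python
import hashlib
import hmac

# The 64 characters traditional crypt(3) output is drawn from (6 bits each).
CRYPT64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def toy_crypt(password: str, salt: str) -> str:
    """Hypothetical stand-in for crypt(3): same field layout, SHA-256 instead of DES."""
    if len(salt) != 2 or any(c not in CRYPT64 for c in salt):
        raise ValueError("salt must be 2 characters from the crypt alphabet")
    # Traditional DES crypt keys on the first 8 characters only; modelled here.
    digest = hashlib.sha256((salt + password[:8]).encode()).digest()
    bits = int.from_bytes(digest[:9], "big") >> 6  # keep 66 bits = 11 x 6
    body = "".join(CRYPT64[(bits >> (6 * i)) & 0x3F] for i in range(11))
    return salt + body


def split_field(field: str) -> tuple[str, str]:
    """Split a 13-character password field into (salt, encrypted part)."""
    if len(field) != 13 or any(c not in CRYPT64 for c in field):
        raise ValueError("not a 13-character crypt field")
    return field[:2], field[2:]


def verify(candidate: str, stored_field: str) -> bool:
    """Re-encrypt the candidate under the stored salt and compare; nothing is decrypted."""
    salt, _ = split_field(stored_field)
    return hmac.compare_digest(toy_crypt(candidate, salt), stored_field)


if __name__ == "__main__":
    stored = toy_crypt("opensesame", "aB")      # constructed sample entry
    print(stored, split_field(stored))
    print(verify("opensesame", stored))          # True: same salt, same input
    print(verify("letmein", stored))             # False
    print(verify("opensesaXYZ", stored))         # True: same first 8 characters
    print(toy_crypt("opensesame", "cD")[2:] != stored[2:])  # True: salt changes the output
```

The third check shows one concrete way two different passwords end up with the same stored field: anything past the eighth character never reaches the encryption step.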