Non-ATT 'crypt(3)'
Bill.Stewart.4K435.x0705
wcs at ho95e.UUCP
Fri Dec 20 10:58:29 AEST 1985
In article <125 at suneast.uucp> geoff at suneast.uucp (Geoff Arnold) writes:
>Alex Osadzinski, Unix Europe Ltd, London, England
>writes:
>> ... Further, any competent programmer
>> can reproduce the crypt(3) code in an afternoon from a functional description.
>
>Oh really? The problem is, the only functional description other than the
>code is the 'crypt(3)' man page, which vaguely says that the 'salt' is
>"used to perturb the DES algorithm in one of 4096 different ways". Can you
>deduce the algorithm without looking at the code?
The important thing is to get the interface right; for normal
applications it's unnecessary to pass crypt(3)'ed passwords between
systems; if you depend on that then propagate your own crypt routine as
well as your application. The salt business has two main purposes:
- make it impossible to use DES hardware to decrypt
  (software is much slower, and if the speculated-about
  NSA trapdoor exists, this may make it fail.)
- produce different cyphertexts for identical plaintext
  encrypted with identical keys - this makes cryptanalysis
  much more difficult, and makes it hard to tell that
  you're using the same passwords on N different machines.
As long as you've got the interfaces correct, the internals don't
really matter much.
--
# Bill Stewart, AT&T Bell Labs 2G-202, Holmdel NJ 1-201-949-0705 ihnp4!ho95c!wcs
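
Added example, not part of the original post or of any AT&T source: a C sketch of how a two-character salt can select one of 4096 variants of the DES E (expansion) table, which is why unmodified DES hardware does not compute the same function. It assumes the traditional scheme in which each of the 12 salt bits swaps entry k with entry k+24 of the E table; the helper names salt_value, salted_e and e_diff are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Standard DES E (expansion) table: 32 input bits -> 48 output bits. */
static const unsigned char DES_E[48] = {
    32, 1, 2, 3, 4, 5,   4, 5, 6, 7, 8, 9,
     8, 9,10,11,12,13,  12,13,14,15,16,17,
    16,17,18,19,20,21,  20,21,22,23,24,25,
    24,25,26,27,28,29,  28,29,30,31,32, 1
};

/* Map two salt characters from [./0-9A-Za-z] to a 12-bit value (assumed encoding). */
int salt_value(const char *salt) {
    int v = 0;
    for (int i = 0; i < 2; i++) {
        int c = (unsigned char)salt[i];
        if (c > 'Z') c -= 6;   /* close the ASCII gap between 'Z' and 'a' */
        if (c > '9') c -= 7;   /* close the ASCII gap between '9' and 'A' */
        v |= ((c - '.') & 077) << (6 * i);
    }
    return v;
}

/* Build the salted E table: salt bit k exchanges entries k and k+24. */
void salted_e(int salt12, unsigned char e[48]) {
    memcpy(e, DES_E, sizeof DES_E);
    for (int k = 0; k < 12; k++)
        if ((salt12 >> k) & 1) {
            e[k] = DES_E[k + 24];
            e[k + 24] = DES_E[k];
        }
}

/* Count E-table entries that differ from stock DES for this salt. */
int e_diff(int salt12) {
    unsigned char e[48];
    int n = 0;
    salted_e(salt12, e);
    for (int k = 0; k < 48; k++)
        n += (e[k] != DES_E[k]);
    return n;
}

int main(void) {
    const char *s[] = { "..", "ab", "zz" };   /* constructed sample salts */
    for (int i = 0; i < 3; i++)
        printf("salt \"%s\" -> %4d, %2d of 48 E entries moved\n",
               s[i], salt_value(s[i]), e_diff(salt_value(s[i])));
    return 0;
}
```

Only the salt ".." leaves the table identical to stock DES; every other salt moves at least two entries, so the same password stored under different salts goes through a different cipher variant.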