Date: Fri, 14 Feb 1997 21:23:05 +0200
From: Mark Murray <mark@grondar.za>
To: Poul-Henning Kamp <phk@critter.dk.tfs.com>
Cc: security@freebsd.org
Subject: Re: blowfish passwords in FreeBSD
Message-ID: <199702141923.VAA18249@grackle.grondar.za>

Poul-Henning Kamp wrote:
> In message <E0vvHbl-00026f-00@rover.village.org>, Warner Losh writes:
> >
> >OpenBSD just committed a new encryption method using blowfish. This
> >has a much larger salt space as well as a much harder to break
> >encryption scheme. Preliminary indications are that it looks really
> >good. They implemented this much like md5, but with its own code.
> >
> >I think we should bring this into FreeBSD. What do others think?
>
> We already have a submission for SSH (?) passwords in a PR, they
> should be merged and documented.

You mean SHA (secure hash algorithm). I have this FreeBSD ready.

This method expands on PHK's MD5 passwd(5) scheme where an encrypted
passwd that is not DES looks like $n$sssss$pppppppppp.

Where n is a number 1=MD5
                    2=SHA
                    3-??=<unassigned>
      sssss is salt
      ppppppppp is the encrypted passwd.

The code has hooks to make it extensible for other hash types.

How does the OpenBSD Blowfish method fit into _that_?

FWIW, our _current_ DES passwd scheme has a method that extends the
salt dramatically (this is documented). If the salt begins with an
"_" underscore char, then the next 8 (!) chars are salt. They are
(sort of) uudecoded to provide two 24 bit numbers. One is
common-or-garden salt, the other is iteration count. You want someone
to work hard to crack your password? Set the count high.

Look in the secure/lib/libcrypt/test dir for test code and check out
the secure crypt(3) manpage for docs.

M
--
Mark Murray                PGP key fingerprint = 80 36 6E 40 83 D6 8A 36
This .sig is umop ap!sdn.                        BC 06 EA 0E 7A F2 CE CE
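
The two formats described in the message above, as a parser: this is an added example, not part of the original e-mail and not FreeBSD's libcrypt code. It classifies a crypt(3) string as traditional DES, the "_" extended DES form, or `$n$salt$hash`, and unpacks the two 24-bit numbers of the "_" form. The count-before-salt order and the six-bits-per-character, least-significant-first packing come from the crypt(3) extended DES format rather than from the message; `parse_setting`, `struct setting` and the sample string are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct setting {
    enum { K_INVALID, K_DES, K_EXT_DES, K_MODULAR } kind;
    long id; char salt[33];          /* n and salt text of $n$salt$hash */
    unsigned long count, des_salt;   /* the two 24-bit values of the "_" form */
};

/* crypt(3) alphabet: each character stands for a value 0..63. */
static const char A64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
static int a2b(char c) {
    const char *p = c ? strchr(A64, c) : NULL;
    return p ? (int)(p - A64) : -1;   /* -1: NUL or not in the alphabet */
}

/* Four alphabet chars, least significant first, into one 24-bit number. */
static int dec24(const char *s, unsigned long *out) {
    *out = 0;
    for (int i = 0; i < 4; i++) {
        int v = a2b(s[i]);
        if (v < 0) return -1;         /* bad character or string too short */
        *out |= (unsigned long)v << (6 * i);
    }
    return 0;
}

struct setting parse_setting(const char *s) {
    struct setting r = { K_INVALID, 0, "", 0, 0 };
    if (s[0] == '_') {                /* _CCCCSSSS: count, then salt */
        if (!dec24(s + 1, &r.count) && !dec24(s + 5, &r.des_salt))
            r.kind = K_EXT_DES;
    } else if (s[0] == '$' && s[1] >= '0' && s[1] <= '9') {
        char *end;
        r.id = strtol(s + 1, &end, 10);
        const char *stop = (*end == '$') ? strchr(end + 1, '$') : NULL;
        size_t n = stop ? (size_t)(stop - end - 1) : 0;
        if (n > 0 && n < sizeof r.salt && stop[1] != '\0') {
            memcpy(r.salt, end + 1, n);   /* r.salt was zeroed, stays terminated */
            r.kind = K_MODULAR;
        }
    } else if (a2b(s[0]) >= 0 && a2b(s[1]) >= 0) {
        r.kind = K_DES;               /* traditional two-character salt */
    }
    return r;
}

int main(void) {
    printf("count=%lu\n", parse_setting("_J9..rasm").count); /* constructed sample */
}
```

A password audit can use the decoded `count` to flag "_" entries whose iteration count is too low to slow down offline guessing.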