From owner-freebsd-hackers Fri Jun 1 20:49:26 2001
From: Spike Gronim <spork@gronim.com>
To: freebsd-hackers@freebsd.org
Subject: The design of the MD5 crypt() in FreeBSD
Date: Fri, 1 Jun 2001 23:44:49 -0400
Message-ID: <20010601234448.A12479@spike.gronim.com>
User-Agent: Mutt/1.2.5i

Hey. I was asked a question about the use of salts in password files recently, and it prompted me to look up exactly how FreeBSD uses the salt. The 'DES Extended Format' salt is described in the man page and makes sense to me. However, the MD5 hash's use of the salt is not spelled out in the man page. I understand the literal meaning of /usr/src/lib/libcrypt/crypt-md5.c, and the algorithm it uses to create its output. However, I do not understand the design criteria or functional purpose of several elements of the process.

Before iterating 1000 times, the password, salt, and "magic string" are all hashed. Then, the hash of these three things is hashed into the first hash of those three things. What is the purpose of incorporating the hash back into itself?

Then, "something really weird" (line 124, /usr/src/lib/libcrypt/crypt-md5.c). The length of the password is right shifted by 1 until it is 0, and at every iteration of this one character of either the previous hash ("final") or the first character of the password is hashed into the evolving hash of the password. But, just before this (on line 122) the output of the previous hash was zeroed so as not to leave traces in memory. Is the use of a single '0', or alternatively only the first character of the password, intentional? Was this derived as a suitably complex transformation designed to occupy CPU cycles in a brute force attack, or does it accomplish some specific cryptographic purpose?

During the 1000 iterations of MD5 performed during this crypt() operation, the per-iteration hash is updated selectively based on the iteration number. Two of these updates seem to be exactly the same (the updates on lines 145-148 and on lines 156-159). Is this redundancy intentional? How were the other updates to the per-iteration hash chosen?

Also, is the method of transcribing the final MD5 output into a base 64 password hash chosen to "whiten" the hash? (that is, obscure the last round from the attacker).

Thanks.

-- 
--Spike Gronim
gronimw@stuy.edu
"Oh yes? An obscene triangle which, has more courage than the word."

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
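For readers who want the whole procedure the message walks through in one place, the following is an added example, not the FreeBSD source and not code from the poster: a Python transcription of the MD5-crypt ($1$) scheme as implemented in crypt-md5.c, with comments marking the steps the questions refer to (the MD5(pw, salt, pw) mix-in, the "something really weird" loop over the bits of the password length, the 1000 rounds selected by i & 1, i % 3 and i % 7, and the permuted base64 transcription). The sample password and salt are constructed, and the `verify` helper is an addition that is not part of crypt-md5.c.

```python
import hashlib
import hmac

# Added example: a transcription of FreeBSD's MD5-crypt scheme, not the
# original C source. Names below (md5crypt, verify, _to64) are this example's own.

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"
ROUNDS = 1000  # fixed in the original; there is no tunable cost parameter


def _to64(value: int, count: int) -> str:
    """crypt-style base64: emit `count` six-bit groups, least significant first."""
    chars = []
    for _ in range(count):
        chars.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(chars)


def md5crypt(password: bytes, salt: bytes) -> str:
    # Refine the salt: drop a leading "$1$", stop at the first '$', at most 8 bytes.
    if salt.startswith(MAGIC):
        salt = salt[len(MAGIC):]
    salt = salt.split(b"$", 1)[0][:8]

    # Password first, then the magic string, then the raw salt.
    ctx = hashlib.md5()
    ctx.update(password)
    ctx.update(MAGIC)
    ctx.update(salt)

    # Mix in MD5(pw, salt, pw), but only as many bytes of it as the password has.
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16

    # "Something really weird": walk the bits of len(pw). For a 1 bit feed one
    # zero byte (the C code hashes one byte of the just-zeroed `final` buffer);
    # for a 0 bit feed the first byte of the password.
    i = len(password)
    while i:
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 rounds; which inputs are hashed depends on i & 1, i % 3 and i % 7.
    # The first and last updates mirror each other (pw/final vs. final/pw).
    for i in range(ROUNDS):
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()

    # Transcribe the 16 output bytes in the fixed permuted order: 5 groups of
    # 3 bytes -> 4 chars each, then byte 11 alone -> 2 chars (22 chars total).
    f = final
    encoded = "".join([
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ])
    return (MAGIC + salt + b"$").decode("ascii") + encoded


def verify(password: bytes, stored: str) -> bool:
    """Recompute with the salt embedded in `stored`; compare in constant time."""
    if not stored.startswith("$1$"):
        return False
    salt = stored.split("$")[2]
    candidate = md5crypt(password, salt.encode("ascii"))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample input, not a published test vector.
    h = md5crypt(b"correct horse", b"saltsalt")
    print(h)
    print(verify(b"correct horse", h), verify(b"wrong", h))
```

The output is always `$1$` + salt + `$` + 22 characters, so a stored hash carries its own salt and `verify` can re-derive it. The same string can be produced for cross-checking with `openssl passwd -1 -salt saltsalt`. Note that the 1000-round count is baked into the scheme, which is the main reason later schemes ($5$, $6$, bcrypt) made the work factor a parameter.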