Date: Tue, 16 Sep 2003 09:36:33 +0300
From: Peter Pentchev
To: Charles Sprickman
Cc: freebsd-security@freebsd.org
Subject: Re: md5 salt

On Mon, Sep 15, 2003 at 06:10:04PM -0400, Charles Sprickman wrote:
> Hi,
>
> I was looking at the crypt(3) manpage, and I'm having a hard time figuring
> out what the allowed characters are for the salt in md5 and blowfish
> encryption. For DES, it clearly states that only numbers, letters and
> digits may be used.
>
> Does anyone know the rules for md5/blowfish salt characters?

Well, a quick websearch on 'Modular Crypt Format', the name of the
password format containing encryption algorithm magic, optional number
of rounds, salt, and password hash, did not really turn up any standards
or papers; maybe others would be more knowledgeable in this area.

However, I did find a 07/99 post from Kris Kennaway at
http://www.geocrawler.com/archives/3/169/1999/7/0/2467424/
in which he mentions that the salt is base64-encoded. The crypt.c and
crypt-md5.c files in src/lib/libcrypt/ do not really pose any
restrictions on the salt, short of the obvious one of its not containing
a '$' character :) I guess going with the base64 characters would be
a good bet.

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If I were you, who would be reading this sentence?
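
The salt rules discussed in this message, as an added example that is not part of the original post or of FreeBSD's libcrypt: it draws salt characters from the crypt(3) base64 set and shows how a `$` inside a salt cuts it short when a `$1$salt$hash` string is parsed. The function names, the `ITOA64` constant and the 8-character cap on the `$1$` salt are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* crypt(3) base64 character set: '.', '/', digits, upper- and lowercase letters. */
static const char ITOA64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Return 1 if the salt is non-empty and uses only ITOA64 characters. */
int salt_is_portable(const char *salt, size_t len)
{
    if (len == 0)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (salt[i] == '\0' || strchr(ITOA64, salt[i]) == NULL)
            return 0;
    return 1;
}

/* Map n random bytes to n salt characters; out needs n + 1 bytes. */
void make_salt(const unsigned char *rnd, size_t n, char *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = ITOA64[rnd[i] & 0x3f];
    out[n] = '\0';
}

/*
 * Locate the salt in a "$1$salt$hash" string: it starts after the magic
 * and ends at the first '$' or after MD5_SALT_MAX characters (assumed cap).
 * Returns the salt length, or 0 if the magic is missing.
 */
#define MD5_MAGIC "$1$"
#define MD5_SALT_MAX 8

size_t md5_salt_span(const char *setting, const char **salt)
{
    size_t len = 0;

    if (strncmp(setting, MD5_MAGIC, strlen(MD5_MAGIC)) != 0)
        return 0;
    *salt = setting + strlen(MD5_MAGIC);
    while ((*salt)[len] != '\0' && (*salt)[len] != '$' && len < MD5_SALT_MAX)
        len++;
    return len;
}
```

The bytes passed to `make_salt` should come from the system's random source, for example arc4random_buf(3) on FreeBSD.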