Date: Tue, 23 May 2000 18:14:02 -0400 (EDT) From: Lowell Gilbert <lowell@world.std.com> To: FreeBSD-gnats-submit@freebsd.org Subject: docs/18783: more password-format text Message-ID: <200005232214.SAA72870@be-well.ilk.org>
next in thread | raw e-mail | index | archive | help
>Number: 18783 >Category: docs >Synopsis: more hammering on the DES-vs-MD5 text >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-doc >State: open >Quarter: >Keywords: >Date-Required: >Class: doc-bug >Submitter-Id: current-users >Arrival-Date: Tue May 23 15:20:01 PDT 2000 >Closed-Date: >Last-Modified: >Originator: Lowell Gilbert >Release: FreeBSD 4.0-STABLE i386 >Organization: the Ilk >Environment: handbook security chapter >Description: Further explanation of a couple of points that have come up lately on the mailing lists (or was it newsgroup?). Also, I fixed a few grammar nits. This covers some of the same ground as my year-and-a-half-old PR docs/8765, but mostly not. That one probably belongs in the FAQ, anyway. >How-To-Repeat: n/a >Fix: *** chapter.sgml~ Sat May 6 16:21:57 2000 --- chapter.sgml Tue May 23 18:09:19 2000 *************** *** 742,755 **** <para><emphasis>Parts rewritten and updated by &a.unfurl;, 21 March 2000.</emphasis></para> ! <para>Every user on a UNIX system has a password associated with their ! account, obviously these passwords need to be known only to ! the user and the actual operating system. In order to keep ! these passwords secret, they are encrypted with what is known ! as a 'one-way hash', that is, they can only be easily encrypted ! but not decrypted. The only way to get the password is by ! brute force searching the space of possible passwords. ! Unfortunately the only secure way to encrypt passwords when UNIX came into being was based on DES, the Data Encryption Standard. This is not such a problem for users that live in the US, but since the source code for DES cannot be exported --- 742,762 ---- <para><emphasis>Parts rewritten and updated by &a.unfurl;, 21 March 2000.</emphasis></para> ! <para>Every user on a UNIX system has a password associated with ! their account. It seems obvious that these passwords need to be ! known only to the user and the actual operating system. In ! order to keep these passwords secret, they are encrypted with ! what is known as a 'one-way hash', that is, they can only be ! easily encrypted but not decrypted. In other words, what we ! told you a moment ago was obvious isn't even true: the operating ! system itself doesn't <emphasis>really</emphasis> know the ! password. It only knows the <emphasis>encrypted</emphasis> form ! of the password. The only way to get the 'plain-text' password ! is by a brute force search of the space of possible ! passwords.</para> ! ! ! <para>Unfortunately the only secure way to encrypt passwords when UNIX came into being was based on DES, the Data Encryption Standard. This is not such a problem for users that live in the US, but since the source code for DES cannot be exported *************** *** 761,767 **** so that US users could install the DES libraries and use DES but international users still had an encryption method that could be exported abroad. This is how FreeBSD came to ! use MD5 as it's default encryption method.</para> <sect2> <title>Recognizing your crypt mechanism</title> --- 768,776 ---- so that US users could install the DES libraries and use DES but international users still had an encryption method that could be exported abroad. This is how FreeBSD came to ! use MD5 as its default encryption method. MD5 is believed to ! be more secure than DES, so installing DES is offered primarily ! for compatibility reasons.</para> <sect2> <title>Recognizing your crypt mechanism</title> *************** *** 777,782 **** --- 786,799 ---- alphabet which does not include the <literal>$</literal> character, so a relatively short string which does not begin with a dollar sign is very likely a DES password.</para> + + <para>The libraries can identify the passwords this way as + well. As a result, the DES libraries are able to identify MD5 + passwords, and use MD5 to check passwords that were encrypted + that way, and DES for the rest. They are able to do this + because the DES libraries also contain MD5. Unfortunately, + the reverse is not true, so the MD5 libraries can't + authenticate passwords that were encrypted with DES.</para> <para>Identifying which library is being used by the programs on your system is easy as well. Any program that uses crypt is linked >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200005232214.SAA72870>