Date: Tue, 23 May 2000 18:14:02 -0400 (EDT) From: Lowell Gilbert <lowell@world.std.com> To: FreeBSD-gnats-submit@freebsd.org Subject: docs/18783: more password-format text Message-ID: <200005232214.SAA72870@be-well.ilk.org>
next in thread | raw e-mail | index | archive | help
>Number: 18783
>Category: docs
>Synopsis: more hammering on the DES-vs-MD5 text
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Tue May 23 15:20:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Lowell Gilbert
>Release: FreeBSD 4.0-STABLE i386
>Organization:
the Ilk
>Environment:
handbook security chapter
>Description:
Further explanation of a couple of points that have come up lately on
the mailing lists (or was it newsgroup?).
Also, I fixed a few grammar nits.
This covers some of the same ground as my year-and-a-half-old PR
docs/8765, but mostly not. That one probably belongs in the FAQ,
anyway.
>How-To-Repeat:
n/a
>Fix:
*** chapter.sgml~ Sat May 6 16:21:57 2000
--- chapter.sgml Tue May 23 18:09:19 2000
***************
*** 742,755 ****
<para><emphasis>Parts rewritten and updated by &a.unfurl;, 21 March
2000.</emphasis></para>
! <para>Every user on a UNIX system has a password associated with their
! account, obviously these passwords need to be known only to
! the user and the actual operating system. In order to keep
! these passwords secret, they are encrypted with what is known
! as a 'one-way hash', that is, they can only be easily encrypted
! but not decrypted. The only way to get the password is by
! brute force searching the space of possible passwords.
! Unfortunately the only secure way to encrypt passwords when
UNIX came into being was based on DES, the Data Encryption
Standard. This is not such a problem for users that live in
the US, but since the source code for DES cannot be exported
--- 742,762 ----
<para><emphasis>Parts rewritten and updated by &a.unfurl;, 21 March
2000.</emphasis></para>
! <para>Every user on a UNIX system has a password associated with
! their account. It seems obvious that these passwords need to be
! known only to the user and the actual operating system. In
! order to keep these passwords secret, they are encrypted with
! what is known as a 'one-way hash', that is, they can only be
! easily encrypted but not decrypted. In other words, what we
! told you a moment ago was obvious isn't even true: the operating
! system itself doesn't <emphasis>really</emphasis> know the
! password. It only knows the <emphasis>encrypted</emphasis> form
! of the password. The only way to get the 'plain-text' password
! is by a brute force search of the space of possible
! passwords.</para>
!
!
! <para>Unfortunately the only secure way to encrypt passwords when
UNIX came into being was based on DES, the Data Encryption
Standard. This is not such a problem for users that live in
the US, but since the source code for DES cannot be exported
***************
*** 761,767 ****
so that US users could install the DES libraries and use
DES but international users still had an encryption method
that could be exported abroad. This is how FreeBSD came to
! use MD5 as it's default encryption method.</para>
<sect2>
<title>Recognizing your crypt mechanism</title>
--- 768,776 ----
so that US users could install the DES libraries and use
DES but international users still had an encryption method
that could be exported abroad. This is how FreeBSD came to
! use MD5 as its default encryption method. MD5 is believed to
! be more secure than DES, so installing DES is offered primarily
! for compatibility reasons.</para>
<sect2>
<title>Recognizing your crypt mechanism</title>
***************
*** 777,782 ****
--- 786,799 ----
alphabet which does not include the <literal>$</literal>
character, so a relatively short string which does not begin with
a dollar sign is very likely a DES password.</para>
+
+ <para>The libraries can identify the passwords this way as
+ well. As a result, the DES libraries are able to identify MD5
+ passwords, and use MD5 to check passwords that were encrypted
+ that way, and DES for the rest. They are able to do this
+ because the DES libraries also contain MD5. Unfortunately,
+ the reverse is not true, so the MD5 libraries can't
+ authenticate passwords that were encrypted with DES.</para>
<para>Identifying which library is being used by the programs on
your system is easy as well. Any program that uses crypt is linked
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-doc" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200005232214.SAA72870>