
explain about MD5 and Blowfish passwords.

OPENBSD_2_3
provos 27 years ago
parent
commit
c49dfebbec
1 changed files with 56 additions and 5 deletions
src/lib/libc/crypt/crypt.3 View File

@ -1,4 +1,4 @@
.\" $OpenBSD: crypt.3,v 1.6 1997/03/31 02:38:44 deraadt Exp $
.\" $OpenBSD: crypt.3,v 1.7 1997/11/05 11:44:49 provos Exp $
.\" .\"
.\" FreeSec: libcrypt .\" FreeSec: libcrypt
.\" .\"
@ -59,15 +59,19 @@ The
function performs password encryption, based on the function performs password encryption, based on the
.Tn NBS .Tn NBS
Data Encryption Standard (DES). Data Encryption Standard (DES).
Additional code has been added to deter key search attempts.
Additional code has been added to deter key search attempts and to use
stronger hashing algorithms.
The first argument to The first argument to
.Fn crypt .Fn crypt
is a is a
.Dv null Ns -terminated .Dv null Ns -terminated
string, typically a user's typed password. string, typically a user's typed password.
The second is in one of two forms:
The second is in one of three forms:
if it begins with an underscore (``_'') then an extended format is used if it begins with an underscore (``_'') then an extended format is used
in interpreting both the key and the setting, as outlined below.
in interpreting both the key and the setting, as outlined below. If it begins
with an string character (``$'') and a number then a different algorithm
is used depending on the number. At the moment a ``$1'' chooses MD5 hashing
and a ``$2'' chooses Blowfish hashing, see below for more information.
.Ss Extended crypt: .Ss Extended crypt:
.Pp .Pp
The The
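Review bot: "with an string character (``$'')" in the added sentence reads like a typo; "a dollar character" would match the symbol shown. The paragraph also now announces three forms for the second argument but only spells out the underscore and ``$'' cases, so a clause naming the traditional form as the remaining case would make the count obvious. Finally, this text says ``$2'' selects Blowfish while the example added later in the patch begins with ``$2a$''; say here whether a letter after the number is part of the version.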
@ -88,6 +92,51 @@ This allows 24 bits for both
.Fa count .Fa count
and and
.Fa salt . .Fa salt .
.Ss "MD5" crypt:
.Pp
For
.Tn MD5
crypt the version number,
.Fa salt
and the hashed password are separated
by the ``$'' character. A valid password looks like this:
.Pp
``$1$caeiHQwX$hsKqOjrFRRN6K32OWkCBf1''.
.Pp
The whole password string is passed as
.Fa setting
for interpretation.
.Ss "Blowfish" crypt:
.Pp
The
.Tn Blowfish
version of crypt has 128 bits of
.Fa salt
in order to make building
dictionaries of common passwords space consuming. The initial state
of the
.Tn Blowfish
cipher is expanded using the
.Fa salt
and the
.Fa password
repeating the process a variable number of rounds, which is encoded in
the password string. The final password entry is created by encrypting
the string ``OrpheanBeholderScryDoubt'' with the
.Tn Blowfish
state 64 times.
.Pp
The version number, the logarithm of the number of rounds and
the concatenation of salt and
hashed password are separated by the ``$'' character. An encoded ``8''
would specify 64 rounds.
A valid password looks like this:
.Pp
``$2a$12$eIAq8PR8sIUnJ1HaohxX2O9x9Qlm2vK97LJ5dsXdmB.eXF42qjchC''.
.Pp
The whole password string is passed as
.Fa setting
for interpretation.
.Ss "Traditional" crypt: .Ss "Traditional" crypt:
.Pp .Pp
The first 8 bytes of the key are null-padded, and the low-order 7 bits of The first 8 bytes of the key are null-padded, and the low-order 7 bits of
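Review bot: In the Blowfish section, "An encoded ``8'' would specify 64 rounds" does not agree with "the logarithm of the number of rounds": with a base-2 logarithm an encoded 8 means 256 rounds, and 64 rounds would be encoded as 6. Please state the base of the logarithm and correct the example, since administrators will choose a cost from this sentence. The section would also benefit from saying how the 128-bit salt and the hash are encoded in the string and how long each part is, and the MD5 section from stating the salt length, so that a reader can split the sample strings into their fields.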
@ -101,7 +150,7 @@ Thus only 12 bits of
are used. are used.
.Fa count .Fa count
is set to 25. is set to 25.
.Ss Algorithm:
.Ss DES Algorithm:
.Pp .Pp
The The
.Fa salt .Fa salt
@ -210,7 +259,9 @@ functions all manipulate the same key space.
.Sh SEE ALSO .Sh SEE ALSO
.Xr login 1 , .Xr login 1 ,
.Xr passwd 1 , .Xr passwd 1 ,
.Xr blowfish 3 ,
.Xr getpass 3 , .Xr getpass 3 ,
.Xr md5 3 ,
.Xr passwd 5 .Xr passwd 5
.Sh BUGS .Sh BUGS
The The

