FreeBSD Bugzilla – Attachment 9110 Details for
Bug 18783
more hammering on the DES-vs-MD5 text
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
file.diff
file.diff (text/plain), 3.84 KB, created by
Lowell Gilbert
on 2000-05-23 23:20:01 UTC
(
hide
)
Description:
file.diff
Filename:
MIME Type:
Creator:
Lowell Gilbert
Created:
2000-05-23 23:20:01 UTC
Size:
3.84 KB
patch
obsolete
>*** chapter.sgml~ Sat May 6 16:21:57 2000 >--- chapter.sgml Tue May 23 18:09:19 2000 >*************** >*** 742,755 **** > <para><emphasis>Parts rewritten and updated by &a.unfurl;, 21 March > 2000.</emphasis></para> > >! <para>Every user on a UNIX system has a password associated with their >! account, obviously these passwords need to be known only to >! the user and the actual operating system. In order to keep >! these passwords secret, they are encrypted with what is known >! as a 'one-way hash', that is, they can only be easily encrypted >! but not decrypted. The only way to get the password is by >! brute force searching the space of possible passwords. >! Unfortunately the only secure way to encrypt passwords when > UNIX came into being was based on DES, the Data Encryption > Standard. This is not such a problem for users that live in > the US, but since the source code for DES cannot be exported >--- 742,762 ---- > <para><emphasis>Parts rewritten and updated by &a.unfurl;, 21 March > 2000.</emphasis></para> > >! <para>Every user on a UNIX system has a password associated with >! their account. It seems obvious that these passwords need to be >! known only to the user and the actual operating system. In >! order to keep these passwords secret, they are encrypted with >! what is known as a 'one-way hash', that is, they can only be >! easily encrypted but not decrypted. In other words, what we >! told you a moment ago was obvious isn't even true: the operating >! system itself doesn't <emphasis>really</emphasis> know the >! password. It only knows the <emphasis>encrypted</emphasis> form >! of the password. The only way to get the 'plain-text' password >! is by a brute force search of the space of possible >! passwords.</para> >! >! >! <para>Unfortunately the only secure way to encrypt passwords when > UNIX came into being was based on DES, the Data Encryption > Standard. This is not such a problem for users that live in > the US, but since the source code for DES cannot be exported >*************** >*** 761,767 **** > so that US users could install the DES libraries and use > DES but international users still had an encryption method > that could be exported abroad. This is how FreeBSD came to >! use MD5 as it's default encryption method.</para> > > <sect2> > <title>Recognizing your crypt mechanism</title> >--- 768,776 ---- > so that US users could install the DES libraries and use > DES but international users still had an encryption method > that could be exported abroad. This is how FreeBSD came to >! use MD5 as its default encryption method. MD5 is believed to >! be more secure than DES, so installing DES is offered primarily >! for compatibility reasons.</para> > > <sect2> > <title>Recognizing your crypt mechanism</title> >*************** >*** 777,782 **** >--- 786,799 ---- > alphabet which does not include the <literal>$</literal> > character, so a relatively short string which does not begin with > a dollar sign is very likely a DES password.</para> >+ >+ <para>The libraries can identify the passwords this way as >+ well. As a result, the DES libraries are able to identify MD5 >+ passwords, and use MD5 to check passwords that were encrypted >+ that way, and DES for the rest. They are able to do this >+ because the DES libraries also contain MD5. Unfortunately, >+ the reverse is not true, so the MD5 libraries can't >+ authenticate passwords that were encrypted with DES.</para> > > <para>Identifying which library is being used by the programs on > your system is easy as well. Any program that uses crypt is linked
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=9110">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 18783
: 9110