Re: Hashed PW's more secure than encrypted PW's?

From: Matti Juhani Kurkela <Matti.Kurkela@hut.fi>
Date: 18 Jun 2002 16:01:14 +0300



"A Chan" <achanjunk@yahoo.com> writes:

> "Casper H.S. ***" <Casper.***@Sun.COM> wrote in message
> news:aelia9$lh2$1@news1.xs4all.nl...
> >
> > The most common variant encrypts one block of 0s using a modified
> > version of DES (the SALT is used to modify the "E" table slightly),
> > 25 times.

[snip]

> However, my question is directed at hashing. As I follow this discussion, I
> understand that every single password generated has a unique key following,
> through hashing. So if "joeblogg's" password has been cracked, the private
> key that was used to crack joeblogg's password can't be used to crack other
> passwords. However, where do all these private keys get stored? Does the
> file get further encrypted? How does MD5 work for this?

DES is not a public/private-key algorithm. It has only one key which
is used both in encrypting and decrypting.

However, the way the algorithm is used when storing the passwords is
not the obvious one. When "joeblogg" sets himself a new password, the
system encrypts a string of zeroes ("00000000") using a random salt
and joeblogg's new password _as the encryption key_.

The salt and the encrypted string are then stored in the password
file. The (hopefully only) place the encryption key is stored is
inside joeblogg's head.

When joeblogg logs in again, the system asks for his password, reads
his salt from the password file and again encrypts a string of zeroes.
If the result is the same as the encrypted string stored in the
password file, joeblogg has supplied a correct password and is allowed
to access the system.

If someone ever finds out a way to crack DES without the encryption
key, cracking the encryption of any Unix password reveals only a
string "00000000", which does not help a lot. The cracking method
_must_ be such that it gives the cracker the original key used in
encrypting, for _that_ is the actual, plain-text password.
Regardless of the method used, every password must be cracked
separately: cracking one password does not offer significant help
in cracking another.

The salt is used in the algorithm to keep people from noticing that
user A and user B have the same password. (Remember, the Unix
passwords used to be stored in a file readable by anyone.)
If the salt is different, the encryption result is completely
different even if the actual plain-text password is the same.

Some modern Unix password systems allow the MD5 algorithm to be used
instead of the old DES. MD5 is a message-digest algorithm, i.e. it
produces a fixed-length, cryptographically secure "digest" from any
input. There should be no easy way to go backwards through the
algorithm and recover the original input from the digest. MD5 does not
need any "encryption key" as such.

As far as I know, when using MD5 for Unix password storage, a salt
string is also used. I don't think that the salt is used to modify the
MD5 algorithm itself: it is probably appended to the plaintext
password. The password+salt combination is then run through the MD5
algorithm, and the result is stored in the password file (or compared
to the one already there, if verifying a password). The
salt is also stored unencrypted in the password file, because it is
needed when a password is being verified.

The advantage of MD5 is that it allows using passwords of any length
with no complications in the algorithm. With DES, there is no obvious
standard way to use a longer password. (Would you use a longer string
of zeroes, and if so, how would the length be chosen? Or would you split
the password into 8-character parts and use different parts as the
encryption key in different rounds of the DES algorithm? Or any
combination of these? Or something else entirely?)

-- 
Matti.Kurkela@hut.fi
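The store-salt-plus-result, recompute-on-login flow described in the post above, as an added example that is not part of the original message or of any Unix implementation. It uses the simple salt-concatenated-with-password digest the post sketches; the real Unix md5crypt ("$1$") construction is more elaborate, and this is not a reimplementation of it. The entry format `<salt>$<digest>`, the 8-character salt length and the sample user names and word list are assumptions made for the example.

```python
"""Salted one-way password storage, verification, and per-entry cracking.

Illustrates the scheme described in the post: the system never stores the
password (the "key"); it stores a salt and the one-way result, and on login
recomputes the result from the supplied password and the stored salt.
"""
import hashlib
import secrets
from typing import Optional

# The 64-character salt alphabet used by traditional crypt(3).
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def new_salt(length: int = 8) -> str:
    """Random salt; the 8-character length is an assumption for this example."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def digest(password: str, salt: str) -> str:
    """One-way digest of salt and password.

    The salt is simply concatenated with the password, as the post describes.
    This is NOT the real Unix md5crypt ($1$) construction; it only shows the idea.
    """
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def make_entry(password: str, salt: Optional[str] = None) -> str:
    """Stored form '<salt>$<digest>' (format is an assumption). The password itself is never stored."""
    salt = salt if salt is not None else new_salt()
    return f"{salt}${digest(password, salt)}"


def verify(password: str, entry: str) -> bool:
    """What the login program does: recompute with the stored salt and compare."""
    salt, stored = entry.split("$", 1)
    return secrets.compare_digest(digest(password, salt), stored)


def crack(entry: str, wordlist: list[str]) -> Optional[str]:
    """Dictionary attack on ONE entry.

    Because each entry has its own salt, the digests must be recomputed for
    every entry: work done on one user's entry does not transfer to another.
    """
    salt, stored = entry.split("$", 1)
    for guess in wordlist:
        if digest(guess, salt) == stored:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample data: two users who happen to choose the same password.
    users = {"joeblogg": make_entry("summer02"), "achan": make_entry("summer02")}
    for name, entry in users.items():
        print(f"{name}:{entry}")
    # Same password, different salts -> different stored strings.
    print("entries identical:", users["joeblogg"] == users["achan"])
    print("joeblogg login ok:", verify("summer02", users["joeblogg"]))
    print("joeblogg wrong pw:", verify("winter02", users["joeblogg"]))
    # Constructed word list; each entry has to be attacked on its own.
    words = ["password", "letmein", "summer02"]
    for name, entry in users.items():
        print(f"crack {name}:", crack(entry, words))
```

Running it shows two different password-file lines for the same password, a successful and a failed login check, and the attacker having to rerun the word list once per entry rather than once for the whole file.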

