Re: Hashed PW's more secure than encrypted PW's?

From: sakky (sakhalinrf@hotmail.com)
Date: 06/18/02


From: "sakky" <sakhalinrf@hotmail.com>
Date: Tue, 18 Jun 2002 18:07:49 GMT


Hey, that's far and away the best response I've heard yet. Just have some
questions inline.

"Matti Juhani Kurkela" <Matti.Kurkela@hut.fi> wrote in message
news:877kkwyc4l.fsf@ryoko.home...
> "A Chan" <achanjunk@yahoo.com> writes:
>
> > "Casper H.S. ***" <Casper.***@Sun.COM> wrote in message
> > news:aelia9$lh2$1@news1.xs4all.nl...
> > >
> > > The most common variant encrypts one block of 0s using a modified
> > > version of DES (the SALT is used to modify the "E" table slightly),
> > > 25 times.
>
> [snip]
>
> > However my question directs to hashing. As I follow this discussion, I
> > understand that every single password generated has a unique key following,
> > through hashing. So if "joeblogg's" password has been cracked, the private
> > key that used to crack joeblogg's password can't be used to crack other
> > password. However, where does all these private keys get stored? Does the
> > file get further encrypted? How does MD5 work for this?
>
> DES is not a public/private-key algorithm. It has only one key which
> is used both in encrypting and decrypting.
>
> However, the way the algorithm is used when storing the passwords is
> not the obvious one. When "joeblogg" sets himself a new password, the
> system encrypts a string of zeroes ("00000000") using a random salt
> and joeblogg's new password _as the encryption key_.
>
> The salt and the encrypted string are then stored in the password
> file. The (hopefully only) place the encryption key is stored is
> inside joeblogg's head.
>
> When joeblogg logs in again, the system asks for his password, reads
> his salt from the password file and again encrypts a string of zeroes.
> If the result is the same as the encrypted string stored in the
> password file, joeblogg has supplied a correct password and is allowed
> to access the system.
>
> If someone ever finds out a way to crack DES without the encryption
> key, cracking the encryption of any Unix password reveals only a
> string "00000000", which does not help a lot. The cracking method
> _must_ be such that it gives the cracker the original key used in
> encrypting, for _that_ is the actual, plain-text password.
> Regardless of the method used, every password must be cracked
> separately: cracking one password does not offer significant help
> in cracking another.
>
> The salt is used in the algorithm to keep people from noticing that
> user A and user B have the same password. (Remember, the Unix
> passwords used to be stored in a file readable by anyone.)
> If the salt is different, the encryption result is completely
> different even if the actual plain-text password is the same.

So then this salt must be in plain text somewhere. Where would it be? Can
I see it?

>
>
> Some modern Unix password systems allow the MD5 algorithm used
> instead of the old DES. MD5 is a message-digest algorithm, i.e. it
> produces a fixed-length, cryptographically secure "digest" from any
> input. There should be no easy way to go backwards through the
> algorithm and recover the original input from the digest. MD5 does not
> need any "encryption key" as such.

Would you happen to know some examples of some Unix flavors that do it this
way as opposed to DES?

>
> As far as I know, when using MD5 for Unix password storage, a salt
> string is also used. I don't think that the salt is used to modify the
> MD5 algorithm itself: it is probably appended to the plaintext
> password. The password+salt combination is then run through the MD5
> algorithm, and the result is stored in the password file (or compared
> to the one already there, if verifying a password). The
> salt is also stored unencrypted in the password file, because it is
> needed when a password is being verified.

Which field is the salt?

>
> The advantage of MD5 is that it allows using passwords of any length
> with no complications in the algorithm. With DES, there is no obvious
> standard way to use a longer password. (Would you use a longer string
> of zeroes, and if so, how the length is chosen? Or would you split the
> password in 8-character parts and use different parts as the
> encryption key in different rounds of the DES algorithm? Or any
> combination of these? Or something else entirely?)
>
> --
> Matti.Kurkela@hut.fi
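
Added example, not part of the original post or of either poster's code: the salt sits in the clear inside the hash field of the password file, and this sketch splits that field for the two schemes discussed above, then models the store/verify flow with a salt. The function names and sample fields are constructed for illustration, and toy_store() is a simplified MD5(password + salt) as the post describes it, not the real md5-crypt algorithm.

```python
import hashlib
import hmac
import os
import re

# Alphabet used by the traditional crypt(3) encodings.
C = r"[./0-9A-Za-z]"
# Traditional DES crypt: 13 chars, the first 2 are the salt.
DES_RE = re.compile(rf"^({C}{{2}})({C}{{11}})$")
# MD5 crypt: $1$<salt, up to 8 chars>$<22-char digest>.
MD5_RE = re.compile(rf"^\$1\$({C}{{1,8}})\$({C}{{22}})$")


def split_hash_field(field):
    """Return (scheme, salt, digest) for the hash field of a passwd/shadow entry."""
    for scheme, pattern in (("des-crypt", DES_RE), ("md5-crypt", MD5_RE)):
        m = pattern.match(field)
        if m:
            return scheme, m.group(1), m.group(2)
    return "other", None, None  # e.g. "x", "*", "!" or a newer scheme


def toy_store(password, salt=None):
    """Simplified model of the post's description: MD5(password + salt).
    Real md5-crypt is an iterated construction, not this single digest."""
    salt = salt or os.urandom(4).hex()  # 8 hex chars, stored in the clear
    digest = hashlib.md5((password + salt).encode()).hexdigest()
    return f"{salt}${digest}"


def toy_verify(password, stored):
    """Re-read the stored salt, recompute, and compare in constant time."""
    salt = stored.split("$", 1)[0]
    return hmac.compare_digest(toy_store(password, salt), stored)


if __name__ == "__main__":
    # Constructed sample fields, not real hashes.
    for f in ("abCDEFGHIJKLM", "$1$saltsalt$0123456789abcdefghijkl", "x"):
        print(f, "->", split_hash_field(f))
    a, b = toy_store("hunter2"), toy_store("hunter2")
    print(a, b, a != b, toy_verify("hunter2", a), toy_verify("wrong", a))
```

The same password stored twice yields two different strings because the random salt differs, yet each still verifies, since the salt needed to recompute it is stored beside the digest.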