Hey.
I was asked a question about the use of salts in password files
recently, and it prompted me to look up exactly how FreeBSD uses the salt. The
'DES Extended Format' salt is described in the man page and makes sense to me.
However, the MD5 hash's use of the salt is not spelled out in the man page.
I understand the literal meaning of /usr/src/lib/libcrypt/crypt-md5.c,
and the algorithm it uses to create it's output. However, I do not understand
the design criteria or functional purpose of several elements of the process.
Before iterating 1000 times, the password, salt, and "magic string"
are all hashed. Then, the hash of these three things is hashed in to the first
hash of those three things. What is the purpose of incorporating the hash
back in to itself?
Then, "something really wierd" (line 124,
/usr/src/lib/libcrypt/crpt-md5.c). The length of the password is right shifted
by 1 untill it is 0, and at every iteration of this one character of either
the previous hash ("final") or the first character of the password is hashed
in to the evolving hash of the password. But, just before this (on line 122) the
output of the previous hash was zeroed so as not to leave traces in memory. Is
the use of a single '0', or alternatively only the first character of the
password intentional? Was this derived as a suitably complex transformation
designed to occupy CPU cycles in a brute force attack, or does it accomplish
some specific cryptographic purpose?
During the 1000 iterations of MD5 performed during this crypt()
operation, the per-iteration hash is update selectively based on the iteration
number. Two of these updates seem to be exactly the same (the updates on lines
145-148 and on lines 156-159). Is this redundancy intentional? How were the
other updates to the per-iteration hash chosen?
Also, is the method of transcribing the final MD5 output in to a
base 64 password hash chosen to "whiten" the hash? (that is, obscure the last
round from the attacker). Thanks.
--
--Spike Gronim
[EMAIL PROTECTED]
"Oh yes? An obscene triangle which, has more courage than the word."
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
