Hi Alex,

> Hi Jon,
>
>> $ ./pil lib/adm.l +
>> : (de *Salt 16 . "$6$@1$")
>> -> *Salt
>> : (passwd "somestring")
>> -> "$6bsuufIMFxJE"
>>
>> So it seems that the 'passwd' function is working in 32-bit PicoLisp on
>> Mac, right?
>
> Hmm, yes and no ...
>
> It works, but obviously only with the (worthless) DES algorithm, because
> the generated hash is much too short.
>
> In glibc's crypt() more modern algorithms are supported:
>
>    The glibc2 version of  this  function  supports  additional  encryption
>    algorithms.
>
>    If  salt is a character string starting with the characters "$id$" fol?
>    lowed by a string terminated by "$":
>
>           $id$salt$encrypted
>
>    then instead of using the DES machine,  id  identifies  the  encryption
>    method  used  and  this  then  determines  how the rest of the password
>    string is interpreted.  The following values of id are supported:
>
>           ID  | Method
>           ?????????????????????????????????????????????????????????
>           1   | MD5
>           2a  | Blowfish (not in mainline glibc; added in some
>               | Linux distributions)
>           5   | SHA-256 (since glibc 2.7)
>           6   | SHA-512 (since glibc 2.7)
>
>    So   $5$salt$encrypted   is   an   SHA-256   encoded    password    and
>    $6$salt$encrypted is an SHA-512 encoded one.
>
>    "salt" stands for the up to 16 characters following "$id$" in the salt.
>    The encrypted part of the password string is the actual computed  pass?
>    word.  The size of this string is fixed:
>
>    MD5     | 22 characters
>    SHA-256 | 43 characters
>    SHA-512 | 86 characters
>
> So when passing a salt with the "$6$@1$" pattern would generate a
> SHA-512 hash with a total of 106 characters (86 plus the salt).
>
> The DES algorithm has nowadays no practical use.
>
> The old crypt() function uses only the first two characters of the salt,
> that's why we see
>
>> : (passwd "somestring")
>> -> "$6bsuufIMFxJE"
>
> i.e. the first two characters "$6" in the generated hash. crypt()
> obviously didn't understand the special encoding of the salt.
>
> Do you think that on the Mac some other version of crypt() is available?
> There must be some secure hash function too.
>
> ?? Alex

I'm not shure what kind of crypt() functions that's available on the Mac,
but if I use 'irb' (i.e. Ruby 1.8.7) with OSX 10.8.3, then I get this:

>> "somestring".crypt("$6$@1$")
=> "$6bsuufIMFxJE"

.. the same (worthless) DES algorithm. I'll try to find out more about
this, a little later.

/Jon

-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe

Reply via email to