Date: Fri, 1 Jun 2001 23:44:49 -0400 From: Spike Gronim <william@brainlink.com> To: freebsd-hackers@freebsd.org Subject: The design of the MD5 crypt() in FreeBSD Message-ID: <20010601234448.A12479@spike.gronim.com>
next in thread | raw e-mail | index | archive | help
Hey.
I was asked a question about the use of salts in password files
recently, and it prompted me to look up exactly how FreeBSD uses the salt. The
'DES Extended Format' salt is described in the man page and makes sense to me.
However, the MD5 hash's use of the salt is not spelled out in the man page.
I understand the literal meaning of /usr/src/lib/libcrypt/crypt-md5.c,
and the algorithm it uses to create it's output. However, I do not understand
the design criteria or functional purpose of several elements of the process.
Before iterating 1000 times, the password, salt, and "magic string"
are all hashed. Then, the hash of these three things is hashed in to the first
hash of those three things. What is the purpose of incorporating the hash
back in to itself?
Then, "something really wierd" (line 124,
/usr/src/lib/libcrypt/crpt-md5.c). The length of the password is right shifted
by 1 untill it is 0, and at every iteration of this one character of either
the previous hash ("final") or the first character of the password is hashed
in to the evolving hash of the password. But, just before this (on line 122) the
output of the previous hash was zeroed so as not to leave traces in memory. Is
the use of a single '0', or alternatively only the first character of the
password intentional? Was this derived as a suitably complex transformation
designed to occupy CPU cycles in a brute force attack, or does it accomplish
some specific cryptographic purpose?
During the 1000 iterations of MD5 performed during this crypt()
operation, the per-iteration hash is update selectively based on the iteration
number. Two of these updates seem to be exactly the same (the updates on lines
145-148 and on lines 156-159). Is this redundancy intentional? How were the
other updates to the per-iteration hash chosen?
Also, is the method of transcribing the final MD5 output in to a
base 64 password hash chosen to "whiten" the hash? (that is, obscure the last
round from the attacker). Thanks.
--
--Spike Gronim
gronimw@stuy.edu
"Oh yes? An obscene triangle which, has more courage than the word."
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010601234448.A12479>