
Chapter 16 - Miscellaneous Routines

UNIX Systems Programming for SVR4
David A. Curry
 Copyright © 1996 O'Reilly & Associates, Inc.

Passwords
UNIX password encryption is based on a modified version of the Data Encryption Standard (DES). Contrary to popular belief, the password itself is not encrypted. Rather, the password is used as the key to encrypt a block of zero-valued bytes. The result of this encryption is a 13-character string that is stored in either the password file or the shadow password file (see Chapter 8, Users and Groups).
When a user selects a password, the passwd program chooses two characters at random; this value is called the salt. It then prompts the user for his password, and passes this value and the salt to the crypt function:
    #include <crypt.h>
    char *crypt(const char *key, const char *salt);
The crypt function takes the low seven bits of each of the first eight characters of the password to form the 56-bit DES key; the parity bit of each key byte is not used. This means that only the first eight characters of a password are significant: anything typed beyond them has no effect on the result. Next, one of the internal tables in the DES algorithm (the E expansion table) is permuted in one of 4,096 different ways, selected by the 12 bits of the salt. The purpose of the salt is twofold: a precomputed list of encrypted dictionary words must be 4,096 times larger to cover every salt, and because the modified algorithm is no longer standard DES, off-the-shelf DES hardware cannot be used to attack it directly (although with current processor speeds and disk capacities, this deterrent is not as significant as it once was). The DES algorithm (with the modified table) is then invoked for 25 iterations on a block of zeros. The 64-bit output, padded with two zero bits, is split into eleven 6-bit groups, each of which is written as one character of a 64-character alphabet (A-Z, a-z, 0-9, '.', and '/'). This encoding is reversible and contributes nothing to the security of the scheme; what makes password encryption essentially one way is DES itself. The attacker knows the plaintext (all zeros) and the ciphertext (the stored string), and recovering the key, which is the password, from that pair is as hard as a brute-force search of the key space. The stored value therefore cannot be "decrypted"; it can only be compared against the encryption of a guess. The resulting string returned by crypt contains the two-character salt followed by the eleven-character encoded result of the encryption.
When a program prompts the user for a password, it usually uses the getpass function:
    #include <stdlib.h>
    char *getpass(const char *prompt);
This function prints the string contained in prompt, turns off character echo on the terminal, reads a line from the terminal, and then restores the terminal modes. The typed password is returned without its trailing newline, in a static buffer that is overwritten by the next call to getpass, so it must be copied if it is needed later. Note that on SVR4 getpass truncates the typed password to at most eight characters (PASS_MAX in <limits.h>), which matches the number of characters crypt actually uses. Once the password has been handed to crypt, a careful program overwrites the buffer so the cleartext does not linger in memory.
After prompting for the password, the program looks up the user's encrypted password in the password file or shadow password file (if a shadow password file is used, the program must be running with superuser permissions, since the shadow file is readable only by the superuser). It then passes the value typed by the user to the crypt function, along with the salt, and compares the result with the value obtained from the password file. Because crypt looks only at the first two characters of its salt argument, the stored encrypted string itself can be passed as the salt. If the two strings are the same, the user's password was correct. This process is shown below:
    #include <stdlib.h>
    #include <string.h>
    #include <crypt.h>
    char *typed, *encrypted, *result;
    ·
    ·
    ·
    encrypted = /* obtain the encrypted password */;
    typed = getpass("Password: ");
    /* the stored string begins with the two-character salt, so it
       doubles as the salt argument; crypt returns NULL on failure */
    result = crypt(typed, encrypted);
    if (result != NULL && strcmp(result, encrypted) == 0)
        /* okay... */
    else
        /* not okay... */
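The following is an added example, not code from the book, that works through the pieces of the algorithm described above and the comparison step in the verification code: the key derivation that makes only eight characters significant, the 12-bit salt value that selects one of the 4,096 table perturbations, the 6-bit encoding of the 64-bit result (with a decoder, to show that the encoding is reversible), and a comparison routine that does not leak, through timing, where two encrypted strings first differ. The 25 DES iterations themselves are not implemented, so nothing here produces a real crypt string; the function names and the sample inputs are this example's own, not part of crypt(3).

```c
#include <stdio.h>
#include <string.h>

/* The 64-character alphabet crypt(3) writes its output in, in index order
   0..63: '.', '/', 0-9, A-Z, a-z. */
static const char a64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Value (0..63) of one alphabet character, or -1 if it is not in the alphabet. */
int a64_value(char c)
{
    const char *p;
    if (c == '\0' || (p = strchr(a64, c)) == NULL)
        return -1;
    return (int)(p - a64);
}

/* Form the 56-bit DES key as crypt(3) does: the low seven bits of each of the
   first eight password characters, shifted left one place so the parity
   position (the LSB of each key byte) is zero.  Characters past the eighth
   are never read, which is why they cannot affect the result. */
void des_key_from_password(const char *pw, unsigned char key[8])
{
    memset(key, 0, 8);
    for (int i = 0; i < 8 && pw[i] != '\0'; i++)
        key[i] = (unsigned char)((pw[i] & 0x7f) << 1);
}

/* Decode the two salt characters into the 12-bit number (0..4095) selecting
   one of the 4,096 perturbations of the E expansion table: the first salt
   character gives the low six bits, the second the high six.  Returns -1 if
   either character is outside the alphabet. */
int salt_to_perturbation(const char salt[2])
{
    int lo = a64_value(salt[0]), hi = a64_value(salt[1]);
    if (lo < 0 || hi < 0)
        return -1;
    return lo | (hi << 6);
}

/* Encode a 64-bit ciphertext block as the last eleven characters of a crypt
   string: 64 bits plus two zero padding bits, six at a time, most significant
   bit first.  Writes eleven characters and a terminating NUL. */
void encode_block(const unsigned char block[8], char out[12])
{
    unsigned char bits[66] = {0};            /* 64 data bits + 2 pad bits */
    for (int i = 0; i < 64; i++)
        bits[i] = (block[i / 8] >> (7 - i % 8)) & 1;
    for (int i = 0; i < 11; i++) {
        int v = 0;
        for (int j = 0; j < 6; j++)
            v = (v << 1) | bits[6 * i + j];
        out[i] = a64[v];
    }
    out[11] = '\0';
}

/* Inverse of encode_block.  That it exists is the point: the character
   encoding is reversible, so it adds nothing to one-wayness.  Returns 0 on
   success, -1 on a character outside the alphabet. */
int decode_block(const char in[11], unsigned char block[8])
{
    unsigned char bits[66] = {0};
    for (int i = 0; i < 11; i++) {
        int v = a64_value(in[i]);
        if (v < 0)
            return -1;
        for (int j = 0; j < 6; j++)
            bits[6 * i + j] = (v >> (5 - j)) & 1;
    }
    memset(block, 0, 8);
    for (int i = 0; i < 64; i++)
        block[i / 8] |= (unsigned char)(bits[i] << (7 - i % 8));
    return 0;
}

/* Compare a freshly computed crypt string with the stored one without
   leaking, through timing, the position of the first mismatch; only the
   lengths are compared early.  Returns 1 if equal, 0 otherwise. */
int hash_equal(const char *a, const char *b)
{
    size_t n = strlen(a);
    if (n != strlen(b))
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

int main(void)
{
    unsigned char k1[8], k2[8], blk[8], back[8];
    char enc[12];

    /* Constructed passwords: they share their first eight characters. */
    des_key_from_password("password", k1);
    des_key_from_password("password123", k2);
    printf("same DES key for \"password\" and \"password123\": %s\n",
           memcmp(k1, k2, 8) == 0 ? "yes" : "no");
    printf("salt \"ab\" selects perturbation %d of 4096\n",
           salt_to_perturbation("ab"));

    /* Constructed ciphertext block of all ones, to show the two pad bits. */
    memset(blk, 0xff, 8);
    encode_block(blk, enc);
    decode_block(enc, back);
    printf("encoded as %s, decodes back %s\n", enc,
           memcmp(blk, back, 8) == 0 ? "intact" : "with loss");
    printf("hash_equal on equal strings: %d\n", hash_equal(enc, enc));
    return 0;
}
```

Passing "password" and "password123" to des_key_from_password yields identical key bytes, which is the concrete consequence of the eight-character limit: any two passwords that agree in their first eight characters are the same password to crypt. hash_equal is a drop-in replacement for the strcmp test in the verification code above when the timing of the comparison matters, although in this scheme the larger exposure is the encrypted string itself once an attacker can read it.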

Books24x7.com, Inc © 2000