Linux crypt functions

Source: Internet
Author: User
Tags crypt

Linux crypt function 1. Crypt definition

#define _XOPEN_SOURCE/* See Feature_test_macros (7) */
#include <unistd.h >
Char *crypt (const char *key, const char *salt);

Above is the definition of crypt function seen by Man 3 crypt.
See from the definition that you want to use the Crypt function then you have to define the _xopen_source macro, some people just include unistd.h in, and then found that the compile time crypt undefined situation occurs.

2. Key, salt

As mentioned in Tlpi , the Crypt () algorithm accepts a key (that is, key) up to 8 characters long and is applied to a variant of the Data encryption Algorithm (DES). The salt parameter points to a two-character string that is used to disturb (change) the DES algorithm. The function returns a pointer to a string of 13 characters in length. ", this seemingly simple description of the crypt function gives me a sudden two questions:

  1. Can the crypt function handle a maximum of 8-character keys? Does that mean crypt ("liulaogen123", "Salt") ==crypt ("liulaogen234", "salt")?

  2. Can a salt be up to two characters? That's a very limited combination of salt, and it's very weak to prevent collisions.

"Practice is the only criterion for testing truth," then we use code to verify my question:

/************************************************************************* > File name:auth.c > Author:l XG > Mail: [email protected] > Created time:2015 June 28 Sunday 10:27 19 seconds *************************************** *********************************/#define _xopen_source#include <stdio.h>#include <unistd.h>#include <stdlib.h>#include <string.h>#include <errno.h>intMainintargcChar*argv[]) {if(ARGC! =3)    {fprintf(stderr,'%s Salt key\n ', argv[0]);return 1; }Char*encrypted = NULL;if(Encrypted = crypt (argv[2], argv[1]) = = NULL) {fprintf(stderr,"Crypt error:%s\n", Strerror (errno)); }printf("%s encrypted:%s\n", argv[2], encrypted);return 0;}

[email protected]:~/station/tlpi/chapter_8$ ./auth ABC liulaogen123
liulaogen123 ENCRYPTED:ABJHMGH1HAL.6
[email protected]:~/station/tlpi/chapter_8$ ./auth ABC liulaogen234
liulaogen234 ENCRYPTED:ABJHMGH1HAL.6
[email protected]:~/station/tlpi/chapter_8$./auth ABC liulaogn234
liulaogn234 ENCRYPTED:ABJCY/J5FUQVG

From the above output it does validate our first question, Crypt accepts a key of up to 8 characters, and a portion greater than 8 characters is discarded.

[email protected]:~/station/tlpi/chapter_8$ ./auth ABC liulaogn234
liulaogn234 ENCRYPTED:ABJCY/J5FUQVG
[email protected]:~/station/tlpi/chapter_8$ ./auth Abd liulaogn234
liulaogn234 ENCRYPTED:ABJCY/J5FUQVG
[email protected]:~/station/tlpi/chapter_8$ ./auth ACD liulaogn234
liulaogn234 Encrypted:acjljnjy0hjoq

The above example answers the second question, Crypt's salt points to a two-character string, and the portion greater than 2 characters is discarded.
The output from the above two examples is a string of 13 characters long, regardless of the input output.

3. Algorithms for Crypt

Crypt default use of the key length of the 56bit variant des algorithm, we know that 56bit des encryption in the now increasingly strong software and hardware conditions are easily cracked, in the Crypt Man Manual also gives warning:

Warning:the key space consists of 2**56 equal 7.2e16 possible values. Exhaustive searches of this key space is possible using massively parallel computers. Software, such as crack (1), is available which would search the portion of this key space that's generally used by humans for passwords. Hence, password selection should, at minimum, avoid common words and names. The use of a passwd (1) program, checks for crackable passwords during, the selection process is recommended.

So crypt have any other algorithms? Because this function is basically useless from the above key, salt section, and the DES algorithm that is used by default, our great Linux should not allow such a weak thing to exist. So let's go down to the Man manual, and in notes we find the more powerful part of crypt that supports additional cryptographic algorithms in the GLIBC2 version of the crypt function .
Crypt The additional encryption algorithms supported by MD5, Blowfish (some specific Linux system support), SHA-256 (glibc2.7 start), SHA-512 (glibc2.7 start), how to differentiate these additional cryptographic algorithms? That is, by salt to differentiate, if the salt with "$ID$salt$encrypted" format, then the different values of the ID will choose different encryption algorithm to replace the default DES algorithm, The format of the ID is as follows:

          ID  | Method          ─────────────────────────────────────────────          1   | MD5          2a  | Blowfish (not in mainline glibc; added in some              | Linux distributions)          5   | SHA-256 (since glibc 2.7)          6   | SHA-512 (since glibc 2.7)

$5$salt$encrypted Salt represents the crypt function using the SHA-256 encryption algorithm
$6$salt$encrypted Salt represents the crypt function using the SHA-512 encryption algorithm
Salt $ Salt supports a string of up to 16 characters in length, with a large improvement over the default DES algorithm support up to 2 characters. The return value of the last crypt has different lengths of strings returned depending on the encryption algorithm.

   MD5     | 22 characters   SHA-256 | 43 characters   SHA-512 | 86 characters
4. Linux Password verification

We can look at the encryption algorithm used in the password verification in Linux (Ubuntu), how to determine it? In fact, it is very simple to view the password encryption part of the/etc/shadown file to know:

$6$at9hfdri$btr371etsbzrri3e3d229bedn8g97shpktucdgk2glb2nj2kwtxpmy0wbx A0XN2395LAGX6LTLNBKVVZGXJHC.

Above is the part of the password that I intercepted in My Computer shadow file root user, from here can see that Ubuntu is using AES-512 encryption algorithm.
About password recommended Everyone read this article: passwords

Linux crypt functions

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.