Using Cracklib to build secure UNIX passwords

Source: Internet
Author: User

UNIX is the most widely used server operating system on the Internet, so its security has attracted much attention. UNIX security rests mainly on passwords, and the UNIX password encryption algorithm has therefore been improved several times. The scheme in common use today applies the DES algorithm 25 times to produce the password file entry, and recovering a password from such a DES result means searching and matching across 2^56 keys, so the work needed to crack one is enormous and such a password is, in theory, quite safe. Unfortunately, we still keep hearing of passwords being compromised. How are these passwords compromised, and how can we guarantee their security? This article discusses that question.

The format and security mechanism of UNIX password file

The UNIX password file passwd is a text file containing encrypted passwords, stored in the /etc directory. It is used to verify the user's password at login, and only root has permission to write to it. Each line in the password file represents one user entry, in the format LOGNAME:PASSWORD:UID:GID:USERINFO:HOME:SHELL. The first two fields are the login name and the encrypted password; UID and GID are the ID numbers of the user and of the user's group; USERINFO is information about the user written by the system administrator; HOME is a pathname, the home directory assigned to the user; and SHELL is the shell the user runs after logging in (if it is empty, the default is /bin/sh). In most current UNIX systems the password file has been shadowed: the password field is separated out of /etc/passwd and kept in /etc/shadow, and the protection of shadow is strengthened to improve password security.

The UNIX system encrypts the user's password with the one-way function crypt(). crypt() is an encryption algorithm based on DES: it uses the password entered by the user as the key, encrypts a 64-bit 0/1 string, encrypts that result again under the user's password, and repeats the process 25 times in all. The final output is a 13-byte string that is stored in the password field of /etc/passwd. The one-way function crypt() guarantees, on mathematical grounds, that recovering the plaintext from the ciphertext is impossible or very difficult. When the user logs in, the system does not decrypt the stored password; it feeds the plaintext password the user typed into the encryption function and compares the function's output with the password field of that user's entry in /etc/passwd. If they match, the user is allowed to log on.

Password cracking principles

Password cracking usually takes one of two forms: a brute-force attack or a dictionary attack. UNIX has 128 characters in total ([0x00~0xff]), of which 95 (10 digits + 33 punctuation marks + 26*2 uppercase and lowercase letters) can be used as password characters. If M is the size of the possible character set and n is the length of the password, the number of passwords that can be generated is M to the power n, and the number of attempts an attack needs grows rapidly as the character set expands and the password length increases. With a password length of 6 drawn from letters and digits, the number of possibilities is 62^6 = 56,800,235,584. But if a password of about 5 letters is a common Chinese pinyin syllable or an English word, the commonly used words number perhaps 10,000, and a password made from one of those 10,000 words combined with a single digit gives only 10000*10 = 100,000 possibilities. Personal factors play a large part when passwords are chosen: to make the password easy to remember, many people use a personal name, birthday, telephone number or street number, which leaves the door open to cracking. R. Morris and K. Thompson, computer security experts at Bell Labs, showed that an attack is possible in which a dictionary of the passwords a user might choose is built from information about that user, for example the father's name, the girlfriend's birthday or name, the name of the street, and so on. The dictionary is then encrypted, each encrypted entry is compared with the password file, and if one matches, the password has been guessed. Some people think that a password with no pattern cannot be in any dictionary and cannot be deciphered by a computer; that is wrong. Many programs specialise in generating dictionaries, for example Dictmake, Txt2dict, Xkey and so on.
Take Dictmake as an example. After the program starts it asks a series of questions: the minimum password length, the maximum password length, and whether the password contains lowercase characters, uppercase characters, digits, spaces, punctuation and special characters. Once the questions have been answered, the program automatically lists every combination that satisfies the given conditions, and that file is the data dictionary. Some data dictionaries can currently be downloaded from the Internet, with anywhere from 10,000 to hundreds of thousands of entries; a data dictionary generally contains the commonly used words. Once an attacker has obtained a passwd file in some way, the deciphering itself needs only a simple C program. UNIX has a set of subroutines that give easy access to the /etc/passwd file. The getpwuid() function gets the entry for the specified UID from /etc/passwd, and the getpwnam() function gets the entry for the specified login name. Both return a pointer to the passwd structure defined in /usr/include/pwd.h, which is defined as follows:

The following are the referenced contents:
struct passwd {
    char   *pw_name;      /* login name */
    char   *pw_passwd;    /* encrypted password */
    uid_t   pw_uid;       /* user ID */
    gid_t   pw_gid;       /* group ID */
    char   *pw_age;       /* password aging information */
    char   *pw_comment;   /* comment */
    char   *pw_gecos;     /* user information (GECOS field) */
    char   *pw_dir;       /* home directory */
    char   *pw_shell;     /* shell used after login */
};

The functions getpwent(), setpwent() and endpwent() are used to process the password file sequentially. The first call to getpwent() opens /etc/passwd and returns a pointer to the first user entry in the file; each further call to getpwent() returns the next user entry in the password file; setpwent() resets the password file's pointer to the beginning of the file; and endpwent() closes the password file.
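As an added example (not part of the original article, and not cracklib code), the following C program applies the field layout described above to a passwd-format text constructed inline, filling a structure whose fields mirror the ones getpwnam() and getpwent() return, and then runs the checks an administrator would run over such a file: entries with an empty password field, entries whose hash still sits in the world-readable passwd instead of shadow, and a second account carrying UID 0. The name pw_entry, the audit functions and the sample lines are all assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXLINE 512
#define COPY_FIELD(dst, src) \
    do { strncpy((dst), (src), sizeof(dst) - 1); (dst)[sizeof(dst) - 1] = '\0'; } while (0)

/* One parsed LOGNAME:PASSWORD:UID:GID:USERINFO:HOME:SHELL line, mirroring the
 * fields of struct passwd without touching the live /etc/passwd. */
struct pw_entry {
    char name[64], passwd[128], gecos[128], dir[128], shell[128];
    long uid, gid;
};

/* Audit findings, combined as bit flags. */
enum {
    AUDIT_OK = 0,
    AUDIT_EMPTY_PASSWORD = 1,   /* login possible with no password at all */
    AUDIT_UNSHADOWED_HASH = 2,  /* a hash sits in world-readable passwd, not shadow */
    AUDIT_EXTRA_ROOT = 4        /* an account other than root carries UID 0 */
};

/* Parse a decimal id; rejects empty or non-numeric fields. */
static int parse_num(const char *s, long *out)
{
    char *end;
    if (*s == '\0') return -1;
    *out = strtol(s, &end, 10);
    return *end == '\0' ? 0 : -1;
}

/* Split one passwd line into exactly seven colon-separated fields. strtok() is
 * avoided on purpose: it would swallow the empty password field in
 * "guest::1001:...", which is precisely what an audit must notice.
 * Returns 0 on success, -1 on a malformed line. */
static int parse_passwd_line(const char *line, struct pw_entry *e)
{
    char buf[MAXLINE], *fields[7], *p, *colon;
    int n;

    COPY_FIELD(buf, line);
    buf[strcspn(buf, "\n")] = '\0';
    p = buf;
    for (n = 0; n < 7; n++) {
        fields[n] = p;
        if (n == 6) break;                                  /* last field runs to end of line */
        if ((colon = strchr(p, ':')) == NULL) return -1;    /* too few fields */
        *colon = '\0';
        p = colon + 1;
    }
    if (strchr(fields[6], ':') != NULL) return -1;          /* too many fields */
    if (parse_num(fields[2], &e->uid) || parse_num(fields[3], &e->gid)) return -1;
    COPY_FIELD(e->name, fields[0]);
    COPY_FIELD(e->passwd, fields[1]);
    COPY_FIELD(e->gecos, fields[4]);
    COPY_FIELD(e->dir, fields[5]);
    COPY_FIELD(e->shell, fields[6]);
    return 0;
}

static int audit_entry(const struct pw_entry *e)
{
    int flags = AUDIT_OK;
    if (e->passwd[0] == '\0')
        flags |= AUDIT_EMPTY_PASSWORD;
    else if (strcmp(e->passwd, "x") != 0 && e->passwd[0] != '*' && e->passwd[0] != '!')
        flags |= AUDIT_UNSHADOWED_HASH;     /* "x", "*" and "!" mean shadowed or locked */
    if (e->uid == 0 && strcmp(e->name, "root") != 0)
        flags |= AUDIT_EXTRA_ROOT;
    return flags;
}

/* Walk a whole passwd-format buffer, print each finding, return their count. */
static int audit_passwd_text(const char *text)
{
    const char *p = text;
    int findings = 0;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[MAXLINE];
        struct pw_entry e;
        int flags;

        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + strlen(p);
        if (len == 0) continue;
        if (parse_passwd_line(line, &e) != 0) {
            printf("malformed entry: %s\n", line);
            findings++;
        } else if ((flags = audit_entry(&e)) != AUDIT_OK) {
            printf("%s (uid %ld): audit flags 0x%x\n", e.name, e.uid, flags);
            findings++;
        }
    }
    return findings;
}

/* Constructed sample, not a real password file; the 13-byte string on the bob
 * line is a placeholder in the shape of traditional crypt() output. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/sh\n"
    "daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/sh\n"
    "guest::1001:1001:Guest:/home/guest:/bin/sh\n"
    "bob:abJnggxhB/yWI:1002:1002:Bob:/home/bob:/bin/sh\n"
    "sysadm:x:0:0:second uid 0:/root:/bin/sh\n";

int main(void)
{
    printf("%d entries with findings\n", audit_passwd_text(SAMPLE_PASSWD));
    return 0;
}
```

On the sample the program reports guest (empty password), bob (hash not moved to shadow) and sysadm (UID 0), three findings in all. To run it against a real system, read /etc/passwd line by line into audit_passwd_text() instead of the constructed buffer; the parser deliberately treats "::" as an empty field rather than skipping it, which is the case that matters most.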

This shows that an attacker need only create a dictionary file, call the ready-made crypt() routine to encrypt every item in it, then open the password file with the functions above and compare in a loop; a weak password is easily cracked this way.

In fact there are many ready-made password cracking tools on the Internet, and passwords that are too simple are easy to crack. So what can we do to make sure a user's password is a secure one? A good approach is to use Cracklib to build secure UNIX passwords.

Cracklib Principle and application

Cracklib is a library of functions for UNIX systems that can be used to write password-related programs. Its basic idea is to improve system security by preventing users from choosing passwords that are too simple, easily guessed, or easily found by cracking tools.

Cracklib is not a program that can be run directly; it is only a library of functions that can be used in a program of your own or added to existing programs to improve security, for example by rewriting passwd to restrict the user's choice of password. Cracklib decides whether the password a user has chosen is secure by looking it up in a dictionary. Users can also add further information and use dictionaries of their own. Cracklib is highly efficient because it indexes the dictionary and uses binary search, and its dictionary is usually only about half the size of a plain word list with the same number of entries. The following describes how to use Cracklib.

1. Constructing the Cracklib dictionary

Cracklib is easy to find on the Internet; version 2.7 or above is now the most widely used. First decide the installation path of the dictionary, that is, the value assigned to dictpath, in the form directory + dictionary file name (without suffix), for example dictpath=/usr/local/lib/pw_dict. This value is used by every program that calls Cracklib functions, and the dictionary normally consists of three files: /usr/local/lib/pw_dict.pwd, /usr/local/lib/pw_dict.pwi and /usr/local/lib/pw_dict.hwm.

The Cracklib dictionary can be downloaded directly from the Web, or generated with the tools Cracklib provides. If you want to add other information or use your own dictionary, put the files containing the new words in the sourcedict directory (such as /usr/dict/words); Cracklib merges all the files, removes duplicate words, and compresses them into a dictionary file, usually only 40%-60% of the size of the original files.

2. Calling the functions from a program

Cracklib functions can be used in many places; adding just a few lines of source code gives very good results. char *FascistCheck(char *pw, char *dictpath) is the most commonly used function in Cracklib, where pw is the password the user has chosen, which is to be checked for safety, and dictpath is the path to the dictionary.

FascistCheck() returns a null pointer when the password is considered secure; otherwise it returns a diagnostic string. The following simple password-setting example illustrates the use of the cracklib functions.

The following are the referenced contents:
#include <stdio.h>
#include <string.h>
#include <unistd.h>     /* getpass() */
#include <crack.h>      /* FascistCheck() */

#ifndef CRACKLIB_DICTPATH
#define CRACKLIB_DICTPATH "/usr/local/lib/pw_dict"
#endif
...
...
...
/* newuser (with fields userid and passwd) and passlen are set up in the omitted code */
char *passbuf;
const char *msg;
while (1) {
    passbuf = getpass("Please set new password:");
    if (!*passbuf) {
        (void) printf("Password not set, continuing with the old password\n");
        break;
    }
    if (strlen(passbuf) <= 4 || !strcmp(passbuf, newuser.userid)) {
        (void) printf("Password is too short or the same as the user ID, please re-enter\n");
        continue;
    }
    /* NULL means cracklib accepted the password; otherwise msg explains the rejection */
    if ((msg = FascistCheck(passbuf, CRACKLIB_DICTPATH)) != NULL) {
        printf("Please choose another password! (%s)\n", msg);
        continue;
    }
    strncpy(newuser.passwd, passbuf, passlen);
    passbuf = getpass("Please enter your password again:");
    if (strncmp(passbuf, newuser.passwd, passlen) != 0) {
        printf("Password input error, please re-enter the password.\n");
        continue;
    }
    passbuf[8] = '\0';   /* traditional crypt() uses only the first 8 characters */
    break;
}

Restricting users from choosing unsafe passwords in this way can greatly improve the security of the system.
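To show concretely what the dictionary construction of section 1 and the FascistCheck() contract of section 2 amount to, here is an added example written for this page; it is not cracklib's own code and uses none of its files. It merges constructed word lists the way the article describes (lower-case, sort, remove duplicates, so that a lookup is a binary search), and simple_check() returns NULL for an acceptable password or a diagnostic string otherwise, covering the cases discussed above: too short, based on the user ID, a dictionary word, a reversed dictionary word, a common word followed by a number, and too few kinds of character. The function names, message texts and word lists are this example's own assumptions, not cracklib's.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_WORDS 64
#define MAX_WORD  32

/* The compiled dictionary: lower-cased, sorted, duplicate-free, so that a
 * lookup is a binary search, as the article describes for cracklib. */
struct dict {
    char words[MAX_WORDS][MAX_WORD];
    int count;
};

static int cmp_word(const void *a, const void *b)
{
    return strcmp((const char *)a, (const char *)b);
}

/* Merge several newline-separated source word lists (the files that would sit
 * under sourcedict), lower-case them, sort, and drop duplicates.
 * Returns the number of distinct words kept. */
static int dict_build(struct dict *d, const char *const *sources, int nsources)
{
    int i, j, n = 0;

    for (i = 0; i < nsources; i++) {
        const char *p = sources[i];
        while (*p != '\0' && n < MAX_WORDS) {
            const char *nl = strchr(p, '\n');
            size_t k, len = nl ? (size_t)(nl - p) : strlen(p);
            if (len > 0) {
                if (len > MAX_WORD - 1) len = MAX_WORD - 1;
                for (k = 0; k < len; k++)
                    d->words[n][k] = (char)tolower((unsigned char)p[k]);
                d->words[n][len] = '\0';
                n++;
            }
            p = nl ? nl + 1 : p + strlen(p);
        }
    }
    qsort(d->words, (size_t)n, MAX_WORD, cmp_word);
    for (i = 0, j = 0; i < n; i++) {
        if (j > 0 && strcmp(d->words[j - 1], d->words[i]) == 0)
            continue;                           /* duplicate of the previous word */
        if (j != i) strcpy(d->words[j], d->words[i]);
        j++;
    }
    d->count = j;
    return j;
}

static int dict_contains(const struct dict *d, const char *w)
{
    return bsearch(w, d->words, (size_t)d->count, MAX_WORD, cmp_word) != NULL;
}

/* Same contract as FascistCheck(): NULL means acceptable, otherwise a diagnostic. */
static const char *simple_check(const char *pw, const char *user, const struct dict *d)
{
    char low[128], rev[128], stem[128], ulow[128];
    size_t n = strlen(pw), i, k;
    int same = 1, lower = 0, upper = 0, digit = 0, punct = 0;

    if (n < 6)           return "it is too short";
    if (n >= sizeof low) return "it is too long";
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)pw[i];
        low[i] = (char)tolower(c);
        rev[n - 1 - i] = low[i];
        if (pw[i] != pw[0]) same = 0;
        if (islower(c)) lower = 1; else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1; else punct = 1;
    }
    low[n] = rev[n] = '\0';
    if (same) return "it is all the same character";

    for (k = 0; user[k] != '\0' && k < sizeof ulow - 1; k++)   /* the article's own first check */
        ulow[k] = (char)tolower((unsigned char)user[k]);
    ulow[k] = '\0';
    if (k >= 3 && strstr(low, ulow) != NULL) return "it is based on your user name";

    if (dict_contains(d, low)) return "it is based on a dictionary word";
    if (dict_contains(d, rev)) return "it is based on a reversed dictionary word";

    /* the "common word + number" pattern: strip trailing digits and look again */
    for (k = n; k > 0 && isdigit((unsigned char)low[k - 1]); k--)
        ;
    if (k > 0 && k < n) {
        memcpy(stem, low, k);
        stem[k] = '\0';
        if (dict_contains(d, stem)) return "it is a dictionary word followed by digits";
    }
    if (lower + upper + digit + punct < 2)
        return "it does not contain enough different characters";
    return NULL;
}

/* Constructed word lists standing in for files under sourcedict. */
static const char *const SAMPLE_SOURCES[] = {
    "password\nsecret\nwelcome\nsummer\nbeijing",
    "Password\ndragon\nshanghai\nsecret\nwelcome",
};

int main(void)
{
    static const char *const candidates[] =
        { "secret", "terces", "welcome99", "Alice2024", "aaaaaa", "x7#Qp9sL" };
    struct dict d;
    size_t i;

    printf("%d distinct words in the dictionary\n", dict_build(&d, SAMPLE_SOURCES, 2));
    for (i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        const char *msg = simple_check(candidates[i], "alice", &d);
        printf("%-10s -> %s\n", candidates[i], msg ? msg : "accepted");
    }
    return 0;
}
```

The two constructed lists collapse to seven distinct words, and of the six candidates only "x7#Qp9sL" is accepted for user alice. The real cracklib applies more rules and a far larger dictionary, but the shape of the gate is the same: a caller treats NULL as "accept" and shows the returned string to the user, exactly as the password-setting loop above does with FascistCheck().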
