485 lines
11 KiB
Groff
485 lines
11 KiB
Groff
.\" $NetBSD: crypt.3,v 1.35 2023/01/17 14:27:11 uwe Exp $
|
|
.\"
|
|
.\" Copyright (c) 1989, 1991, 1993
|
|
.\" The Regents of the University of California. All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. Neither the name of the University nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" @(#)crypt.3 8.2 (Berkeley) 12/11/93
|
|
.\"
|
|
.Dd October 20, 2021
|
|
.Dt CRYPT 3
|
|
.Os
|
|
.Sh NAME
|
|
.Nm crypt ,
|
|
.Nm setkey ,
|
|
.Nm encrypt ,
|
|
.Nm des_setkey ,
|
|
.Nm des_cipher
|
|
.Nd password hashing
|
|
.Sh LIBRARY
|
|
.Lb libcrypt
|
|
.Sh SYNOPSIS
|
|
.In unistd.h
|
|
.Ft "char *"
|
|
.Fn crypt "const char *key" "const char *setting"
|
|
.Ft int
|
|
.Fn encrypt "char *block" "int flag"
|
|
.Ft int
|
|
.Fn des_setkey "const char *key"
|
|
.Ft int
|
|
.Fn des_cipher "const char *in" "char *out" "long salt" "int count"
|
|
.In stdlib.h
|
|
.Ft int
|
|
.Fn setkey "const char *key"
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Fn crypt
|
|
function
|
|
performs password hashing.
|
|
The password hashing scheme used by
|
|
.Fn crypt
|
|
is dependent upon the contents of the
|
|
.Tn NUL Ns -terminated
|
|
string
|
|
.Ar setting .
|
|
If it begins
|
|
with a string character
|
|
.Pq Ql $
|
|
and a number then a different algorithm is used depending on the number.
|
|
At the moment a
|
|
.Ql $1
|
|
chooses MD5 hashing and a
|
|
.Ql $2
|
|
chooses Blowfish hashing; see below for more information.
|
|
If
|
|
.Ar setting
|
|
begins with the
|
|
.Ql _
|
|
character,
|
|
.Tn DES
|
|
password hashing with a user specified number of
|
|
perturbations is selected.
|
|
If
|
|
.Ar setting
|
|
begins with any other character,
|
|
.Tn DES
|
|
password hashing with a fixed
|
|
number of perturbations is selected.
|
|
.Ss DES password hashing
|
|
The
|
|
.Tn DES
|
|
password hashing scheme is derived from the
|
|
.Tn NBS
|
|
Data Encryption Standard.
|
|
Additional code has been added to deter key search attempts and to use
|
|
stronger hashing algorithms.
|
|
In the
|
|
.Tn DES
|
|
case, the second argument to
|
|
.Fn crypt
|
|
is a character array, 9 bytes in length, consisting of an underscore
|
|
.Pq Ql _
|
|
followed by 4 bytes of iteration count and 4 bytes of salt.
|
|
Both the iteration
|
|
.Fa count
|
|
and the
|
|
.Fa salt
|
|
are encoded with 6 bits per character, least significant bits first.
|
|
The values 0 to 63 are encoded by the characters
|
|
.Ql ./0-9A-Za-z ,
|
|
respectively.
|
|
.Pp
|
|
The
|
|
.Fa salt
|
|
is used to induce disorder in to the
|
|
.Tn DES
|
|
algorithm
|
|
in one of 16777216
|
|
possible ways
|
|
(specifically, if bit
|
|
.Em i
|
|
of the
|
|
.Ar salt
|
|
is set then bits
|
|
.Em i
|
|
and
|
|
.Em i+24
|
|
are swapped in the
|
|
.Tn DES
|
|
.Dq E
|
|
box output).
|
|
The
|
|
.Ar key
|
|
is divided into groups of 8 characters (a short final group is null-padded)
|
|
and the low-order 7 bits of each character (56 bits per group) are
|
|
used to form the
|
|
.Tn DES
|
|
key as follows: the first group of 56 bits becomes the initial
|
|
.Tn DES
|
|
key.
|
|
For each additional group, the XOR of the group bits and the encryption of the
|
|
.Tn DES
|
|
key with itself becomes the next
|
|
.Tn DES
|
|
key.
|
|
Then the final
|
|
.Tn DES
|
|
key is used to perform
|
|
.Ar count
|
|
cumulative encryptions of a 64-bit constant yielding a
|
|
.Sq ciphertext .
|
|
The value returned is a
|
|
.Tn NUL Ns -terminated
|
|
string, 20 bytes in length, consisting
|
|
of the
|
|
.Ar setting
|
|
followed by the encoded 64-bit
|
|
.Sq ciphertext .
|
|
.Pp
|
|
For compatibility with historical versions of
|
|
.Fn crypt ,
|
|
the
|
|
.Ar setting
|
|
may consist of 2 bytes of salt, encoded as above, in which case an
|
|
iteration
|
|
.Ar count
|
|
of 25 is used, fewer perturbations of
|
|
.Tn DES
|
|
are available, at most 8
|
|
characters of
|
|
.Ar key
|
|
are used, and the returned value is a
|
|
.Tn NUL Ns -terminated
|
|
string 13 bytes in length.
|
|
.Pp
|
|
The
|
|
functions
|
|
.Fn encrypt ,
|
|
.Fn setkey ,
|
|
.Fn des_setkey
|
|
and
|
|
.Fn des_cipher
|
|
allow limited access to the
|
|
.Tn DES
|
|
algorithm itself.
|
|
The
|
|
.Ar key
|
|
argument to
|
|
.Fn setkey
|
|
is a 64 character array of
|
|
binary values (numeric 0 or\~1).
|
|
A 56-bit key is derived from this array by dividing the array
|
|
into groups of 8 and ignoring the last bit in each group.
|
|
.Pp
|
|
The
|
|
.Fn encrypt
|
|
argument
|
|
.Fa block
|
|
is also a 64 character array of
|
|
binary values.
|
|
If the value of
|
|
.Fa flag
|
|
is 0,
|
|
the argument
|
|
.Fa block
|
|
is encrypted, otherwise it
|
|
is decrypted.
|
|
The encryption or decryption is returned in the original
|
|
array
|
|
.Fa block
|
|
after using the
|
|
key specified
|
|
by
|
|
.Fn setkey
|
|
to process it.
|
|
.Pp
|
|
The
|
|
.Fn des_setkey
|
|
and
|
|
.Fn des_cipher
|
|
functions are faster but less portable than
|
|
.Fn setkey
|
|
and
|
|
.Fn encrypt .
|
|
The argument to
|
|
.Fn des_setkey
|
|
is a character array of length 8.
|
|
The
|
|
.Em least
|
|
significant bit in each character is ignored and the next 7 bits of each
|
|
character are concatenated to yield a 56-bit key.
|
|
The function
|
|
.Fn des_cipher
|
|
encrypts (or decrypts if
|
|
.Fa count
|
|
is negative) the 64-bits stored in the 8 characters at
|
|
.Fa in
|
|
using
|
|
.Xr abs 3
|
|
of
|
|
.Fa count
|
|
iterations of
|
|
.Tn DES
|
|
and stores the 64-bit result in the 8 characters at
|
|
.Fa out .
|
|
The
|
|
.Fa salt
|
|
specifies perturbations to
|
|
.Tn DES
|
|
as described above.
|
|
.Ss MD5 password hashing
|
|
For the
|
|
.Tn MD5
|
|
password hashing scheme, the version number (in this case
|
|
.Ql 1 ) ,
|
|
.Fa salt
|
|
and the hashed password are separated
|
|
by the
|
|
.Ql $
|
|
character.
|
|
An encoded password hash looks like:
|
|
.Pp
|
|
.Dl "$1$2qGr5PPQ$eT08WBFev3RPLNChixg0H"
|
|
.Pp
|
|
The entire encoded MD5 password hash is passed as
|
|
.Fa setting
|
|
for interpretation.
|
|
.Ss Argon2 password hashing
|
|
Argon2 is a memory-hard password hashing algorithm.
|
|
.Fn crypt
|
|
provides all three variants: argon2i, argon2d, and argon2id.
|
|
It is recommended to use argon2id, which provides a hybrid combination
|
|
using argon2i on the first pass, and argon2d on the remaining
|
|
passes.
|
|
We parameterize on three variables.
|
|
First,
|
|
.Va m_cost ( Li m ) ,
|
|
specifies the memory usage in
|
|
.Tn KB .
|
|
Second,
|
|
.Va t_cost ( Li t ) ,
|
|
specifies the number of iterations.
|
|
Third,
|
|
.Va parallelism ( Li p )
|
|
specifies the number of threads.
|
|
This is currently ignored and one thread will always be used.
|
|
An encoded Argon2 password hash looks like:
|
|
.Bd -literal -offset indent
|
|
$argon2id$v=19$m=4096,t=6,p=1$qCatF9a1s/6TgcYB$ \e
|
|
yeYYrU/rh7E+LI2CAeHTSHVB3iO+OXiNIUHu6NPeTfo
|
|
.Ed
|
|
.Pp
|
|
containing five fields delimited by
|
|
.Ql $ .
|
|
The fields, in order, are variant name, version, parameter set,
|
|
128-bit salt, and Argon2 hash encoded in base64.
|
|
The entire encoded Argon2 password hash is required to be processed
|
|
correctly.
|
|
.Ss "Blowfish" bcrypt
|
|
The
|
|
.Tn Blowfish
|
|
version of
|
|
.Fn crypt
|
|
has 128 bits of
|
|
.Fa salt
|
|
in order to make building dictionaries of common passwords space consuming.
|
|
The initial state of the
|
|
.Tn Blowfish
|
|
cipher is expanded using the
|
|
.Fa salt
|
|
and the
|
|
.Fa password
|
|
repeating the process a variable number of rounds, which is encoded in
|
|
the password hash.
|
|
The maximum password length is 72.
|
|
The final Blowfish password output is created by encrypting the string
|
|
.Pp
|
|
.Dl OrpheanBeholderScryDoubt
|
|
.Pp
|
|
with the
|
|
.Tn Blowfish
|
|
state 64 times.
|
|
.Pp
|
|
The version number, the logarithm of the number of rounds and
|
|
the concatenation of salt and hashed password are separated by the
|
|
.Ql $
|
|
character.
|
|
An encoded
|
|
.Sq 8
|
|
would specify 256 rounds.
|
|
An encoded Blowfish password hash looks like:
|
|
.Pp
|
|
.Dl "$2a$12$eIAq8PR8sIUnJ1HaohxX2O9x9Qlm2vK97LJ5dsXdmB.eXF42qjchC"
|
|
.Pp
|
|
The entire encoded Blowfish password hash is passed as
|
|
.Fa setting
|
|
for interpretation.
|
|
.Sh RETURN VALUES
|
|
The function
|
|
.Fn crypt
|
|
returns a pointer to the encoded hash on success.
|
|
.Pp
|
|
The behavior of
|
|
.Fn crypt
|
|
on errors isn't well standardized.
|
|
Some implementations simply can't fail (unless the process dies, in which
|
|
case they obviously can't return), others return
|
|
.Dv NULL
|
|
or a fixed string.
|
|
Most implementations don't set
|
|
.Va errno ,
|
|
but some do.
|
|
.St -susv2
|
|
specifies
|
|
only returning
|
|
.Dv NULL
|
|
and setting
|
|
.Va errno
|
|
as a valid behavior, and defines
|
|
only one possible error
|
|
.Er ( ENOSYS ,
|
|
.Dq "The functionality is not supported on this implementation." )
|
|
Unfortunately, most existing applications aren't prepared to handle
|
|
.Dv NULL
|
|
returns from
|
|
.Fn crypt .
|
|
The description below corresponds to this implementation of
|
|
.Fn crypt
|
|
only.
|
|
The behavior may change to match standards, other implementations or existing
|
|
applications.
|
|
.Pp
|
|
.Fn crypt
|
|
may only fail (and return) when passed an invalid or unsupported
|
|
.Fa setting ,
|
|
in which case it returns a pointer to a magic string that is shorter than 13
|
|
characters and is guaranteed to differ from
|
|
.Fa setting .
|
|
This behavior is safe for older applications which assume that
|
|
.Fn crypt
|
|
can't fail, when both setting new passwords and authenticating against
|
|
existing password hashes.
|
|
.Pp
|
|
The functions
|
|
.Fn setkey ,
|
|
.Fn encrypt ,
|
|
.Fn des_setkey ,
|
|
and
|
|
.Fn des_cipher
|
|
return 0 on success and 1 on failure.
|
|
Historically, the functions
|
|
.Fn setkey
|
|
and
|
|
.Fn encrypt
|
|
did not return any value.
|
|
They have been provided return values primarily to distinguish
|
|
implementations where hardware support is provided but not
|
|
available or where the
|
|
.Tn DES
|
|
encryption is not available due to the
|
|
usual political silliness.
|
|
.Sh SEE ALSO
|
|
.Xr login 1 ,
|
|
.Xr passwd 1 ,
|
|
.Xr pwhash 1 ,
|
|
.Xr getpass 3 ,
|
|
.Xr md5 3 ,
|
|
.Xr passwd 5 ,
|
|
.Xr passwd.conf 5
|
|
.Rs
|
|
.%T "Argon2: the memory-hard function for password hashing and other applications"
|
|
.%A Alex Biryukov
|
|
.%A Daniel Dinu
|
|
.%A Dmitry Khovratovich
|
|
.%D 2017
|
|
.%I University of Luxembourg
|
|
.%U https://www.password-hashing.net/
|
|
.Re
|
|
.Rs
|
|
.%T "Mathematical Cryptology for Computer Scientists and Mathematicians"
|
|
.%A Wayne Patterson
|
|
.%D 1987
|
|
.%N ISBN 0-8476-7438-X
|
|
.Re
|
|
.Rs
|
|
.%T "Password Security: A Case History"
|
|
.%A R. Morris
|
|
.%A Ken Thompson
|
|
.%J "Communications of the ACM"
|
|
.%V vol. 22
|
|
.%P pp. 594-597
|
|
.%D Nov. 1979
|
|
.Re
|
|
.Rs
|
|
.%T "DES will be Totally Insecure within Ten Years"
|
|
.%A M.E. Hellman
|
|
.%J "IEEE Spectrum"
|
|
.%V vol. 16
|
|
.%P pp. 32-39
|
|
.%D July 1979
|
|
.Re
|
|
.Sh HISTORY
|
|
A rotor-based
|
|
.Fn crypt
|
|
function appeared in
|
|
.At v6 .
|
|
The current style
|
|
.Fn crypt
|
|
first appeared in
|
|
.At v7 .
|
|
.Sh BUGS
|
|
Dropping the
|
|
.Em least
|
|
significant bit in each character of the argument to
|
|
.Fn des_setkey
|
|
is ridiculous.
|
|
.Pp
|
|
The
|
|
.Fn crypt
|
|
function leaves its result in an internal static object and returns
|
|
a pointer to that object.
|
|
Subsequent calls to
|
|
.Fn crypt
|
|
will modify the same object.
|
|
.Pp
|
|
Before
|
|
.Nx 6.0
|
|
.Fn crypt
|
|
returned either
|
|
.Dv NULL
|
|
or
|
|
.Li \*q:\*q
|
|
on error.
|
|
.Pp
|
|
The term
|
|
.Sq encryption
|
|
for password hashing does not match the terminology of modern
|
|
cryptography, but the name of the library is entrenched.
|
|
.Pp
|
|
A library for password hashing has no business directly exposing the
|
|
.Tn DES
|
|
cipher itself, which is obsolete and broken as a cipher.
|