Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Posting-Version: version B 2.10.2 9/18/84 exptools; site ho95e.UUCP Path: utzoo!watmath!clyde!burl!ulysses!mhuxr!mhuxt!houxm!ho95e!wcs From: wcs@ho95e.UUCP (Bill.Stewart.4K435.x0705) Newsgroups: net.unix,net.micro.pc,net.crypt Subject: Re: Non-ATT 'crypt(3)' Message-ID: <357@ho95e.UUCP> Date: Thu, 19-Dec-85 19:58:29 EST Article-I.D.: ho95e.357 Posted: Thu Dec 19 19:58:29 1985 Date-Received: Fri, 20-Dec-85 06:16:39 EST References: <124@suneast.uucp> <717@decuac.UUCP> <435@brl-tgr.ARPA> <522@uel> <125@suneast.uucp> Reply-To: wcs@ho95e.UUCP (Bill Stewart ( 1-201-949-0705 ihnp4!ho95c!wcs )) Organization: AT&T Bell Labs, Holmdel NJ Lines: 26 Xref: watmath net.unix:6682 net.micro.pc:6290 net.crypt:492 Summary: In article <125@suneast.uucp> geoff@suneast.uucp (Geoff Arnold) writes: >Alex Osadzinski, Unix Europe Ltd, London, England >writes: >> ... Further, any competent programmer >> can reproduce the crypt(3) code in an afternoon from a functional description. > >Oh really? The problem is, the only functional description other than the >code is the 'crypt(3)' man page, which vaguely says that the 'salt' is >"used to perturb the DES algorithm in one of 4096 different ways". Can you >deduce the algorithm without looking at the code? The important thing is to get the interface right; for normal applications it's unnecessary to pass crypt(3)'ed passwords between systems; if you depend on that then propagate your own crypt routine as well as your application. The salt business has two main purposes: - make it impossible to use DES hardware to decrypt (software is much slower, and if the speculated-about NSA trapdoor exists, this may make it fail.) - produce different cyphertexts for identical plaintext encrypted with identical keys - this makes cryptanalysis much more difficult, and makes it hard to tell that you're using the same passwords on N different machines. As long as you've got the interfaces correct, the internals don't really matter much. -- # Bill Stewart, AT&T Bell Labs 2G-202, Holmdel NJ 1-201-949-0705 ihnp4!ho95c!wcs