wa371@sdcc12.UUCP (wa371) (05/22/85)
Question posed to the net: How secure is `crypt`?

Replies:

::::::::::::::::::::
From: Robert W. Baldwin <BALDWIN@MIT-XX.ARPA>
Subject: crypt security

crypt(1) is about as secure as locking something in a filing cabinet. Anybody who is willing to spend the time studying the details of crypt can figure out how to break it. It takes 2-4 weeks (part time) to write the necessary software. A paper that appeared in the October issue of the Bell Laboratories Technical Journal (1984) by Reed and Weinberger describes some of the more obvious ways to do it.

The security can be improved a great deal by compressing a file before encrypting it. I would strongly recommend running compact(1) and then crypt(1) if you value the privacy of your information.

--Bob Baldwin

:::::::::::::::::::::::
From: Oliver Sharp <dcdwest!ittvax!decvax!yale!sharp@sdcsvax.sdcc12>

Hi - not very. Read the October, 1984 issue of the Bell Labs Technical Journal (it might be AT&T Technical Journal; it changed names and I forget which one this was). There is an article explaining how to break crypt fairly quickly. Interesting stuff.

-Oliver Sharp

:::::::::::::::::::
From: dcdwest!ittvax!decvax!bellcore!gamma!ulysses!allegra!alice!reeds@sdcsvax

Crypt(1) is not safe against 1) me, 2) friends of mine, or 3) careful readers of an article by P.J.Weinberger & me in a recent ish of the Bell Labs Technical Journal, assuming they take the time to turn the algorithms we describe into a computer program. Plain English text is easy to read if you have a clue about what it's about; C code is even easier.

::::::::::::::::::::
From: ihnp4!seismo!harvard!uwvax!shp@wisc-crys.arpa (Steve Patterson)

If you're referring to something OTHER than the DES algorithm that I normally associate with crypt, then I haven't the foggiest idea.

About DES, I can say a few words. First: I'm not a mathematician. I can't mathematically demonstrate anything about it, etc. My cryptanalysis is mostly self-taught, and very limited.

However: from a system breaker's point of view (personal experience and research), crypt IS tough to break. (I don't know of anyone who's claimed to have broken it, but I do know several people who've failed). There's an article on it in October's AT&T Journal (if you'd like the reference, mail me back (shp@wisc-crys.arpa, or the return Usenet path) and I'll look it up -- I don't have it with me).

If memory serves, Unix uses a 56-bit DES, although the 64-bit version is significantly more secure. Rumor has it that this is because NSA can break a 56-bit DES but not a 64. Silly, but who knows?? I believe it.

Hope this helps out.

=shp

::::::::::::::::::
From: ucbvax!phr@ucbernie.Berkeley.ARPA (Paul Rubin)

Unix 'crypt' is secure from random people poking around but a text file of length more than a few hundred bytes can be decrypted in at most a few hours by anyone equipped with the right cryptanalysis program (at least one such program exists). Figuring out from the source code how to break the encryption (i.e. write the analysis program) is not trivial, but to crypto experts not very hard.

paul rubin

:::::::::::::::
End of replies.

Bernd <bear-nd> Riechelmann
(Not affiliated with, nor speaking for U.C. San Diego)
UUCP: ...!ucbvax!sdcsvax!sdcc12!wa371, ARPA: sdcsvax!sdcc12!wa371@nosc

*** hooray for USENET ***

PS: If a control-l follows here, I did not put it here but the mail program seems to be doing it lately. Does anyone know why?