lmc@denelcor.UUCP (Lyle McElhaney) (12/09/84)
My posting about a mailing list for Unix security issues seems to have gotten out (I sometimes wonder...) and one comment about the security of the mail list itself is that the contents should be encrypted. So... a few questions to the assembled masses seem to be in order:

Would crypt(1) be appropriate for this use? I know the enigma codes can be broken, but has anyone actually done it in the case of crypt? Is it something to worry about? If crypt is not right, what would be a more acceptable way of encrypting the data? I assume we have a way of passing the keys about securely.

Lastly, since crypt is not *supposed* to be passed outside the US of A, how can we extend the list to those in, say, Korea? Caesar encoding probably won't hack it.

Comments to me via mail, please. I'll summarize.
--
Lyle McElhaney
{hao, stcvax, brl-bmd, nbires, csu-cs} !denelcor!lmc
gwyn@brl-tgr.ARPA (Doug Gwyn <gwyn>) (12/09/84)
> My posting about a mailing list for Unix security issues seems to have
> gotten out (I sometimes wonder...) and one comment about the security
> of the mail list itself is that the contents should be encrypted. So...
> a few questions to the assembled masses seem to be in order:
>
> Would crypt(1) be appropriate for this use? I know the enigma codes can
> be broken, but has anyone actually done it in the case of crypt? Is it
> something to worry about? If crypt is not right, what would be a more
> acceptable way of encrypting the data? I assume we have a way of passing
> the keys about securely.
>
> Lastly, since crypt is not *supposed* to be passed outside the US of A,
> how can we extend the list to those in, say, Korea? Caesar encoding
> probably won't hack it.
>
> Comments to me via mail, please. I'll summarize.
> --
> Lyle McElhaney
> {hao, stcvax, brl-bmd, nbires, csu-cs} !denelcor!lmc

"Crypt" has indeed been broken; you can find out how to go about it by reading an article in the latest BLTJ. I assure you that anyone who is serious about snooping on the security newsgroup would.

I think a more severe problem is that you cannot possibly know whether the people on your restricted mailing list are good guys or bad. Just because I post a request to you from "somehost!root" does NOT mean that I am trustworthy. Indeed, it doesn't even mean that I have access to a UNIX system!
gwyn@brl-tgr.ARPA (Doug Gwyn <gwyn>) (12/09/84)
I apologize for my response to Lyle getting broadcast. After stashing my edited copy of his note into a file while in "followup" mode, I clobbered the editor buffer and wrote what should have been a 0-length file to be "posted", intending for that to abort safely. I should know better than to expect software on UNIX to do the sensible thing..
menageri@mit-eddie.UUCP (The Menagerie) (12/16/84)
Can anyone out there tell me how passwords are encoded on Unix? (4.2BSD at least, although if it is different on others, I'd be interested to see other algorithms)

Please note that I am *NOT* trying to break the encryption, I just want to know specifically how it is done, so please don't flame at me about the possibility/impossibility of breaking it.

Thanks in advance.

greg
uucp: !genrad!mit-eddie!menagerie
arpa: greg@grape-nehi%mit-mc or g.mcmullan@mit-eecs%mit-mc
us snail: 500 memorial drive cambridge, ma, 02139[-4326]
(617) 225-8942
gwyn@brl-tgr.ARPA (Doug Gwyn <gwyn>) (12/19/84)
> Can anyone out there tell me how passwords are encoded on Unix?
All versions of UNIX from 7th Edition on encrypt the passwords
with a C library routine described in CRYPT(3C). See the manual
for details; basically the NBS DES is used, with variations.