[comp.os.minix] Password systems

root@cca.ucsf.edu (Systems Staff) (06/30/90)

The following is a clarification of the intent of two recent postings
prompted by mail regarding them.
====================================================================

The typical Unix password system uses (the salt and) the password as
its key to encrypt a constant and then compares the result to the
stored value in /etc/passwd.

What I was suggesting in my recent postings to sci.crypt and
comp.os.minix is that the constant being encrypted be specific to each
system (or group of systems under common administration) and kept
confidential.

Thus, stealing a password file would not allow you to take it to
another system to attempt password space searches. Actually, you
wouldn't even be able to do this on the same system except by going
through the system routines and that would be readily detectable.

Changeover between the present and strengthened systems is trivial;
you supply two (not necessarily different) constants -- success means
matching the result from either one. This also gives you the mechanism
for enforcing required entry of new passwords; always use the preferred
value for assigning passwords.

I wasn't talking about messing with the S-Boxes. They represent a
black art and one might very well diminish their effectiveness unless
he _really_ knows what he's doing.

Snefru and MD4 are intended to produce a hard to invert code for use
as a message verification code. It had been proposed that an algorithm
of this type be used to avoid the problems of export restrictions on
cryptological systems.

What I was suggesting was that in this case the
"message" being fed to one of these for a password application include
at least three elements:

     1. The password itself
     2. The salt if one is desired (in this case including the actual
        login name serves to conceal use of the same password by more
        than one user of the system as well as diminishing the utility
        of precomputed tables)
     3. A string assigned by the system administrator which is kept
        confidential (this requires a protected OS for full value)

The latter element is the equivalent of the site dependent value
replacing the constant in the typical Unix method.

 Thos Sumner       Internet: thos@cca.ucsf.edu
 (The I.G.)        UUCP: ...ucbvax!ucsfcgl!cca.ucsf!thos
                   BITNET:  thos@ucsfcca

 U.S. Mail:  Thos Sumner, Computer Center, Rm U-76, UCSF
             San Francisco, CA 94143-0704 USA

I hear nothing in life is certain but death and taxes -- and they're
working on death.

#include <disclaimer.std>
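
The scheme described in the post above, as an added example that is not part of the original post: a hash over the password, the login name plus a salt, and a confidential site string, with the two-constant changeover check. Assumptions: HMAC-SHA-256 followed by PBKDF2 stands in for Snefru/MD4, a random per-user salt is used in addition to the login name, and all names and secret values are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed site secrets (assumption): in practice they are stored apart
# from the password file and readable only by the verification routine.
PREFERRED_SECRET = b"constructed-site-secret-new"
LEGACY_SECRET = b"constructed-site-secret-old"
ITERATIONS = 100_000


def site_digest(login, password, salt, site_secret):
    """Hash the post's three elements: password, salt/login, site secret."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") differ.
    msg = b"".join(len(p).to_bytes(4, "big") + p
                   for p in (login.encode(), password.encode()))
    # The site secret is the HMAC key, so a stolen password file alone
    # gives no way to test guesses offline.
    keyed = hmac.new(site_secret, msg, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, ITERATIONS)


def enroll(login, password, site_secret=PREFERRED_SECRET):
    """New passwords are always assigned under the preferred secret."""
    salt = os.urandom(16)
    return salt.hex() + "$" + site_digest(login, password, salt, site_secret).hex()


def verify(login, password, record):
    """Return (ok, needs_new_password) for a stored 'salt$digest' record."""
    salt_hex, stored_hex = record.split("$")
    salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(stored_hex)
    # Changeover: success means matching the result from either constant.
    ok_new, ok_old = (
        hmac.compare_digest(site_digest(login, password, salt, s), stored)
        for s in (PREFERRED_SECRET, LEGACY_SECRET)
    )
    # A match only under the legacy secret signals a required password change.
    return (ok_new or ok_old, ok_old and not ok_new)
```
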