.\" Written and revised by Solar Designer <solar at openwall.com> in 2000-2011.
.\" Revised by Zack Weinberg <zackw at panix.com> in 2017.
.\"
.\" No copyright is claimed, and this man page is hereby placed in the public
.\" domain. In case this attempt to disclaim copyright and place the man page
.\" in the public domain is deemed null and void, then the man page is
.\" Copyright 2000-2011 Solar Designer, 2017 Zack Weinberg, and it is
.\" hereby released to the general public under the following terms:
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted.
.\"
.\" There's ABSOLUTELY NO WARRANTY, express or implied.
.\"
.\" This manual page in its current form is intended for use on systems
.\" based on the GNU C Library with crypt_blowfish patched into libcrypt.
.\"
.TH CRYPT 5 "October 11, 2017" "Openwall Project" "File Formats and Conversions"
.SH NAME
crypt \- storage format for hashed passphrases and available hashing methods
.SH DESCRIPTION
The hashing methods implemented by
.BR crypt (3)
are designed only to process user passphrases for storage and authentication;
they are not suitable for use as general-purpose cryptographic hashes.
.PP
Passphrase hashing is not a replacement for strong passphrases.
It is always possible
for an attacker with access to the hashed passphrases
to guess and check possible cleartext passphrases.
However, with a strong hashing method,
guessing will be too slow for the attacker
to discover a strong passphrase.
.PP
All of the hashing methods use a \(lqsalt\(rq to perturb the hash function,
so that the same passphrase may produce many possible hashes.
Newer methods accept longer salt strings.
The salt should be chosen at random for each user.
Salt defeats a number of attacks:
.TP
1.
It is not possible to hash a passphrase once
and then test it against each account's stored hash;
the hash calculation must be repeated for each account.
.TP
2.
Tables of precalculated hashes of commonly used passphrases
must have an entry for each possible salt,
which makes them impractically large.
.TP
3.
It is not possible to tell whether two accounts use the same passphrase
without successfully guessing one of the phrases.
.PP
All of the hashing methods are also deliberately engineered to be slow;
they use many iterations of an underlying cryptographic primitive
to increase the cost of each guess.
The newer hashing methods allow the number of iterations to be adjusted,
using the \(lqCPU time cost\(rq parameter to
.BR crypt_gensalt (3).
This makes it possible to keep the hash slow as hardware improves.
.SH FORMAT OF HASHED PASSPHRASES
All of the hashing methods supported by
.I libcrypt
produce a hashed passphrase which consists of four components:
.IR prefix ", " options ", " salt ", and " hash.
The prefix controls which hashing method is to be used, and is the
appropriate string to pass to
.B crypt_gensalt
to select that method.
The contents of
.IR options ", " salt ", and " hash
are up to the method.
Depending on the method, the
.IR prefix " and " options
components may be empty.
.PP
The
.I setting
argument to
.B crypt
must begin with the first three components of a valid hashed passphrase,
but anything after that is ignored.
This makes authentication simple:
hash the input passphrase using the stored passphrase as the setting,
and then compare the result to the stored passphrase.
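.PP
The authentication step just described, as an added example (not part of the original man page or of libcrypt): it calls crypt(3) through Python's ctypes with the stored hash as the setting and compares the result in constant time. The library names tried, the sample passphrase and the fixed salt are assumptions made for the demonstration.

```python
import ctypes
import hmac

def _load_crypt():
    """Find crypt(3): in libcrypt on glibc systems, in libc itself elsewhere."""
    for name in ("libcrypt.so.1", "libcrypt.so.2", "libcrypt.so", None):
        try:
            fn = ctypes.CDLL(name).crypt
        except (OSError, AttributeError):
            continue
        fn.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
        fn.restype = ctypes.c_char_p
        return fn
    raise RuntimeError("no crypt(3) implementation found")

_crypt = _load_crypt()

def crypt_hash(passphrase, setting):
    """Hash passphrase under setting; return None if crypt(3) reports failure."""
    if "\0" in passphrase or "\0" in setting:
        return None          # C strings would be silently truncated at the NUL
    out = _crypt(passphrase.encode(), setting.encode())
    # Failure is NULL or, in some implementations, a token starting with '*',
    # a character that never appears in a valid hashed passphrase.
    if out is None or out.startswith(b"*"):
        return None
    return out.decode("ascii")

def verify(passphrase, stored):
    """Hash the input with the stored hash as the setting, then compare."""
    computed = crypt_hash(passphrase, stored)
    if computed is None:
        return False         # locked account ("!", "*") or unsupported method
    return hmac.compare_digest(computed.encode(), stored.encode())

# Constructed enrolment: a fixed sample salt, for illustration only. Real code
# obtains the setting from crypt_gensalt(3) so the salt is random per user.
STORED = crypt_hash("correct horse", "$6$rounds=10000$constructedsalt$")
```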
.PP
Hashed passphrases are always entirely printable ASCII,
and do not contain any whitespace
or the characters \(oq\fB:\fR\(cq,
\(oq\fB;\fR\(cq,
\(oq\fB*\fR\(cq,
\(oq\fB!\fR\(cq, or
\(oq\fB\e\fR\(cq.
(These characters are used as delimiters and special markers in the
.BR passwd (5)
and
.BR shadow (5)
files.)
.PP
The syntax of each component of a hashed passphrase
is up to the hashing method.
\(oq\fB$\fR\(cq characters
usually delimit components,
and the salt and hash are usually encoded as numerals in base 64.
However, the details of the base-64 encoding vary among hashing
methods and are usually
.I not
compatible with the common \(lqbase64\(rq encoding.
.SH AVAILABLE HASHING METHODS
This is a list of
.I all
the hashing methods supported by
.IR libcrypt ,
in decreasing order of strength.
Many of the older methods
are now considered too weak to use for new passphrases.
The encoded passphrase format is expressed
with extended regular expressions (see
.BR regex (7))
and does not show the division into prefix, options, salt, and hash.
.de hash
.ad l
.TP
.B prefix
.ie "\\$1"" \{\
"" (empty string)
.\}
.el "\\$1"
.TP
.B Encoded passphrase format
\\$2
.TP
.B Maximum password length
.ie "\\$3"unlimited" unlimited
.el \\$3 characters
.if "\\$4"7" (ignores 8th bit)
.TP
.B Hash size
\\$6 bits
.if !"\\$5"\\$6" (effectively \\$5)
.TP
.B Salt size
\\$7 bits
.TP
.B CPU time cost parameter
\\$8
.ad b
..
.PP
.ti -4
.B bcrypt
.br
A hash based on the Blowfish block cipher,
modified to have an extra-expensive key schedule.
Originally developed by Niels Provos and David Mazieres for OpenBSD
and also supported on recent versions of FreeBSD and NetBSD,
on Solaris 10 and newer, and on several GNU/*/Linux distributions.
Recommended for new password hashes.
.hash "$2b$" "\e$2[abxy]\e$[0-9]{2}\e$[./A-Za-z0-9]{53}" 72 8 184 184 128 "4 to 31 (logarithmic)"
.PP
The alternative prefix "$2y$" is equivalent to "$2b$".
It exists for historical reasons only.
The alternative prefixes "$2a$" and "$2x$"
provide bug-compatibility with crypt_blowfish 1.0.4 and earlier,
which incorrectly processed characters with the 8th bit set.
.PP
.ti -4
.B SHA-2-512
.br
A hash based on SHA-2 with 512-bit output,
originally developed by Ulrich Drepper for GNU libc.
Supported on Linux but not common elsewhere.
Acceptable for new password hashes.
The default CPU time cost parameter is 5000,
which is too low for modern hardware.
.br
.hash "$6$" "\e$6\e$(rounds=[1-9][0-9]+\e$)?[./0-9A-Za-z]{1,16}\e$[./0-9A-Za-z]{86}" unlimited 8 512 512 "6 to 96" "1000 to 999,999,999"
.PP
.ti -4
.B SHA-2-256
.br
A hash based on SHA-2 with 256-bit output,
originally developed by Ulrich Drepper for GNU libc.
Supported on Linux but not common elsewhere.
Acceptable for new password hashes.
The default CPU time cost parameter is 5000,
which is too low for modern hardware.
.br
.hash "$5$" "\e$5\e$(rounds=[1-9][0-9]+\e$)?[./0-9A-Za-z]{1,16}\e$[./0-9A-Za-z]{43}" unlimited 8 256 256 "6 to 96" "1000 to 999,999,999"
.PP
.ti -4
.B SHA-1
.br
A hash based on HMAC-SHA1.
Originally developed by Simon Gerraty for NetBSD.
Not as weak as the DES-based hashes below,
but SHA1 is so cheap on modern hardware
that it should not be used for new hashes.
.hash "$sha1" "\e$sha1\e$[1-9][0-9]+\e$[./0-9A-Za-z]{1,64}\e$[./0-9A-Za-z]{8,64}[./0-9A-Za-z]{32}" unlimited 8 160 160 "6 to 384" "1 to 4,294,967,295"
.PP
.ti -4
.B MD5 (Sun)
.br
A hash based on the MD5 algorithm,
with additional cleverness to make precomputation difficult,
originally developed by Alec David Muffett for Solaris.
Not adopted elsewhere, to our knowledge.
Not as weak as the DES-based hashes below,
but MD5 is so cheap on modern hardware
that it should not be used for new hashes.
.hash "$md5" "\e$md5(,rounds=[1-9][0-9]+)?\e$[./0-9A-Za-z]{8}\e${1,2}[./0-9A-Za-z]{22}" unlimited 8 128 128 48 "4096 to 4,294,963,199"
.PP
.ti -4
.B MD5 (FreeBSD)
.br
A hash based on the MD5 algorithm, originally developed by
Poul-Henning Kamp for FreeBSD.
Supported on most free Unixes and newer versions of Solaris.
Not as weak as the DES-based hashes below,
but MD5 is so cheap on modern hardware
that it should not be used for new hashes.
CPU time cost is not adjustable.
.hash "$1$" "\e$1\e$[^$]{1,8}\e$[./0-9A-Za-z]{22}" unlimited 8 128 128 "6 to 48" 1000
.PP
.ti -4
.B BSDI extended DES
.br
A weak extension of traditional DES,
which eliminates the length limit,
increases the salt size,
and makes the time cost tunable.
It originates with BSDI
and is also available on at least NetBSD, OpenBSD, and FreeBSD
due to the use of David Burren's FreeSec library.
It is better than bigcrypt and traditional DES,
but still should not be used for new hashes.
.hash _ "_[./0-9A-Za-z]{19}" unlimited 7 56 64 24 "1 to 16,777,215 (must be odd)"
.PP
.ti -4
.B bigcrypt
.br
A weak extension of traditional DES,
available on some System V-derived Unixes.
All it does is raise the length limit from 8 to 128 characters,
and it does this in a crude way that allows attackers to
guess chunks of a long passphrase in parallel.
It should not be used for new hashes.
.hash "" "[./0-9A-Za-z]{13,178}" 128 7 "up to 896" "up to 1024" 12 25
.PP
.ti -4
.B Traditional DES-based
.br
The original hashing method from Unix V7, based on the DES block cipher.
Because DES is cheap on modern hardware,
because there are only 4096 possible salts and 2**56 possible hashes,
and because it truncates passphrases to 8 characters,
it is feasible to discover
.I any
passphrase hashed with this method.
It should only be used if you absolutely have to generate hashes
that will work on an old operating system that supports nothing else.
.hash "" "[./0-9A-Za-z]{13}" 8 7 56 64 12 25
.PP
.ti -4
.B NTHASH
.br
The hashing method used for network authentication
in some versions of the SMB/CIFS protocol.
Available, for cross-compatibility's sake, on FreeBSD.
Based on MD4.
Has no salt or tunable cost parameter.
Like traditional DES, it is so weak that
.I any
passphrase hashed with this method is guessable.
It should only be used if you absolutely have to generate hashes
that will work on an old operating system that supports nothing else.
.hash "$3$" "\e$3\e$\e$[0-9a-f]{32}" unlimited 8 256 256 0 1
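.PP
An added example (not from the original page or from libcrypt) that applies the encoded passphrase formats listed above to the password field of shadow(5) lines: it names the hashing method, reads the cost parameter, and reports the hashes this page advises against. The regular expressions are the page's own; the function names, the verdict labels and the sample lines are assumptions, and traditional DES is tested before bigcrypt because the bigcrypt pattern also matches 13-character DES hashes.

```python
import re

# (method, ERE from this page, verdict label). DES is tested before bigcrypt
# because the bigcrypt pattern also matches any 13-character DES hash.
METHODS = [
    ("bcrypt", r"\$2[abxy]\$[0-9]{2}\$[./A-Za-z0-9]{53}", "recommended"),
    ("SHA-2-512", r"\$6\$(rounds=[1-9][0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}", "acceptable"),
    ("SHA-2-256", r"\$5\$(rounds=[1-9][0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43}", "acceptable"),
    ("SHA-1", r"\$sha1\$[1-9][0-9]+\$[./0-9A-Za-z]{1,64}\$[./0-9A-Za-z]{8,64}[./0-9A-Za-z]{32}", "weak"),
    ("MD5 (Sun)", r"\$md5(,rounds=[1-9][0-9]+)?\$[./0-9A-Za-z]{8}\${1,2}[./0-9A-Za-z]{22}", "weak"),
    ("MD5 (FreeBSD)", r"\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}", "weak"),
    ("BSDI extended DES", r"_[./0-9A-Za-z]{19}", "weak"),
    ("Traditional DES-based", r"[./0-9A-Za-z]{13}", "weak"),
    ("bigcrypt", r"[./0-9A-Za-z]{13,178}", "weak"),
    ("NTHASH", r"\$3\$\$[0-9a-f]{32}", "weak"),
]

def classify(field):
    """Return (method, verdict, cost) for a hashed passphrase, else None."""
    for name, pattern, verdict in METHODS:
        if not re.fullmatch(pattern, field):
            continue
        cost = None
        if name == "bcrypt":
            cost = int(field[4:6])                  # logarithmic, 4 to 31
        elif name.startswith("SHA-2"):
            m = re.match(r"\$[56]\$rounds=([0-9]+)\$", field)
            cost = int(m.group(1)) if m else 5000   # default per this page
        return name, verdict, cost
    return None

def audit(shadow_lines):
    """List (user, method, reason) for hashes this page advises against."""
    findings = []
    for line in shadow_lines:
        user, field = line.split(":")[:2]
        method, verdict, cost = classify(field) or (None, None, None)
        if verdict == "weak":
            findings.append((user, method, "not for new hashes"))
        elif verdict == "acceptable" and cost <= 5000:
            findings.append((user, method, "rounds=%d too low" % cost))
    return findings

# Constructed shadow(5) lines; the hash bodies are filler, not real hashes.
SAMPLE = ["alice:$2b$12$" + "A" * 53 + ":19000:0:99999:7:::",
          "bob:$6$saltsalt$" + "B" * 86 + ":19000:0:99999:7:::",
          "carol:$1$saltsalt$" + "C" * 22 + ":19000:0:99999:7:::",
          "dave:" + "D" * 13 + ":19000:0:99999:7:::",
          "eve:!:19000:0:99999:7:::"]
```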
.SH SEE ALSO
.BR crypt (3),
.BR crypt_r (3),
.BR crypt_ra (3),
.BR crypt_rn (3),
.BR crypt_gensalt (3),
.BR getpwent (3),
.BR passwd (5),
.BR shadow (5),
.BR pam (8)
.sp
Niels Provos and David Mazieres. A Future-Adaptable Password Scheme.
Proceedings of the 1999 USENIX Annual Technical Conference, June 1999.
.br
https://www.usenix.org/events/usenix99/provos.html
.sp
Robert Morris and Ken Thompson. Password Security: A Case History.
Communications of the ACM, Volume 22, Issue 11, 1979.
.br
http://wolfram.schneider.org/bsd/7thEdManVol2/password/password.pdf