Old 04-07-2011, 06:13 AM
Aaron Toponce
 
Hash salt (was BCRYPT - Why not using it?)

On Wed, Apr 06, 2011 at 06:37:38PM -1000, Joel Roth wrote:
> So is the salt a fixed number of characters?

From system to system, it varies. On my Fedora 14 virtual machine, it's 16
characters. On Debian 6.0 stable, it's 8.

> Otherwise, how would a process know which portion of the
> string is the salt?

You can read the shadow(5) manual on your Debian system to learn about the
syntax of the password. However, I'll give you the rundown:

The password is separated by '$'. Between the first and second '$' tells
the process what algorithm to use for the hash (MD5, SHA1, bcrypt, etc.).
Between the second and third '$' is the salt itself. After the third '$' is
the hash.

--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
 
Old 04-07-2011, 06:20 AM
Aaron Toponce
 
Hash salt (was BCRYPT - Why not using it?)

On Wed, Apr 06, 2011 at 11:52:04PM -0500, Ron Johnson wrote:
> Is the salt just bits that are either pre- or suffixed to your
> password before being run through the hashing function?

The salt is generally appended to the password. For the specific case of
passwd(1), I'm not entirely sure, without looking at the source.

> The first 3 characters of every hash in my /etc/shadow are the same.
> That's what, 24 bits?

That's... interesting. Each salt is created at random. Combined with the
password string, it should produce a very unique hash. Because your hashes
all start with the same 3 characters, then you've been very lucky in the
output, due to the immense size of the keyspace.

> But if your machine is rooted then (besides having lots of other
> problems) the attacker has your system-wide salt. (But the rainbow
> table would still be unimaginably huge...)

The salt is not system-wide, but local to the account. Each account will
have a unique salt, by default.

--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
 
Old 04-07-2011, 06:31 AM
Ron Johnson
 
Hash salt (was BCRYPT - Why not using it?)

On 04/07/2011 01:20 AM, Aaron Toponce wrote:
> On Wed, Apr 06, 2011 at 11:52:04PM -0500, Ron Johnson wrote:
> > Is the salt just bits that are either pre- or suffixed to your
> > password before being run through the hashing function?
>
> The salt is generally appended to the password. For the specific case of
> passwd(1), I'm not entirely sure, without looking at the source.
>
> > The first 3 characters of every hash in my /etc/shadow are the same.
> > That's what, 24 bits?
>
> That's... interesting. Each salt is created at random. Combined with the
> password string, it should produce a very unique hash. Because your hashes
> all start with the same 3 characters, then you've been very lucky in the
> output, due to the immense size of the keyspace.

Having the first 3 characters all be "$6$" makes sense based upon the
explanation in your other email. I thought that was the salt. Each
user's salt is definitely different.


--
"Neither the wisest constitution nor the wisest laws will secure
the liberty and happiness of a people whose manners are universally
corrupt."
Samuel Adams, essay in The Public Advertiser, 1749


Archive: http://lists.debian.org/4D9D5A3F.8040701@cox.net
 
Old 04-07-2011, 06:38 AM
Aaron Toponce
 
Hash salt (was BCRYPT - Why not using it?)

On Thu, Apr 07, 2011 at 01:31:27AM -0500, Ron Johnson wrote:
> Having the first 3 characters all be "$6$" makes sense based upon
> the explanation in your other email. I thought that was the salt.
> Each user's salt is definitely different.

Ah, those first 3 characters. Yeah, that tells you that your hash is of the
SHA512 form. I thought you meant the first 3 characters of the hash itself.
$alg$salt$password is the form.

--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
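A parser for the `$alg$salt$hash` field Aaron describes in his first and last posts, added here as an example and not part of the original thread. It also checks the point raised in the second exchange, that each account should carry its own salt. The shadow lines and hash strings are constructed placeholders; the `rounds=` and bcrypt layouts follow crypt(5) rather than anything stated in the thread.

```python
# Hash-method identifiers used by crypt(3) in the modular "$id$salt$hash" format.
METHODS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}

def parse_crypt_field(field):
    """Split a shadow password field into method, rounds, salt and hash;
    returns None for locked/empty fields ('*', '!', '') or non-'$id$' forms."""
    if not field.startswith("$"):
        return None
    parts = field.split("$")[1:]  # drop the empty piece before the first '$'
    if len(parts) < 3 or parts[0] not in METHODS:
        return None
    method = METHODS[parts[0]]
    if method == "bcrypt":
        # bcrypt stores cost, then 22 salt chars immediately followed by 31 hash chars
        cost, blob = parts[1], parts[2]
        if not cost.isdigit() or len(blob) != 53:
            return None
        return {"method": method, "rounds": int(cost), "salt": blob[:22], "hash": blob[22:]}
    rounds = None
    if parts[1].startswith("rounds="):  # optional sha-crypt work factor
        rounds = int(parts[1][7:])
        parts = [parts[0]] + parts[2:]
        if len(parts) < 3:
            return None
    return {"method": method, "rounds": rounds, "salt": parts[1], "hash": parts[2]}

def audit_shadow(lines):
    """Report accounts still on md5crypt and accounts that share a salt."""
    parsed = {}
    for line in lines:
        user, field = line.split(":")[:2]
        info = parse_crypt_field(field)
        if info is not None: parsed[user] = info
    by_salt = {}
    for user, info in parsed.items():
        by_salt.setdefault((info["method"], info["salt"]), []).append(user)
    return {
        "weak_method": sorted(u for u, i in parsed.items() if i["method"] == "md5crypt"),
        "shared_salt": sorted(u for u in by_salt.values() if len(u) > 1),
    }

# Constructed sample shadow lines (placeholder hashes): 8- and 16-char salts as on
# the Debian and Fedora systems mentioned in the thread, plus a locked account.
SAMPLE_SHADOW = [
    "alice:$6$Kq3zP9aB$" + "h" * 86 + ":15071:0:99999:7:::",
    "bob:$6$rounds=10000$Wm2xTq8LvN4cRs7e$" + "h" * 86 + ":15071:0:99999:7:::",
    "carol:$6$Kq3zP9aB$" + "k" * 86 + ":15071:0:99999:7:::",
    "dave:$1$abcdefgh$" + "m" * 22 + ":15071:0:99999:7:::",
    "eve:$2b$12$" + "s" * 22 + "t" * 31 + ":15071:0:99999:7:::",
    "svc:*:15071:0:99999:7:::",
]
```

Running `audit_shadow(SAMPLE_SHADOW)` flags `dave` for md5crypt and reports `alice` and `carol` as sharing a salt, which is what a per-account random salt should never produce.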