in reply to Tales from the crypt()

Hi.

The salt is similar to an identifier. I've heard specific algorithms use specific salts. I could be mistaken, but I believe perl uses either 3DES or DES. The first two characters comprise the salt used when the crypt function was called initially. When you perform some action that calls the crypt function ( such as login or su ), it extracts the first two characters ( the salt ), and attempts to 're-hash' your password with the following function:

if ( crypt( $data, $hashed_text ) eq $hashed_text ) {
    # additional code here.
}

Since you are hopefully using the same password, and since the crypt() function is using the same salt, it should create the same hashed string again. If these two conditions are true, they will match and..success!

Sample run:
#!/usr/bin/perl -w
use strict;

my $data = "Perlmonks!";
$data = crypt( $data, "hj" );
print $data, "\n";

#Results in...
C:\perl>perl crypt_test.pl
hjCQi34Qt4uGE

C:\perl>

As you can see, the salt ( "hj" ) can be found at the beginning of the string.
If you wanted to incorporate this into an application, you could do something like this:

#!/usr/bin/perl -w
use strict;

my $password;
my $salt;

print "Please enter password: ";
chomp( $password = <STDIN> );
print "Enter two-char salt: ";
chomp( $salt = <STDIN> );
$password = crypt( $password, $salt );

# Then to 'verify' the authenticity, use
# the value of $password you obtained earlier.
print "Please enter your password: ";
chomp( my $guess = <STDIN> );
print "Imposter!" if( crypt($guess, $password) ne $password);

I hope this helps,

-Katie a.k.a. DigitalKitty

Re: Re: Tales from the crypt()
by derby (Abbot) on May 25, 2002 at 04:44 UTC
Re: Re: Tales from the crypt()
by IlyaM (Parson) on May 25, 2002 at 21:15 UTC
    I could be mistaken, but I believe perl uses either 3DES or DES.

    From 'perldoc -f crypt': Encrypts a string exactly like the crypt(3) function in the C library. So actually Perl depends on the system library (aka libc on Unix systems) here. I've seen crypt return MD5 hashes on some systems.

    --
    Ilya Martynov (http://martynov.org/)
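
The verification step from the thread, written as an added example that is not part of either post: it reports which scheme a stored hash uses (the two-character-salt form or the "$id$" form that some libc versions return) and treats a failed crypt() call as a non-match. The helper names crypt_scheme, same_string and verify_password are hypothetical, and the stored hash is the one printed in the sample run above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helpers for illustration; not from the thread.

# Identify the scheme from the stored string. Traditional DES hashes are
# 13 characters starting with a two-character salt; modular-format hashes
# start with "$id$" (for example "$1$" for MD5-crypt).
sub crypt_scheme {
    my ($stored) = @_;
    return sprintf( 'modular ($%s$)', $1 ) if $stored =~ /^\$([0-9a-z]+)\$/;
    return 'traditional-des' if $stored =~ m{^[./0-9A-Za-z]{13}$};
    return 'unknown';
}

# Compare every character instead of stopping at the first difference.
sub same_string {
    my ( $x, $y ) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord( substr( $x, $_, 1 ) ) ^ ord( substr( $y, $_, 1 ) )
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Re-hash the guess with the stored hash as the salt argument, as in the
# post. crypt() is the system's crypt(3), so it can return undef or a short
# failure token when the scheme is unsupported; treat that as "no match".
sub verify_password {
    my ( $guess, $stored ) = @_;
    my $rehashed = crypt( $guess, $stored );
    return 0 unless defined $rehashed && length($rehashed) >= 13;
    return same_string( $rehashed, $stored );
}

my $stored = 'hjCQi34Qt4uGE';    # hash from the sample run above
printf "scheme: %s\n", crypt_scheme($stored);

# 'Perlmonk' is included because traditional DES crypt uses only the first
# eight characters of the password, so on a DES-based crypt() it is expected
# to verify just like the full password.
printf "%-12s %s\n", $_, verify_password( $_, $stored ) ? 'match' : 'no match'
    for 'Perlmonks!', 'perlmonks!', 'Perlmonk';
```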