[TriLUG] MD5 silly question

Jeremy Portzer jeremyp at pobox.com
Thu Jul 8 11:11:30 EDT 2004


On Thu, 2004-07-08 at 10:50, David Rasch wrote:
> Md5's don't use salting, and all md5's should be "the same" as they're
> defined by an RFC, but I wonder if the difference lies in java using
> unicode characters, while php uses 8-bit representations.  
> 

It's a bit odd to say that "MD5's don't use salting," because the use of
password salts is an outer layer, somewhat orthogonal to the hashing
algorithm itself, in this case MD5.  If you set your Linux system to use
MD5 passwords for example, salting *IS* used, as this is necessary to
reduce the efficacy of certain types of password-cracking methods.

For example, take a look at this sample /etc/shadow entry:
test:$1$PRiEJJDi$qcPHRTHnVBMhUlEfQwDkp.:11632:0:99999:7:::

Within the encrypted password field, the $'s are separators.  The 1
after the first $ is always the same (I guess it's some sort of
algorithm identifier), and the next section, PRiEJJDi, is the salt. 
When a user tries to log on, this salt is added to the password the user
types, and the resulting combined string is MD5 hashed.  If the password
is correct, the resulting hash will be identical to the final field,
qcPHRTHnVBMhUlEfQwDkp.  (This is Base64 encoded I think, not hex
encoded; I'm not sure about that.)

An easy way to play around with this is the crypt(3) library function,
accessible in Perl as well (see "perldoc -f crypt" for usage).

--Jeremy

-- 
/---------------------------------------------------------------------\
| Jeremy Portzer        jeremyp at pobox.com      trilug.org/~jeremy     |
| GPG Fingerprint: 712D 77C7 AB2D 2130 989F  E135 6F9F F7BC CC1A 7B92 |
\---------------------------------------------------------------------/
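
The salted hashing described above, as an added example that is not part of the original post: a pure-Python implementation of the $1$ (md5-crypt) scheme behind crypt(3), which pulls the salt out of a shadow password field and re-hashes a candidate password with it. The function names and the password "hunter2" are constructed for illustration; the password behind the sample entry is not given in the post, so the demo only parses that entry.

```python
import hashlib
import hmac

# crypt(3)'s own 64-character alphabet (not RFC 4648 base64)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    out = ""
    for _ in range(count):          # least-significant 6 bits first
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5_crypt(password: bytes, salt: bytes) -> str:
    salt = salt[:8]                 # at most 8 salt characters are used
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt)
    ctx.update((alt * (len(password) // 16 + 1))[:len(password)])
    n = len(password)
    while n:                        # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):           # fixed stretching rounds
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4)
                  for a, b, c in order)
    return "$1$" + salt.decode() + "$" + enc + _to64(final[11], 2)

def parse_shadow_field(field: str):
    _, scheme, salt, digest = field.split("$")   # "$1$salt$hash"
    return scheme, salt, digest

def verify(candidate: bytes, field: str) -> bool:
    scheme, salt, _ = parse_shadow_field(field)
    if scheme != "1":
        raise ValueError("only $1$ (md5-crypt) is handled here")
    return hmac.compare_digest(md5_crypt(candidate, salt.encode()), field)

if __name__ == "__main__":
    entry = "test:$1$PRiEJJDi$qcPHRTHnVBMhUlEfQwDkp.:11632:0:99999:7:::"
    print(parse_shadow_field(entry.split(":")[1]))
    stored = md5_crypt(b"hunter2", b"PRiEJJDi")   # constructed password
    print(stored, verify(b"hunter2", stored), verify(b"hunter3", stored))
```

Hashing the same password with a different salt gives an unrelated 22-character string, which is why a single precomputed table cannot be reused across entries.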