Crypto
oops, my bad (was: choice of salt) Oct 31 2007 03:08PM
SecFocus subscriber Dave Aronson (secfocus2dave davearonson com) (1 replies)
Re: oops, my bad (was: choice of salt) Oct 31 2007 03:18PM
Jamie Riden (jamie riden gmail com)
On 31/10/2007, SecFocus subscriber Dave Aronson
<secfocus2dave (at) davearonson (dot) com> wrote:
> I think I see where I misgrokked the original situation. I *initially* thought that what was being described was, in pseudocode:
>
> storedPwd = crypt (givenPwd, firstTwoChars (crypt (givenPwd, "")));
>
> IOW, a decidedly non-random salt, derived from the password, thus next to worthless. But, upon following the links given (d'oh!), it seems to be:
>
> salt = makeTwoCharsFrom (firstTwelveBits (random32BitValue()));
> storedPwd = salt + crypt (givenPwd, salt);
>
> IOW, htpasswd *does* indeed use a random salt, just not a separate field for it, instead prepending it to the password, as two chars.
>
> Is that correct?

Yep, or at least my copy does. Both users have the same password:

jamie:rsoFT4a25m03Y
james:K/iHO0nSs5ADw

cheers,
Jamie
--
Jamie Riden / jamesr (at) europe (dot) com / jamie (at) honeynet.org (dot) uk
UK Honeynet Project: http://www.ukhoneynet.org/
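
Added example, not part of either poster's message: a Python sketch of the layout discussed in this thread. It splits 13-character traditional crypt() entries into their two-character salt and 11-character hash, and flags entries that share a salt. The function names are hypothetical, and the bit order used to turn the salt characters into a 12-bit number is an assumption that follows common DES crypt implementations.

```python
import secrets
from collections import defaultdict

# crypt(3) salt alphabet: each character carries 6 bits (value = index).
CRYPT_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def make_salt():
    """Mirror the thread's pseudocode: two chars from 12 bits of a random 32-bit value."""
    bits = secrets.randbits(32) & 0xFFF
    return CRYPT_B64[bits & 0x3F] + CRYPT_B64[(bits >> 6) & 0x3F]

def parse_entry(line):
    """Split 'user:stored' where stored is salt (2 chars) + hash (11 chars)."""
    user, sep, stored = line.strip().partition(":")
    if not sep or len(stored) != 13 or any(c not in CRYPT_B64 for c in stored):
        raise ValueError(f"not a traditional crypt() entry: {line!r}")
    salt, digest = stored[:2], stored[2:]
    # Assumed bit order: first character is the low 6 bits, second the high 6.
    salt_bits = CRYPT_B64.index(salt[0]) | (CRYPT_B64.index(salt[1]) << 6)
    return {"user": user, "salt": salt, "salt_bits": salt_bits, "digest": digest}

def shared_salts(lines):
    """Return {salt: [users]} for every salt that appears in more than one entry.

    With only 4096 possible salts, reuse is expected in a large file; users who
    share a salt AND a hash have the same password.
    """
    by_salt = defaultdict(list)
    for line in lines:
        entry = parse_entry(line)
        by_salt[entry["salt"]].append(entry["user"])
    return {salt: users for salt, users in by_salt.items() if len(users) > 1}

if __name__ == "__main__":
    # The two entries quoted in the message above (same password, different salts).
    entries = ["jamie:rsoFT4a25m03Y", "james:K/iHO0nSs5ADw"]
    for e in map(parse_entry, entries):
        print(e["user"], "salt =", e["salt"], "->", e["salt_bits"], "hash =", e["digest"])
    print("salts reused:", shared_salts(entries))
    # Constructed line: a third user whose entry reuses jamie's salt.
    print("salts reused:", shared_salts(entries + ["guest:rsoFT4a25m03Y"]))
    print("fresh salt:", make_salt())
```
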

Copyright 2010, SecurityFocus