ch22_17.htm

the unix power tools

<HTML
><!--Distributed by F --><HEAD
><TITLE
>[Chapter 22] 22.17 Ways of Improving the Security of crypt </TITLE
><META
NAME="DC.title"
CONTENT="UNIX Power Tools"><META
NAME="DC.creator"
CONTENT="Jerry Peek, Tim O'Reilly &amp; Mike Loukides"><META
NAME="DC.publisher"
CONTENT="O'Reilly &amp; Associates, Inc."><META
NAME="DC.date"
CONTENT="1998-08-04T21:40:38Z"><META
NAME="DC.type"
CONTENT="Text.Monograph"><META
NAME="DC.format"
CONTENT="text/html"
SCHEME="MIME"><META
NAME="DC.source"
CONTENT="1-56592-260-3"
SCHEME="ISBN"><META
NAME="DC.language"
CONTENT="en-US"><META
NAME="generator"
CONTENT="Jade 1.1/O'Reilly DocBook 3.0 to HTML 4.0"><LINK
REV="made"
HREF="mailto:online-books@oreilly.com"
TITLE="Online Books Comments"><LINK
REL="up"
HREF="ch22_01.htm"
TITLE="22. File Security, Ownership, and Sharing"><LINK
REL="prev"
HREF="ch22_16.htm"
TITLE="22.16 Copying Permissions with cpmod "><LINK
REL="next"
HREF="ch22_18.htm"
TITLE="22.18 Clear Your Terminal for Security, to Stop Burn-in "></HEAD
><BODY
BGCOLOR="#FFFFFF"
TEXT="#000000"
><DIV
CLASS="htmlnav"
><H1
><IMG
SRC="gifs/smbanner.gif"
ALT="UNIX Power Tools"
USEMAP="#srchmap"
BORDER="0"></H1
><MAP
NAME="srchmap"
><AREA
SHAPE="RECT"
COORDS="0,0,466,58"
HREF="index.htm"
ALT="UNIX Power Tools"><AREA
SHAPE="RECT"
COORDS="467,0,514,18"
HREF="jobjects/fsearch.htm"
ALT="Search this book"></MAP
><TABLE
WIDTH="515"
BORDER="0"
CELLSPACING="0"
CELLPADDING="0"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="172"
><A
CLASS="SECT1"
HREF="ch22_16.htm"
TITLE="22.16 Copying Permissions with cpmod "
><IMG
SRC="gifs/txtpreva.gif"
SRC="gifs/txtpreva.gif"
ALT="Previous: 22.16 Copying Permissions with cpmod "
BORDER="0"></A
></TD
><TD
ALIGN="CENTER"
VALIGN="TOP"
WIDTH="171"
><B
><FONT
FACE="ARIEL,HELVETICA,HELV,SANSERIF"
SIZE="-1"
>Chapter 22<BR>File Security, Ownership, and Sharing</FONT
></B
></TD
><TD
ALIGN="RIGHT"
VALIGN="TOP"
WIDTH="172"
><A
CLASS="SECT1"
HREF="ch22_18.htm"
TITLE="22.18 Clear Your Terminal for Security, to Stop Burn-in "
><IMG
SRC="gifs/txtnexta.gif"
SRC="gifs/txtnexta.gif"
ALT="Next: 22.18 Clear Your Terminal for Security, to Stop Burn-in "
BORDER="0"></A
></TD
></TR
></TABLE
>&nbsp;<HR
ALIGN="LEFT"
WIDTH="515"
TITLE="footer"></DIV
><DIV
CLASS="SECT1"
><H2
CLASS="sect1"
><A
CLASS="title"
NAME="UPT-ART-3040"
>22.17 Ways of Improving the Security of crypt </A
></H2
><P
CLASS="para"
><A
CLASS="indexterm"
NAME="AUTOID-24716"
></A
><A
CLASS="indexterm"
NAME="AUTOID-24718"
></A
><A
CLASS="indexterm"
NAME="AUTOID-24720"
></A
>Files encrypted with
<EM
CLASS="emphasis"
>crypt</EM
> are exceedingly easy for a cryptographer to break.
For several years, it has been possible for noncryptographers
to break messages encrypted with <EM
CLASS="emphasis"
>crypt</EM
> as well,<A
CLASS="indexterm"
NAME="AUTOID-24726"
></A
><A
CLASS="indexterm"
NAME="AUTOID-24728"
></A
><A
CLASS="indexterm"
NAME="AUTOID-24730"
></A
><A
CLASS="indexterm"
NAME="AUTOID-24732"
></A
>
thanks to a program developed in 1986 by Robert Baldwin at the MIT 
Laboratory for Computer Science. Baldwin's program, 
Crypt Breaker's Workbench (<EM
CLASS="emphasis"
>cbw</EM
>),
automatically decrypts text files encrypted with
<EM
CLASS="emphasis"
>crypt</EM
> within a matter of minutes.</P
><P
CLASS="para"
><EM
CLASS="emphasis"
>cbw</EM
> has been widely distributed; as a result, files encrypted
with <EM
CLASS="emphasis"
>crypt</EM
> should not be considered secure. (They weren't
secure before <EM
CLASS="emphasis"
>cbw</EM
> was distributed; fewer people simply had the technical skill necessary to break them.)</P
><P
CLASS="para"
>Although we recommend that you do not use <EM
CLASS="emphasis"
>crypt</EM
> to encrypt files
more than 1 k long. Nevertheless, you
may have no other encryption system readily available to you. If this is
the case, you are better off using <EM
CLASS="emphasis"
>crypt</EM
> than nothing at
all. You can also take a few simple precautions to
decrease the chances that your encrypted files will be decrypted:</P
><UL
CLASS="itemizedlist"
><LI
CLASS="listitem"
><P
CLASS="para"
>Encrypt the file multiple times, using different keys at each stage.
This essentially changes the transformation.</P
></LI
><LI
CLASS="listitem"
><P
CLASS="para"
><SPAN
CLASS="link"
>Compress (<A
CLASS="linkend"
HREF="ch24_07.htm"
TITLE="Compressing Files to Save Space "
>24.7</A
>)</SPAN
>
your files before encrypting them.
Compressing a file
alters the information&nbsp;- the plain
<SPAN
CLASS="link"
>ASCII (<A
CLASS="linkend"
HREF="ch51_03.htm"
TITLE="ASCII Characters: Listing and Getting Values "
>51.3</A
>)</SPAN
>
text&nbsp;- that programs such as
<EM
CLASS="emphasis"
>cbw</EM
> use to determine when they have correctly assembled part of
the encryption key. If your message does not decrypt into plain text,
<EM
CLASS="emphasis"
>cbw</EM
> will not determine 
when it has correctly decrypted your message.
However, if your attackers know you have done this, they can modify their
version of <EM
CLASS="emphasis"
>cbw</EM
> accordingly.</P
></LI
><LI
CLASS="listitem"
><P
CLASS="para"
>If you use <EM
CLASS="emphasis"
>compress</EM
> or <EM
CLASS="emphasis"
>pack</EM
> to compress your file, 
remove the three-byte header.
Files compressed with <EM
CLASS="emphasis"
>compress</EM
> contain a three-byte signature,
or header, consisting of the hexadecimal values <CODE
CLASS="literal"
>1f</CODE
>, <CODE
CLASS="literal"
>9d</CODE
>,
and <CODE
CLASS="literal"
>90</CODE
> (in that order). If your attacker believes that
your file was compressed before it was encrypted, knowing 
how the first three bytes decrypt can help him to decrypt
the rest of the file. You can strip these three bytes with the
<SPAN
CLASS="link"
><EM
CLASS="emphasis"
>dd</EM
> (<A
CLASS="linkend"
HREF="ch35_06.htm"
TITLE="Low-Level File Butchery with dd "
>35.6</A
>)</SPAN
>
command: 
[2]</P
><BLOCKQUOTE
CLASS="footnote"
><P
CLASS="para"
>[2] Using <EM
CLASS="emphasis"
>dd</EM
> this way is very slow and inefficient. If you are
going to be encrypting a lot of compressed files, you may wish to
write a small program to remove the header more efficiently.</P
></BLOCKQUOTE
><P
CLASS="para"
><BLOCKQUOTE
CLASS="screen"
><PRE
CLASS="screen"
>% <CODE
CLASS="userinput"
><B
>compress -c &lt;plain | dd bs=3 skip=1 | crypt &gt;encrypted</B
></CODE
></PRE
></BLOCKQUOTE
></P
><P
CLASS="para"
>Of course, you must remember to replace the three-byte header before you
attempt to uncompress the file.
You can get a header
by compressing
<SPAN
CLASS="link"
><EM
CLASS="emphasis"
>/dev/null</EM
> (<A
CLASS="linkend"
HREF="ch13_14.htm"
TITLE="What Can You Do with an Empty File? "
>13.14</A
>)</SPAN
>:</P
><P
CLASS="para"
><TABLE
CLASS="screen.co"
BORDER="1"
><TR
><TH
VALIGN="TOP"
><PRE
CLASS="calloutlist"
>
<A
CLASS="co"
HREF="ch13_07.htm"
TITLE="13.7 The () Subshell Operators "
>( )</A
> </PRE
></TH
><TD
VALIGN="TOP"
><PRE
CLASS="screen"
>
% <CODE
CLASS="userinput"
><B
>(compress -cf /dev/null;crypt &lt;encrypted) | uncompress -c &gt;plain</B
></CODE
></PRE
></TD
></TR
></TABLE
></P
><P
CLASS="para"
></P
></LI
><LI
CLASS="listitem"
><P
CLASS="para"
>If you do not have <EM
CLASS="emphasis"
>compress</EM
>, use
<SPAN
CLASS="link"
><EM
CLASS="emphasis"
>tar</EM
> (<A
CLASS="linkend"
HREF="ch19_05.htm"
TITLE="Using tar to Create and Unpack Archives "
>19.5</A
>)</SPAN
>
to bundle your file to
be encrypted with other files containing random data; then encrypt the
<EM
CLASS="emphasis"
>tar</EM
> file.
The presence of random data will make it more difficult for decryption
programs such as <EM
CLASS="emphasis"
>cbw</EM
> to isolate your plain text.</P
></LI
></UL
><DIV
CLASS="sect1info"
><P
CLASS="SECT1INFO"
>- <SPAN
CLASS="authorinitials"
>SG</SPAN
>, <SPAN
CLASS="authorinitials"
>GS</SPAN
></P
></DIV
></DIV
><DIV
CLASS="htmlnav"
><P
></P
><HR
ALIGN="LEFT"
WIDTH="515"
TITLE="footer"><TABLE
WIDTH="515"
BORDER="0"
CELLSPACING="0"
CELLPADDING="0"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="172"
><A
CLASS="SECT1"
HREF="ch22_16.htm"
TITLE="22.16 Copying Permissions with cpmod "
><IMG
SRC="gifs/txtpreva.gif"
SRC="gifs/txtpreva.gif"
ALT="Previous: 22.16 Copying Permissions with cpmod "
BORDER="0"></A
></TD
><TD
ALIGN="CENTER"
VALIGN="TOP"
WIDTH="171"
><A
CLASS="book"
HREF="index.htm"
TITLE="UNIX Power Tools"
><IMG
SRC="gifs/txthome.gif"
SRC="gifs/txthome.gif"
ALT="UNIX Power Tools"
BORDER="0"></A
></TD
><TD
ALIGN="RIGHT"
VALIGN="TOP"
WIDTH="172"
><A
CLASS="SECT1"
HREF="ch22_18.htm"
TITLE="22.18 Clear Your Terminal for Security, to Stop Burn-in "
><IMG
SRC="gifs/txtnexta.gif"
SRC="gifs/txtnexta.gif"
ALT="Next: 22.18 Clear Your Terminal for Security, to Stop Burn-in "
BORDER="0"></A
></TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="172"
>22.16 Copying Permissions with cpmod </TD
><TD
ALIGN="CENTER"
VALIGN="TOP"
WIDTH="171"
><A
CLASS="index"
HREF="index/idx_0.htm"
TITLE="Book Index"
><IMG
SRC="gifs/index.gif"
SRC="gifs/index.gif"
ALT="Book Index"
BORDER="0"></A
></TD
><TD
ALIGN="RIGHT"
VALIGN="TOP"
WIDTH="172"
>22.18 Clear Your Terminal for Security, to Stop Burn-in </TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="515"
TITLE="footer"><IMG
SRC="gifs/smnavbar.gif"
SRC="gifs/smnavbar.gif"
USEMAP="#map"
BORDER="0"
ALT="The UNIX CD Bookshelf Navigation"><MAP
NAME="map"
><AREA
SHAPE="RECT"
COORDS="0,0,73,21"
HREF="../index.htm"
ALT="The UNIX CD Bookshelf"><AREA
SHAPE="RECT"
COORDS="74,0,163,21"
HREF="index.htm"
ALT="UNIX Power Tools"><AREA
SHAPE="RECT"
COORDS="164,0,257,21"
HREF="../unixnut/index.htm"
ALT="UNIX in a Nutshell"><AREA
SHAPE="RECT"
COORDS="258,0,321,21"
HREF="../vi/index.htm"
ALT="Learning the vi Editor"><AREA
SHAPE="RECT"
COORDS="322,0,378,21"
HREF="../sedawk/index.htm"
ALT="sed &amp; awk"><AREA
SHAPE="RECT"
COORDS="379,0,438,21"
HREF="../ksh/index.htm"
ALT="Learning the Korn Shell"><AREA
SHAPE="RECT"
COORDS="439,0,514,21"
HREF="../lrnunix/index.htm"
ALT="Learning the UNIX Operating System"></MAP
></DIV
></BODY
></HTML
>