crypt.html

FreeBSD操作系统的详细使用手册

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>DES, MD5, and Crypt</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Security" href="security.html" />
<link rel="PREVIOUS" title="Securing FreeBSD" href="securing-freebsd.html" />
<link rel="NEXT" title="One-time Passwords" href="one-time-passwords.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD Handbook</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="securing-freebsd.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 14 Security</td>
<td width="10%" align="right" valign="bottom"><a href="one-time-passwords.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="CRYPT" name="CRYPT">14.4 DES, MD5, and Crypt</a></h1>

<i class="AUTHORGROUP"><span class="CONTRIB">Parts rewritten and updated by</span> Bill
Swingle.</i> 

<p>Every user on a <span class="TRADEMARK">UNIX</span>&reg; system has a password
associated with their account. It seems obvious that these passwords need to be known
only to the user and the actual operating system. In order to keep these passwords
secret, they are encrypted with what is known as a ``one-way hash'', that is, they can
only be easily encrypted but not decrypted. In other words, what we told you a moment ago
was obvious is not even true: the operating system itself does not <span
class="emphasis"><i class="EMPHASIS">really</i></span> know the password. It only knows
the <span class="emphasis"><i class="EMPHASIS">encrypted</i></span> form of the password.
The only way to get the ``plain-text'' password is by a brute force search of the space
of possible passwords.</p>

<p>Unfortunately the only secure way to encrypt passwords when <span
class="TRADEMARK">UNIX</span> came into being was based on DES, the Data Encryption
Standard. This was not such a problem for users resident in the US, but since the source
code for DES could not be exported outside the US, FreeBSD had to find a way to both
comply with US law and retain compatibility with all the other <span
class="TRADEMARK">UNIX</span> variants that still used DES.</p>

<p>The solution was to divide up the encryption libraries so that US users could install
the DES libraries and use DES but international users still had an encryption method that
could be exported abroad. This is how FreeBSD came to use MD5 as its default encryption
method. MD5 is believed to be more secure than DES, so installing DES is offered
primarily for compatibility reasons.</p>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN19149" name="AEN19149">14.4.1 Recognizing Your Crypt
Mechanism</a></h2>

<p>Before FreeBSD&nbsp;4.4 <tt class="FILENAME">libcrypt.a</tt> was a symbolic link
pointing to the library which was used for encryption. FreeBSD&nbsp;4.4 changed <tt
class="FILENAME">libcrypt.a</tt> to provide a configurable password authentication hash
library. Currently the library supports DES, MD5 and Blowfish hash functions. By default
FreeBSD uses MD5 to encrypt passwords.</p>

<p>It is pretty easy to identify which encryption method FreeBSD is set up to use.
Examining the encrypted passwords in the <tt class="FILENAME">/etc/master.passwd</tt>
file is one way. Passwords encrypted with the MD5 hash are longer than those encrypted
with the DES hash and also begin with the characters <var class="LITERAL">$1$</var>.
Passwords starting with <var class="LITERAL">$2a$</var> are encrypted with the Blowfish
hash function. DES password strings do not have any particular identifying
characteristics, but they are shorter than MD5 passwords, and are coded in a 64-character
alphabet which does not include the <var class="LITERAL">$</var> character, so a
relatively short string which does not begin with a dollar sign is very likely a DES
password.</p>

<p>The password format used for new passwords is controlled by the <var
class="LITERAL">passwd_format</var> login capability in <tt
class="FILENAME">/etc/login.conf</tt>, which takes values of <var
class="LITERAL">des</var>, <var class="LITERAL">md5</var> or <var
class="LITERAL">blf</var>. See the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=login.conf&sektion=5"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">login.conf</span>(5)</span></a> manual
page for more information about login capabilities.</p>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="securing-freebsd.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="one-time-passwords.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Securing FreeBSD</td>
<td width="34%" align="center" valign="top"><a href="security.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">One-time Passwords</td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a
href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting &#60;<a
href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>&#62;.<br />
For questions about this documentation, e-mail &#60;<a
href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>&#62;.</small></p>
</body>
</html>