docs/157049: FreeBSD Handbook: Chapter 14 (Security) Inaccuracy
Jeffrey Walton
noloader at gmail.com
Sun May 15 03:10:13 UTC 2011
>Number: 157049
>Category: docs
>Synopsis: FreeBSD Handbook: Chapter 14 (Security) Inaccuracy
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Sun May 15 03:10:12 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Jeffrey Walton
>Release: Apple's Flavor
>Organization:
None
>Environment:
Darwin newton 10.7.0 Darwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386 i38
>Description:
>From the FreeBSD Handbook (http://www.freebsd.org/doc/en/books/handbook/crypt.html):
14.4 DES, Blowfish, MD5, and Crypt
...
Unfortunately the only secure way to encrypt passwords when
UNIX came into being was based on DES, the Data Encryption
Standard.
I believe the above is not accurate. According to Password Security: A Case History [1], Morris and Thompson write in their PROLOGUE:
The UNIX system was first implemented with a password file
that contained the actual passwords of all the users....
Later, under THE FIRST SCHEME, Morris and Thompson write:
A convenient and rather good encryption program happened to
exist on the system at the time; it simulated the M-209 cipher
machine used by the U.S. Army during World War II. It turned
out that the M-209 program was usable, but with a given key,
the ciphers produced by this program are trivial to invert. ...
the password was used not as the text to be encrypted but as
the key, and a constant was encrypted using this key.
I'm a big fan of history, and others might also find Morris and Thompson's history of the Unix password system interesting.
Jeffrey Walton
Baltimore, MD, US
[1] www.cs.bell-labs.com/who/dmr/passwd.ps
>How-To-Repeat:
N/A
>Fix:
N/A
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-doc
mailing list