1.\" $NetBSD: crypt.3,v 1.18 2004/06/10 13:53:48 uebayasi Exp $ 2.\" 3.\" Copyright (c) 1989, 1991, 1993 4.\" The Regents of the University of California. All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. Neither the name of the University nor the names of its contributors 15.\" may be used to endorse or promote products derived from this software 16.\" without specific prior written permission. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" 30.\" @(#)crypt.3 8.2 (Berkeley) 12/11/93 31.\" 32.Dd December 11, 1993 33.Dt CRYPT 3 34.Os 35.Sh NAME 36.Nm crypt , 37.Nm setkey , 38.Nm encrypt , 39.Nm des_setkey , 40.Nm des_cipher 41.Nd password encryption 42.Sh LIBRARY 43.Lb libcrypt 44.Sh SYNOPSIS 45.In unistd.h 46.Ft char 47.Fn *crypt "const char *key" "const char *setting" 48.Ft int 49.Fn encrypt "char *block" "int flag" 50.Ft int 51.Fn des_setkey "const char *key" 52.Ft int 53.Fn des_cipher "const char *in" "char *out" "long salt" "int count" 54.In stdlib.h 55.Ft int 56.Fn setkey "const char *key" 57.Sh DESCRIPTION 58The 59.Fn crypt 60function 61performs password encryption. 62The encryption scheme used by 63.Fn crypt 64is dependent upon the contents of the 65.Dv NUL Ns -terminated 66string 67.Ar setting . 68If it begins 69with a string character 70.Pq Ql $ 71and a number then a different algorithm is used depending on the number. 72At the moment a 73.Ql $1 74chooses MD5 hashing and a 75.Ql $2 76chooses Blowfish hashing; see below for more information. 77If 78.Ar setting 79begins with the ``_'' character, DES encryption with a user specified number 80of perturbations is selected. 81If 82.Ar setting 83begins with any other character, DES encryption with a fixed number 84of perturbations is selected. 85.Ss DES encryption 86The DES encryption scheme is derived from the 87.Tn NBS 88Data Encryption Standard. 89Additional code has been added to deter key search attempts and to use 90stronger hashing algorithms. 91In the DES case, the first argument to 92.Fn crypt 93is a character array, 9 bytes in length, consisting of an underscore (``_'') 94followed by 4 bytes of iteration count and 4 bytes of salt. 95Both the iteration 96.Fa count 97and the 98.Fa salt 99are encoded with 6 bits per character, least significant bits first. 100The values 0 to 63 are encoded by the characters ``./0-9A-Za-z'', 101respectively. 102.Pp 103The 104.Fa salt 105is used to induce disorder in to the 106.Tn DES 107algorithm 108in one of 16777216 109possible ways 110(specifically, if bit 111.Em i 112of the 113.Ar salt 114is set then bits 115.Em i 116and 117.Em i+24 118are swapped in the 119.Tn DES 120``E'' box output). 121The 122.Ar key 123is divided into groups of 8 characters (a short final group is null-padded) 124and the low-order 7 bits of each character (56 bits per group) are 125used to form the DES key as follows: the first group of 56 bits becomes the 126initial DES key. 127For each additional group, the XOR of the group bits and the encryption of 128the DES key with itself becomes the next DES key. 129Then the final DES key is used to perform 130.Ar count 131cumulative encryptions of a 64-bit constant. 132The value returned is a 133.Dv NUL Ns -terminated 134string, 20 bytes in length, consisting 135of the 136.Ar setting 137followed by the encoded 64-bit encryption. 138.Pp 139For compatibility with historical versions of 140.Xr crypt 3 , 141the 142.Ar setting 143may consist of 2 bytes of salt, encoded as above, in which case an 144iteration 145.Ar count 146of 25 is used, fewer perturbations of 147.Tn DES 148are available, at most 8 149characters of 150.Ar key 151are used, and the returned value is a 152.Dv NUL Ns -terminated 153string 13 bytes in length. 154.Pp 155The 156functions 157.Fn encrypt , 158.Fn setkey , 159.Fn des_setkey 160and 161.Fn des_cipher 162allow limited access to the 163.Tn DES 164algorithm itself. 165The 166.Ar key 167argument to 168.Fn setkey 169is a 64 character array of 170binary values (numeric 0 or 1). 171A 56-bit key is derived from this array by dividing the array 172into groups of 8 and ignoring the last bit in each group. 173.Pp 174The 175.Fn encrypt 176argument 177.Fa block 178is also a 64 character array of 179binary values. 180If the value of 181.Fa flag 182is 0, 183the argument 184.Fa block 185is encrypted, otherwise it 186is decrypted. 187The encryption or decryption is returned in the original 188array 189.Fa block 190after using the 191key specified 192by 193.Fn setkey 194to process it. 195.Pp 196The 197.Fn des_setkey 198and 199.Fn des_cipher 200functions are faster but less portable than 201.Fn setkey 202and 203.Fn encrypt . 204The argument to 205.Fn des_setkey 206is a character array of length 8. 207The 208.Em least 209significant bit in each character is ignored and the next 7 bits of each 210character are concatenated to yield a 56-bit key. 211The function 212.Fn des_cipher 213encrypts (or decrypts if 214.Fa count 215is negative) the 64-bits stored in the 8 characters at 216.Fa in 217using 218.Xr abs 3 219of 220.Fa count 221iterations of 222.Tn DES 223and stores the 64-bit result in the 8 characters at 224.Fa out . 225The 226.Fa salt 227specifies perturbations to 228.Tn DES 229as described above. 230.Ss MD5 encryption 231For the 232.Tn MD5 233encryption scheme, the version number (in this case ``1''), 234.Fa salt 235and the hashed password are separated 236by the ``$'' character. 237A valid password looks like this: 238.Pp 239``$1$2qGr5PPQ$eT08WBFev3RPLNChixg0H.''. 240.Pp 241The entire password string is passed as 242.Fa setting 243for interpretation. 244.Ss "Blowfish" crypt 245The 246.Tn Blowfish 247version of crypt has 128 bits of 248.Fa salt 249in order to make building dictionaries of common passwords space consuming. 250The initial state of the 251.Tn Blowfish 252cipher is expanded using the 253.Fa salt 254and the 255.Fa password 256repeating the process a variable number of rounds, which is encoded in 257the password string. 258The maximum password length is 72. 259The final Blowfish password entry is created by encrypting the string 260.Pp 261.Dq OrpheanBeholderScryDoubt 262.Pp 263with the 264.Tn Blowfish 265state 64 times. 266.Pp 267The version number, the logarithm of the number of rounds and 268the concatenation of salt and hashed password are separated by the 269.Ql $ 270character. 271An encoded 272.Sq 8 273would specify 256 rounds. 274A valid Blowfish password looks like this: 275.Pp 276.Dq $2a$12$eIAq8PR8sIUnJ1HaohxX2O9x9Qlm2vK97LJ5dsXdmB.eXF42qjchC . 277.Pp 278The whole Blowfish password string is passed as 279.Fa setting 280for interpretation. 281.Sh RETURN VALUES 282The function 283.Fn crypt 284returns a pointer to the encrypted value on success and NULL on failure. 285The functions 286.Fn setkey , 287.Fn encrypt , 288.Fn des_setkey , 289and 290.Fn des_cipher 291return 0 on success and 1 on failure. 292Historically, the functions 293.Fn setkey 294and 295.Fn encrypt 296did not return any value. 297They have been provided return values primarily to distinguish 298implementations where hardware support is provided but not 299available or where the DES encryption is not available due to the 300usual political silliness. 301.Sh SEE ALSO 302.Xr login 1 , 303.Xr passwd 1 , 304.Xr getpass 3 , 305.Xr md5 3 , 306.Xr passwd 5 , 307.Xr passwd.conf 5 308.Rs 309.%T "Mathematical Cryptology for Computer Scientists and Mathematicians" 310.%A Wayne Patterson 311.%D 1987 312.%N ISBN 0-8476-7438-X 313.Re 314.Rs 315.%T "Password Security: A Case History" 316.%A R. Morris 317.%A Ken Thompson 318.%J "Communications of the ACM" 319.%V vol. 22 320.%P pp. 594-597 321.%D Nov. 1979 322.Re 323.Rs 324.%T "DES will be Totally Insecure within Ten Years" 325.%A M.E. Hellman 326.%J "IEEE Spectrum" 327.%V vol. 16 328.%P pp. 32-39 329.%D July 1979 330.Re 331.Sh HISTORY 332A rotor-based 333.Fn crypt 334function appeared in 335.At v6 . 336The current style 337.Fn crypt 338first appeared in 339.At v7 . 340.Sh BUGS 341Dropping the 342.Em least 343significant bit in each character of the argument to 344.Fn des_setkey 345is ridiculous. 346.Pp 347The 348.Fn crypt 349function leaves its result in an internal static object and returns 350a pointer to that object. 351Subsequent calls to 352.Fn crypt 353will modify the same object. 354