httpd-dev mailing list archives

From Paul Richards <p...@netcraft.co.uk>
Subject Re: secure transfer using skey
Date Mon, 04 Sep 1995 19:56:18 GMT
In reply to Aram W. Mirzadeh who said
> 
> At 02:33 PM 9/2/95 +0800, you wrote:
> 
> DES( I think ) you can add crypt to it.... but you have to load a whole bunch
> of stuff into it.  The only difference between FreeBSD, and Linux is that 
> FreeBSD is a US product, the main production goes on here.   Linux's 
> main production is in Finland.  Which means, they don't have access to 
> things like crypt, so it never gets into the distribution.  I'm sure someone 
> out there has created the correct files/libs for crypt to get integrated into
> Linux, but most likely, it will never get into the public distribution. 

FreeBSD is most definitely NOT a US product and you should be rather more
careful about making definitive statements about projects that you are not
directly involved in. FreeBSD is an international project just like Apache
is, it just happens to be hosted on a US site at this point in time.

Anyway, onto the technical issues, FreeBSD has an MD5 based crypt which IS
exportable because it is a one-way encoding and is therefore not
encryption. An algorithm is only encryption technology if the encrypted
item can be decrypted using a key. MD5 cannot be and therefore is not
encryption and is therefore not covered by the export laws. The libcrypt
library in FreeBSD is carefully designed to only do the one-way encoding
so that it is not covered by US export restrictions. 

A one-way encoding is ideal for authentication purposes since all you are
doing is scrambling the plain-text password in some way to make it unreadable.
A one-way encoding algorithm such as MD5 is actually far more secure
than an encryption algorithm such as DES because given enough time
and the encrypted passwords you can crack the code and do the decryption.
You simply *can't* decrypt MD5 encoded passwords so even if you manage
to get ahold of the encoded passwords there's no way to get back the
plain-text passwords.

We also supply a DES based crypt of which there are two versions,
one of which is available on US sites and another that is available
on non-US sites, although in practice they're identical since the
changes to the non-US version get imported to the US version.

FreeBSD has s/key by default and it works perfectly well with either
crypt library since all the crypt() call does is encode the plain-text
in some way and whether you use a one-way encoding such as MD5 or an
encryption algorithm such as DES makes no difference.

I guess a lot of people here already know all about this but some probably
don't.

DISCLAIMER: This really isn't my area, I just know how we use it in
FreeBSD.

-- 
  Paul Richards, Bluebird Computer Systems.
  Internet: paul@FreeBSD.org, http://www.freebsd.org/~paul
  Phone: 0370 462071 (Mobile), +44 1222 457651 (home)
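
The verify-by-recomputing pattern for one-way password encodings discussed in this message, as an added example that is not part of the original post and is not FreeBSD's libcrypt code. PBKDF2-HMAC-SHA256 from Python's standard library stands in for the crypt() routine; the `$ex$` record format, the function names and the iteration count are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # constructed work factor for this example


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a stored record "$ex$<iterations>$<salt>$<digest>" (hypothetical format).

    Only the salt and the digest are stored; the password itself is not,
    and the record contains no key that would recover it.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"$ex${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password, record):
    """Check a login attempt by re-running the one-way function with the
    stored salt and comparing digests. Nothing is ever decrypted."""
    try:
        empty, tag, iterations, salt_b64, digest_b64 = record.split("$")
        if empty != "" or tag != "ex":
            return False
        rounds = int(iterations)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:
        return False  # malformed record: fail closed
    if rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = hash_password("correct horse")  # constructed sample password
    print(stored)
    print(verify_password("correct horse", stored), verify_password("guess", stored))
```

The per-record random salt means two accounts with the same password get different stored records, so one precomputed table cannot be reused across accounts.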
