httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@worldgate.com>
Subject Re: Apache 1.3a1 Authentification (re) (fwd)
Date Fri, 15 Aug 1997 23:39:36 GMT
All crypt() does is use the password for the key anyway.  The 7 low-order
bits of the first 8 chars form the 56-bit DES key.  Then you add the salt
and do a bunch of iterations, and presto.

I would be concerned about blindly reimplementing crypt() (even using the
NT functions as the base) without having a solid understanding of the
cryptographic impliciations. 

If need be, we could even steal the exportable MD5 code from FreeBDs; it
generates a hash so it isn't an encryption technology.

Note that it appears like Walnut Creek _is_ exporting the DES based crypt
on their cdroms as a result of the Bernstein decision.  However, they have
lawyers.

I had heard rumors of the GNU libcrypt not being export restricted, but
can't find anything solid on it.  They still say it is export restricted.
ISTR it is possible to get a license for such things, perhaps they did?

On Sat, 16 Aug 1997, Paul Sutton wrote:

> On Fri, 15 Aug 1997, Alexei Kosut wrote:
> > On Fri, 15 Aug 1997, Paul Sutton wrote:
> > > The point with Unix crypt() is that you can (a) publish the source doe and
> > > (b) make the salt (key) readily available and it is *still* a one-way
> > > function. That is you can never get the original back, even with full
> > > knowledge. So no-one can ever decrypt your Unix password (of course, they
> > 
> > I suspect there's something that can be done. What if you encrypted the
> > password, using the password itself as the key. Then you couldn't
> > unencyrpt it to find the password unless you knew it already. When you
> > got a password, you'd encrypt that with itself, and see if it matched
> > your already-encrypted password.
> 
> Sounds good. It is just a shame we cannot use the same crypt() as supplied
> with every Unix. Is it really ITAR restricted? I've never used a Unix
> (inside or outside the US) which doesn't have it, so it is hardly a secret
> technology. Plus things like crack have a cypt library. Umm. 
> 
> //pcs
> 
> 



Mime
View raw message