httpd-dev mailing list archives

From Paul Sutton <p...@ukweb.com>
Subject Re: Apache 1.3a1 Authentification (re) (fwd)
Date Fri, 15 Aug 1997 22:42:26 GMT
On Fri, 15 Aug 1997, Eric Esselink wrote:
> >> The problem is that unix crypt() is a one-way function.
> If you don't put the decryption function into the sources and use a random
> encryption key, it sure looks like a one-way function to me !
> 
> I didn't invent the code, I just used MS's sample code and turned it into 
> something useful. I hate re-inventing the wheel, it's already perfect...

The point with Unix crypt() is that you can (a) publish the source code and
(b) make the salt (key) readily available and it is *still* a one-way
function. That is, you can never get the original back, even with full
knowledge. So no-one can ever decrypt your Unix password (of course, they
can try encrypting and comparing, like crack does, but that is another
matter). With the NT encryption calls, unless I am missing something,
anyone can take your encrypted htpasswd file and keys onto a new system,
write a program to call the decrypt() function and get your passwords. I
would guess this is an acceptable level of security for NT systems.

//pcs
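Added illustration of the distinction Paul draws above; this is not code from the thread or from Apache. It assumes PBKDF2-SHA256 as a stand-in for the DES-based crypt(), and a constructed toy XOR routine as a stand-in for the NT encrypt()/decrypt() calls: in the first scheme the salt and algorithm are public yet verification is the only operation available, in the second the stored blob plus the key hands back the plaintext.

```python
import hashlib
import hmac
import os

# One-way scheme in the spirit of Unix crypt(): the salt (key) is stored in the
# clear next to the digest, the algorithm is public, and the original password
# still cannot be recovered from the stored record. (PBKDF2-SHA256 stands in
# for the historical DES-based crypt(); this is an assumption for illustration.)
ROUNDS = 100_000

def make_hash(password: str, salt: bytes = b"") -> str:
    """Return 'salthex$digesthex'. Both halves are safe to publish."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return f"{salt.hex()}${digest.hex()}"

def verify_hash(password: str, stored: str) -> bool:
    """Check a candidate the only way a one-way function allows: re-hash with
    the published salt and compare. Nothing here yields the original password."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)

# Reversible scheme: a constructed toy XOR routine standing in for the NT
# encrypt()/decrypt() calls. Whoever holds the stored blob and the key gets
# the plaintext back, which is the property Paul objects to.
def toy_encrypt(password: str, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(password.encode()))

def toy_decrypt(blob: bytes, key: bytes) -> str:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob)).decode()

def demo(password: str = "s3cret") -> dict:
    """Constructed sample: the same password stored both ways."""
    salt = b"constructed-salt"          # public in both schemes
    stored_hash = make_hash(password, salt)
    key = b"constructed-key"            # the NT-style key shipped with the file
    stored_blob = toy_encrypt(password, key)
    return {
        "hash_verifies": verify_hash(password, stored_hash),
        "hash_rejects_wrong": verify_hash("guess", stored_hash),
        "hash_reveals_password": password in stored_hash,
        "blob_decrypts_to": toy_decrypt(stored_blob, key),
    }

if __name__ == "__main__":
    print(demo())
```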
