1 @c This node must have no pointers.
2 @node Cryptographic Functions
3 @c @node Cryptographic Functions, Debugging Support, System Configuration, Top
4 @chapter DES Encryption and Password Handling
5 @c %MENU% DES encryption and password handling
7 On many systems, it is unnecessary to have any kind of user
8 authentication; for instance, a workstation which is not connected to a
9 network probably does not need any user authentication, because to use
10 the machine an intruder must have physical access.
12 Sometimes, however, it is necessary to be sure that a user is authorized
13 to use some service a machine provides---for instance, to log in as a
14 particular user id (@pxref{Users and Groups}). One traditional way of
15 doing this is for each user to choose a secret @dfn{password}; then, the
16 system can ask someone claiming to be a user what the user's password
17 is, and if the person gives the correct password then the system can
18 grant the appropriate privileges.
20 If all the passwords are just stored in a file somewhere, then this file
21 has to be very carefully protected. To avoid this, passwords are run
22 through a @dfn{one-way function}, a function which makes it difficult to
23 work out what its input was by looking at its output, before storing in
26 @Theglibc{} provides a one-way function that is compatible with
27 the behavior of the @code{crypt} function introduced in FreeBSD 2.0.
28 It supports two one-way algorithms: one based on the MD5
29 message-digest algorithm that is compatible with modern BSD systems,
30 and the other based on the Data Encryption Standard (DES) that is
31 compatible with Unix systems.
35 It also provides support for Secure RPC, and some library functions that
36 can be used to perform normal DES encryption. The @code{AUTH_DES}
37 authentication flavor in Secure RPC, as provided by @theglibc{},
38 uses DES and does not comply with FIPS 140-2 nor does any other use of DES
39 within @theglibc{}. It is recommended that Secure RPC should not be used
40 for systems that need to comply with FIPS 140-2 since all flavors of
41 encrypted authentication use normal DES.
44 * Legal Problems:: This software can get you locked up, or worse.
45 * getpass:: Prompting the user for a password.
46 * crypt:: A one-way function for passwords.
47 * DES Encryption:: Routines for DES encryption.
51 @section Legal Problems
53 Because of the continuously changing state of the law, it's not possible
54 to provide a definitive survey of the laws affecting cryptography.
55 Instead, this section warns you of some of the known trouble spots; this
56 may help you when you try to find out what the laws of your country are.
58 Some countries require that you have a licence to use, possess, or import
59 cryptography. These countries are believed to include Byelorussia,
60 Burma, India, Indonesia, Israel, Kazakhstan, Pakistan, Russia, and Saudi
63 Some countries restrict the transmission of encrypted messages by radio;
64 some telecommunications carriers restrict the transmission of encrypted
65 messages over their network.
67 Many countries have some form of export control for encryption software.
68 The Wassenaar Arrangement is a multilateral agreement between 33
69 countries (Argentina, Australia, Austria, Belgium, Bulgaria, Canada, the
70 Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary,
71 Ireland, Italy, Japan, Luxembourg, the Netherlands, New Zealand, Norway,
72 Poland, Portugal, the Republic of Korea, Romania, the Russian
73 Federation, the Slovak Republic, Spain, Sweden, Switzerland, Turkey,
74 Ukraine, the United Kingdom and the United States) which restricts some
75 kinds of encryption exports. Different countries apply the arrangement
76 in different ways; some do not allow the exception for certain kinds of
77 ``public domain'' software (which would include this library), some
78 only restrict the export of software in tangible form, and others impose
79 significant additional restrictions.
81 The United States has additional rules. This software would generally
82 be exportable under 15 CFR 740.13(e), which permits exports of
83 ``encryption source code'' which is ``publicly available'' and which is
84 ``not subject to an express agreement for the payment of a licensing fee or
85 royalty for commercial production or sale of any product developed with
86 the source code'' to most countries.
88 The rules in this area are continuously changing. If you know of any
89 information in this manual that is out-of-date, please report it to
90 the bug database. @xref{Reporting Bugs}.
93 @section Reading Passwords
95 When reading in a password, it is desirable to avoid displaying it on
96 the screen, to help keep it secret. The following function handles this
101 @deftypefun {char *} getpass (const char *@var{prompt})
103 @code{getpass} outputs @var{prompt}, then reads a string in from the
104 terminal without echoing it. It tries to connect to the real terminal,
105 @file{/dev/tty}, if possible, to encourage users not to put plaintext
106 passwords in files; otherwise, it uses @code{stdin} and @code{stderr}.
107 @code{getpass} also disables the INTR, QUIT, and SUSP characters on the
108 terminal using the @code{ISIG} terminal attribute (@pxref{Local Modes}).
109 The terminal is flushed before and after @code{getpass}, so that
110 characters of a mistyped password are not accidentally visible.
112 In other C libraries, @code{getpass} may only return the first
113 @code{PASS_MAX} bytes of a password. @Theglibc{} has no limit, so
114 @code{PASS_MAX} is undefined.
116 The prototype for this function is in @file{unistd.h}. @code{PASS_MAX}
117 would be defined in @file{limits.h}.
120 This precise set of operations may not suit all possible situations. In
121 this case, it is recommended that users write their own @code{getpass}
122 substitute. For instance, a very simple substitute is as follows:
125 @include mygetpass.c.texi
128 The substitute takes the same parameters as @code{getline}
129 (@pxref{Line Input}); the user must print any prompt desired.
132 @section Encrypting Passwords
136 @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
138 The @code{crypt} function takes a password, @var{key}, as a string, and
139 a @var{salt} character array which is described below, and returns a
140 printable ASCII string which starts with another salt. It is believed
141 that, given the output of the function, the best way to find a @var{key}
142 that will produce that output is to guess values of @var{key} until the
143 original value of @var{key} is found.
145 The @var{salt} parameter does two things. Firstly, it selects which
146 algorithm is used, the MD5-based one or the DES-based one. Secondly, it
147 makes life harder for someone trying to guess passwords against a file
148 containing many passwords; without a @var{salt}, an intruder can make a
149 guess, run @code{crypt} on it once, and compare the result with all the
150 passwords. With a @var{salt}, the intruder must run @code{crypt} once
151 for each different salt.
153 For the MD5-based algorithm, the @var{salt} should consist of the string
154 @code{$1$}, followed by up to 8 characters, terminated by either
155 another @code{$} or the end of the string. The result of @code{crypt}
156 will be the @var{salt}, followed by a @code{$} if the salt didn't end
157 with one, followed by 22 characters from the alphabet
158 @code{./0-9A-Za-z}, up to 34 characters total. Every character in the
159 @var{key} is significant.
161 For the DES-based algorithm, the @var{salt} should consist of two
162 characters from the alphabet @code{./0-9A-Za-z}, and the result of
163 @code{crypt} will be those two characters followed by 11 more from the
164 same alphabet, 13 in total. Only the first 8 characters in the
165 @var{key} are significant.
167 The MD5-based algorithm has no limit on the useful length of the
168 password used, and is slightly more secure. It is therefore preferred
169 over the DES-based algorithm.
171 When the user enters their password for the first time, the @var{salt}
172 should be set to a new string which is reasonably random. To verify a
173 password against the result of a previous call to @code{crypt}, pass
174 the result of the previous call as the @var{salt}.
177 The following short program is an example of how to use @code{crypt} the
178 first time a password is entered. Note that the @var{salt} generation
179 is just barely acceptable; in particular, it is not unique between
180 machines, and in many applications it would not be acceptable to let an
181 attacker know what time the user's password was last set.
184 @include genpass.c.texi
187 The next program shows how to verify a password. It prompts the user
188 for a password and prints ``Access granted.'' if the user types
189 @code{GNU libc manual}.
192 @include testpass.c.texi
197 @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
199 The @code{crypt_r} function does the same thing as @code{crypt}, but
200 takes an extra parameter which includes space for its result (among
201 other things), so it can be reentrant. @code{data@w{->}initialized} must be
202 cleared to zero before the first time @code{crypt_r} is called.
204 The @code{crypt_r} function is a GNU extension.
207 The @code{crypt} and @code{crypt_r} functions are prototyped in the
208 header @file{crypt.h}.
211 @section DES Encryption
214 The Data Encryption Standard is described in the US Government Federal
215 Information Processing Standards (FIPS) 46-3 published by the National
216 Institute of Standards and Technology. The DES has been very thoroughly
217 analyzed since it was developed in the late 1970s, and no new
218 significant flaws have been found.
220 However, the DES uses only a 56-bit key (plus 8 parity bits), and a
221 machine has been built in 1998 which can search through all possible
222 keys in about 6 days, which cost about US$200000; faster searches would
223 be possible with more money. This makes simple DES insecure for most
224 purposes, and NIST no longer permits new US government systems
227 For serious encryption functionality, it is recommended that one of the
228 many free encryption libraries be used instead of these routines.
230 The DES is a reversible operation which takes a 64-bit block and a
231 64-bit key, and produces another 64-bit block. Usually the bits are
232 numbered so that the most-significant bit, the first bit, of each block
235 Under that numbering, every 8th bit of the key (the 8th, 16th, and so
236 on) is not used by the encryption algorithm itself. But the key must
237 have odd parity; that is, out of bits 1 through 8, and 9 through 16, and
238 so on, there must be an odd number of `1' bits, and this completely
239 specifies the unused bits.
243 @deftypefun void setkey (const char *@var{key})
245 The @code{setkey} function sets an internal data structure to be an
246 expanded form of @var{key}. @var{key} is specified as an array of 64
247 bits each stored in a @code{char}, the first bit is @code{key[0]} and
248 the 64th bit is @code{key[63]}. The @var{key} should have the correct
254 @deftypefun void encrypt (char *@var{block}, int @var{edflag})
256 The @code{encrypt} function encrypts @var{block} if
257 @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
258 previously set by @code{setkey}. The result is
259 placed in @var{block}.
261 Like @code{setkey}, @var{block} is specified as an array of 64 bits each
262 stored in a @code{char}, but there are no parity bits in @var{block}.
267 @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
270 @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
272 These are reentrant versions of @code{setkey} and @code{encrypt}. The
273 only difference is the extra parameter, which stores the expanded
274 version of @var{key}. Before calling @code{setkey_r} the first time,
275 @code{data->initialized} must be cleared to zero.
278 The @code{setkey_r} and @code{encrypt_r} functions are GNU extensions.
279 @code{setkey}, @code{encrypt}, @code{setkey_r}, and @code{encrypt_r} are
280 defined in @file{crypt.h}.
282 @comment rpc/des_crypt.h
284 @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
286 The function @code{ecb_crypt} encrypts or decrypts one or more blocks
287 using DES. Each block is encrypted independently.
289 The @var{blocks} and the @var{key} are stored packed in 8-bit bytes, so
290 that the first bit of the key is the most-significant bit of
291 @code{key[0]} and the 63rd bit of the key is stored as the
292 least-significant bit of @code{key[7]}. The @var{key} should have the
295 @var{len} is the number of bytes in @var{blocks}. It should be a
296 multiple of 8 (so that there is a whole number of blocks to encrypt).
297 @var{len} is limited to a maximum of @code{DES_MAXDATA} bytes.
299 The result of the encryption replaces the input in @var{blocks}.
301 The @var{mode} parameter is the bitwise OR of two of the following:
304 @comment rpc/des_crypt.h
307 This constant, used in the @var{mode} parameter, specifies that
308 @var{blocks} is to be encrypted.
310 @comment rpc/des_crypt.h
313 This constant, used in the @var{mode} parameter, specifies that
314 @var{blocks} is to be decrypted.
316 @comment rpc/des_crypt.h
319 This constant, used in the @var{mode} parameter, asks to use a hardware
320 device. If no hardware device is available, encryption happens anyway,
323 @comment rpc/des_crypt.h
326 This constant, used in the @var{mode} parameter, specifies that no
327 hardware device is to be used.
330 The result of the function will be one of these values:
333 @comment rpc/des_crypt.h
336 The encryption succeeded.
338 @comment rpc/des_crypt.h
340 @item DESERR_NOHWDEVICE
341 The encryption succeeded, but there was no hardware device available.
343 @comment rpc/des_crypt.h
346 The encryption failed because of a hardware problem.
348 @comment rpc/des_crypt.h
350 @item DESERR_BADPARAM
351 The encryption failed because of a bad parameter, for instance @var{len}
352 is not a multiple of 8 or @var{len} is larger than @code{DES_MAXDATA}.
356 @comment rpc/des_crypt.h
358 @deftypefun int DES_FAILED (int @var{err})
359 This macro returns 1 if @var{err} is a `success' result code from
360 @code{ecb_crypt} or @code{cbc_crypt}, and 0 otherwise.
363 @comment rpc/des_crypt.h
365 @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
367 The function @code{cbc_crypt} encrypts or decrypts one or more blocks
368 using DES in Cipher Block Chaining mode.
370 For encryption in CBC mode, each block is exclusive-ored with @var{ivec}
371 before being encrypted, then @var{ivec} is replaced with the result of
372 the encryption, then the next block is processed. Decryption is the
373 reverse of this process.
375 This has the advantage that blocks which are the same before being
376 encrypted are very unlikely to be the same after being encrypted, making
377 it much harder to detect patterns in the data.
379 Usually, @var{ivec} is set to 8 random bytes before encryption starts.
380 Then the 8 random bytes are transmitted along with the encrypted data
381 (without themselves being encrypted), and passed back in as @var{ivec}
382 for decryption. Another possibility is to set @var{ivec} to 8 zeroes
383 initially, and have the first the block encrypted consist of 8 random
386 Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
389 @comment rpc/des_crypt.h
391 @deftypefun void des_setparity (char *@var{key})
393 The function @code{des_setparity} changes the 64-bit @var{key}, stored
394 packed in 8-bit bytes, to have odd parity by altering the low bits of
398 The @code{ecb_crypt}, @code{cbc_crypt}, and @code{des_setparity}
399 functions and their accompanying macros are all defined in the header
400 @file{rpc/des_crypt.h}.