2 .\" Michael Haardt (michael@cantor.informatik.rwth.aachen.de)
3 .\" Sat Sep 3 22:00:30 MET DST 1994
5 .\" SPDX-License-Identifier: GPL-2.0-or-later
7 .\" Sun Feb 19 21:32:25 1995, faith@cs.unc.edu edited details away
9 .\" TO DO: This manual page should go more into detail how DES is perturbed,
10 .\" which string will be encrypted, and what determines the repetition factor.
11 .\" Is a simple repetition using ECB used, or something more advanced? I hope
12 .\" the presented explanations are at least better than nothing, but by no
15 .\" added _XOPEN_SOURCE, aeb, 970705
16 .\" added GNU MD5 stuff, aeb, 011223
18 .TH crypt 3 (date) "Linux man-pages (unreleased)"
20 crypt, crypt_r \- password and data encryption
22 Encryption and decryption library
23 .RI ( libcrypto ", " \-lcrypto )
26 .B #include <unistd.h>
28 .BI "char *crypt(const char *" key ", const char *" salt );
32 .BI "char *crypt_r(const char *" key ", const char *" salt ,
33 .BI " struct crypt_data *restrict " data );
37 Feature Test Macro Requirements for glibc (see
38 .BR feature_test_macros (7)):
45 glibc 2.27 and earlier:
55 is the password encryption function.
56 It is based on the Data Encryption
57 Standard algorithm with variations intended (among other things) to
58 discourage use of hardware implementations of a key search.
61 is a user's typed password.
64 is a two-character string chosen from the set
65 [\fBa\-zA\-Z0\-9./\fP].
66 This string is used to
67 perturb the algorithm in one of 4096 different ways.
69 By taking the lowest 7 bits of each of the first eight characters of the
71 a 56-bit key is obtained.
72 This 56-bit key is used to encrypt repeatedly a
73 constant string (usually a string consisting of all zeros).
75 value points to the encrypted password, a series of 13 printable ASCII
76 characters (the first two characters represent the salt itself).
77 The return value points to static data whose content is
78 overwritten by each call.
80 Warning: the key space consists of
83 equal 7.2e16 possible values.
84 Exhaustive searches of this key space are
85 possible using massively parallel computers.
88 is available which will search the portion of this key space that is
89 generally used by humans for passwords.
90 Hence, password selection should,
91 at minimum, avoid common words and names.
94 program that checks for crackable passwords during the selection process is
97 The DES algorithm itself has a few quirks which make the use of the
99 interface a very poor choice for anything other than password
101 If you are planning on using the
103 interface for a cryptography project, don't do it: get a good book on
104 encryption and one of the widely available DES libraries.
107 is a reentrant version of
109 The structure pointed to by
111 is used to store result data and bookkeeping information.
112 Other than allocating it,
113 the only thing that the caller should do with this structure is to set
114 .I data\->initialized
115 to zero before the first call to
118 On success, a pointer to the encrypted password is returned.
119 On error, NULL is returned.
124 has the wrong format.
129 function was not implemented, probably because of U.S.A. export restrictions.
130 .\" This level of detail is not necessary in this man page. . .
132 .\" When encrypting a plain text P using DES with the key K results in the
133 .\" encrypted text C, then the complementary plain text P' being encrypted
134 .\" using the complementary key K' will result in the complementary encrypted
137 .\" Weak keys are keys which stay invariant under the DES key transformation.
138 .\" The four known weak keys 0101010101010101, fefefefefefefefe,
139 .\" 1f1f1f1f0e0e0e0e and e0e0e0e0f1f1f1f1 must be avoided.
141 .\" There are six known half weak key pairs, which keys lead to the same
142 .\" encrypted data. Keys which are part of such key clusters should be
144 .\" Sorry, I could not find out what they are.
147 .\" Heavily redundant data causes trouble with DES encryption, when used in the
153 .\" interface should be used only for its intended purpose of password
154 .\" verification, and should not be used as part of a data encryption tool.
156 .\" The first and last three output bits of the fourth S-box can be
157 .\" represented as function of their input bits. Empiric studies have
158 .\" shown that S-boxes partially compute the same output for similar input.
159 .\" It is suspected that this may contain a back door which could allow the
160 .\" NSA to decrypt DES encrypted data.
162 .\" Making encrypted data computed using crypt() publicly available has
163 .\" to be considered insecure for the given reasons.
166 .I /proc/sys/crypto/fips_enabled
168 and an attempt was made to use a weak encryption type, such as DES.
170 For an explanation of the terms used in this section, see
178 Interface Attribute Value
181 T} Thread safety MT-Unsafe race:crypt
184 T} Thread safety MT-Safe
191 POSIX.1-2001, POSIX.1-2008, SVr4, 4.3BSD.
195 .SS Availability in glibc
201 functions are part of the POSIX.1-2008 XSI Options Group for Encryption
203 If the interfaces are not available, then the symbolic constant
205 is either not defined,
206 or it is defined to \-1 and availability can be checked at run time with
208 This may be the case if the downstream distribution has switched from glibc
211 When recompiling applications in such distributions,
212 the programmer must detect if
214 is not available and include
216 for the function prototypes;
219 is an ABI-compatible drop-in replacement.
220 .SS Features in glibc
221 The glibc version of this function supports additional
222 encryption algorithms.
226 is a character string starting with the characters "$\fIid\fP$"
227 followed by a string optionally terminated by "$",
228 then the result has the form:
231 $\fIid\fP$\fIsalt\fP$\fIencrypted\fP
235 identifies the encryption method used instead of DES and this
236 then determines how the rest of the password string is interpreted.
237 The following values of
248 Blowfish (not in mainline glibc; added in some
251 .\" openSUSE has Blowfish, but AFAICS, this option is not supported
252 .\" natively by glibc -- mtk, Jul 08
255 .\" glibc doesn't appear to natively support Sun MD5; I don't know
256 .\" if any distros add the support.
257 5 SHA-256 (since glibc 2.7)
258 6 SHA-512 (since glibc 2.7)
262 Thus, $5$\fIsalt\fP$\fIencrypted\fP and $6$\fIsalt\fP$\fIencrypted\fP
263 contain the password encrypted with, respectively, functions
264 based on SHA-256 and SHA-512.
266 "\fIsalt\fP" stands for the up to 16 characters
267 following "$\fIid\fP$" in the salt.
268 The "\fIencrypted\fP"
269 part of the password string is the actual computed password.
270 The size of this string is fixed:
275 SHA-256 43 characters
276 SHA-512 86 characters
280 The characters in "\fIsalt\fP" and "\fIencrypted\fP" are drawn from the set
281 [\fBa\-zA\-Z0\-9./\fP].
282 In the MD5 and SHA implementations the entire
284 is significant (instead of only the first
288 .\" glibc commit 9425cb9eea6a62fc21d99aafe8a60f752b934b05
289 the SHA-256 and SHA-512 implementations support a user-supplied number of
290 hashing rounds, defaulting to 5000.
291 If the "$\fIid\fP$" characters in the salt are
292 followed by "rounds=\fIxxx\fP$", where \fIxxx\fP is an integer, then the
296 $\fIid\fP$\fIrounds=yyy\fP$\fIsalt\fP$\fIencrypted\fP
299 where \fIyyy\fP is the number of hashing rounds actually used.
300 The number of rounds actually used is 1000 if
305 is greater than 999999999, and