1 .\" Michael Haardt (michael@cantor.informatik.rwth.aachen.de)
2 .\" Sat Sep 3 22:00:30 MET DST 1994
4 .\" %%%LICENSE_START(GPLv2+_DOC_FULL)
5 .\" This is free documentation; you can redistribute it and/or
6 .\" modify it under the terms of the GNU General Public License as
7 .\" published by the Free Software Foundation; either version 2 of
8 .\" the License, or (at your option) any later version.
10 .\" The GNU General Public License's references to "object code"
11 .\" and "executables" are to be interpreted as the output of any
12 .\" document formatting or typesetting system, including
13 .\" intermediate and printed output.
15 .\" This manual is distributed in the hope that it will be useful,
16 .\" but WITHOUT ANY WARRANTY; without even the implied warranty of
17 .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 .\" GNU General Public License for more details.
20 .\" You should have received a copy of the GNU General Public
21 .\" License along with this manual; if not, see
22 .\" <http://www.gnu.org/licenses/>.
25 .\" Sun Feb 19 21:32:25 1995, faith@cs.unc.edu edited details away
27 .\" TO DO: This manual page should go more into detail how DES is perturbed,
28 .\" which string will be encrypted, and what determines the repetition factor.
29 .\" Is a simple repetition using ECB used, or something more advanced? I hope
30 .\" the presented explanations are at least better than nothing, but by no
33 .\" added _XOPEN_SOURCE, aeb, 970705
34 .\" added GNU MD5 stuff, aeb, 011223
36 .TH CRYPT 3 2015-08-08 "" "Linux Programmer's Manual"
38 crypt, crypt_r \- password and data encryption
41 .BR "#define _XOPEN_SOURCE" " /* See feature_test_macros(7) */"
43 .B #include <unistd.h>
45 .BI "char *crypt(const char *" key ", const char *" salt );
47 .BR "#define _GNU_SOURCE" " /* See feature_test_macros(7) */"
51 .BI "char *crypt_r(const char *" key ", const char *" salt ,
52 .BI " struct crypt_data *" data );
55 Link with \fI\-lcrypt\fP.
58 is the password encryption function.
59 It is based on the Data Encryption
60 Standard algorithm with variations intended (among other things) to
61 discourage use of hardware implementations of a key search.
64 is a user's typed password.
67 is a two-character string chosen from the set
68 [\fBa\-zA\-Z0\-9./\fP].
69 This string is used to
70 perturb the algorithm in one of 4096 different ways.
72 By taking the lowest 7 bits of each of the first eight characters of the
74 a 56-bit key is obtained.
75 This 56-bit key is used to encrypt repeatedly a
76 constant string (usually a string consisting of all zeros).
78 value points to the encrypted password, a series of 13 printable ASCII
79 characters (the first two characters represent the salt itself).
80 The return value points to static data whose content is
81 overwritten by each call.
83 Warning: the key space consists of
86 equal 7.2e16 possible values.
87 Exhaustive searches of this key space are
88 possible using massively parallel computers.
91 is available which will search the portion of this key space that is
92 generally used by humans for passwords.
93 Hence, password selection should,
94 at minimum, avoid common words and names.
97 program that checks for crackable passwords during the selection process is
100 The DES algorithm itself has a few quirks which make the use of the
102 interface a very poor choice for anything other than password
104 If you are planning on using the
106 interface for a cryptography project, don't do it: get a good book on
107 encryption and one of the widely available DES libraries.
110 is a reentrant version of
112 The structure pointed to by
114 is used to store result data and bookkeeping information.
115 Other than allocating it,
116 the only thing that the caller should do with this structure is to set
118 to zero before the first call to
121 On success, a pointer to the encrypted password is returned.
122 On error, NULL is returned.
127 has the wrong format.
132 function was not implemented, probably because of U.S.A. export restrictions.
133 .\" This level of detail is not necessary in this man page. . .
135 .\" When encrypting a plain text P using DES with the key K results in the
136 .\" encrypted text C, then the complementary plain text P' being encrypted
137 .\" using the complementary key K' will result in the complementary encrypted
140 .\" Weak keys are keys which stay invariant under the DES key transformation.
141 .\" The four known weak keys 0101010101010101, fefefefefefefefe,
142 .\" 1f1f1f1f0e0e0e0e and e0e0e0e0f1f1f1f1 must be avoided.
144 .\" There are six known half weak key pairs, which keys lead to the same
145 .\" encrypted data. Keys which are part of such key clusters should be
147 .\" Sorry, I could not find out what they are.
150 .\" Heavily redundant data causes trouble with DES encryption, when used in the
156 .\" interface should be used only for its intended purpose of password
157 .\" verification, and should not be used as part of a data encryption tool.
159 .\" The first and last three output bits of the fourth S-box can be
160 .\" represented as function of their input bits. Empiric studies have
161 .\" shown that S-boxes partially compute the same output for similar input.
162 .\" It is suspected that this may contain a back door which could allow the
163 .\" NSA to decrypt DES encrypted data.
165 .\" Making encrypted data computed using crypt() publicly available has
166 .\" to be considered insecure for the given reasons.
169 .I /proc/sys/crypto/fips_enabled
171 and an attempt was made to use a weak encryption type, such as DES.
173 For an explanation of the terms used in this section, see
179 Interface Attribute Value
182 T} Thread safety MT-Unsafe race:crypt
185 T} Thread safety MT-Safe
189 POSIX.1-2001, POSIX.1-2008, SVr4, 4.3BSD.
194 The glibc2 version of this function supports additional
195 encryption algorithms.
199 is a character string starting with the characters "$\fIid\fP$"
200 followed by a string terminated by "$":
203 $\fIid\fP$\fIsalt\fP$\fIencrypted\fP
206 then instead of using the DES machine,
208 identifies the encryption method used and this then determines how the rest
209 of the password string is interpreted.
210 The following values of
219 2a | Blowfish (not in mainline glibc; added in some
220 | Linux distributions)
221 .\" openSUSE has Blowfish, but AFAICS, this option is not supported
222 .\" natively by glibc -- mtk, Jul 08
225 .\" glibc doesn't appear to natively support Sun MD5; I don't know
226 .\" if any distros add the support.
227 5 | SHA-256 (since glibc 2.7)
228 6 | SHA-512 (since glibc 2.7)
232 So $5$\fIsalt\fP$\fIencrypted\fP is an SHA-256 encoded
233 password and $6$\fIsalt\fP$\fIencrypted\fP is an
236 "\fIsalt\fP" stands for the up to 16 characters
237 following "$\fIid\fP$" in the salt.
238 The encrypted part of the password string is the actual computed password.
239 The size of this string is fixed:
243 SHA-256 | 43 characters
244 SHA-512 | 86 characters
247 The characters in "\fIsalt\fP" and "\fIencrypted\fP" are drawn from the set
248 [\fBa\-zA\-Z0\-9./\fP].
249 In the MD5 and SHA implementations the entire
251 is significant (instead of only the first