2 .\" Michael Haardt (michael@cantor.informatik.rwth.aachen.de)
3 .\" Sat Sep 3 22:00:30 MET DST 1994
5 .\" SPDX-License-Identifier: GPL-2.0-or-later
7 .\" Sun Feb 19 21:32:25 1995, faith@cs.unc.edu edited details away
9 .\" TO DO: This manual page should go more into detail how DES is perturbed,
10 .\" which string will be encrypted, and what determines the repetition factor.
11 .\" Is a simple repetition using ECB used, or something more advanced? I hope
12 .\" the presented explanations are at least better than nothing, but by no
15 .\" added _XOPEN_SOURCE, aeb, 970705
16 .\" added GNU MD5 stuff, aeb, 011223
18 .TH crypt 3 (date) "Linux man-pages (unreleased)"
20 crypt, crypt_r \- password hashing
22 Password hashing library
23 .RI ( libcrypt ", " \-lcrypt )
26 .B #include <unistd.h>
28 .BI "char *crypt(const char *" key ", const char *" salt );
32 .BI "char *crypt_r(const char *" key ", const char *" salt ,
33 .BI " struct crypt_data *restrict " data );
37 Feature Test Macro Requirements for glibc (see
38 .BR feature_test_macros (7)):
45 glibc 2.27 and earlier:
55 is the password hashing function.
56 It is based on the Data Encryption
57 Standard algorithm with variations intended (among other things) to
58 discourage use of hardware implementations of a key search.
61 is a user's typed password.
64 is a two-character string chosen from the set
65 [\fBa\-zA\-Z0\-9./\fP].
66 This string is used to
67 perturb the algorithm in one of 4096 different ways.
69 By taking the lowest 7 bits of each of the first eight characters of the
71 a 56-bit key is obtained.
72 This 56-bit key is used to encrypt repeatedly a
73 constant string (usually a string consisting of all zeros).
75 value points to the hashed password, a series of 13 printable ASCII
76 characters (the first two characters represent the salt itself).
77 The return value points to static data whose content is
78 overwritten by each call.
80 Warning: the key space consists of
83 equal 7.2e16 possible values.
84 Exhaustive searches of this key space are
85 possible using massively parallel computers.
88 is available which will search the portion of this key space that is
89 generally used by humans for passwords.
90 Hence, password selection should,
91 at minimum, avoid common words and names.
94 program that checks for crackable passwords during the selection process is
97 The DES algorithm itself has a few quirks which make the use of the
99 interface a very poor choice for anything other than password
101 If you are planning on using the
103 interface for a cryptography project, don't do it: get a good book on
104 encryption and one of the widely available DES libraries.
107 is a reentrant version of
109 The structure pointed to by
111 is used to store result data and bookkeeping information.
112 Other than allocating it,
113 the only thing that the caller should do with this structure is to set
114 .I data\->initialized
115 to zero before the first call to
118 On success, a pointer to the hashed password is returned.
119 On error, NULL is returned.
124 has the wrong format.
129 function was not implemented, probably because of U.S.A. export restrictions.
130 .\" This level of detail is not necessary in this man page. . .
132 .\" When encrypting a plain text P using DES with the key K results in the
133 .\" encrypted text C, then the complementary plain text P' being encrypted
134 .\" using the complementary key K' will result in the complementary encrypted
137 .\" Weak keys are keys which stay invariant under the DES key transformation.
138 .\" The four known weak keys 0101010101010101, fefefefefefefefe,
139 .\" 1f1f1f1f0e0e0e0e and e0e0e0e0f1f1f1f1 must be avoided.
141 .\" There are six known half weak key pairs, which keys lead to the same
142 .\" encrypted data. Keys which are part of such key clusters should be
144 .\" Sorry, I could not find out what they are.
147 .\" Heavily redundant data causes trouble with DES encryption, when used in the
153 .\" interface should be used only for its intended purpose of password
154 .\" verification, and should not be used as part of a data encryption tool.
156 .\" The first and last three output bits of the fourth S-box can be
157 .\" represented as function of their input bits. Empiric studies have
158 .\" shown that S-boxes partially compute the same output for similar input.
159 .\" It is suspected that this may contain a back door which could allow the
160 .\" NSA to decrypt DES encrypted data.
162 .\" Making encrypted data computed using crypt() publicly available has
163 .\" to be considered insecure for the given reasons.
166 .I /proc/sys/crypto/fips_enabled
168 and an attempt was made to use a weak hashing type, such as DES.
170 For an explanation of the terms used in this section, see
176 Interface Attribute Value
181 T} Thread safety MT-Unsafe race:crypt
186 T} Thread safety MT-Safe
198 POSIX.1-2001, SVr4, 4.3BSD.
199 .SS Availability in glibc
205 functions are part of the POSIX.1-2008 XSI Options Group for Encryption
207 If the interfaces are not available, then the symbolic constant
209 is either not defined,
210 or it is defined to \-1 and availability can be checked at run time with
212 This may be the case if the downstream distribution has switched from glibc
215 When recompiling applications in such distributions,
216 the programmer must detect if
218 is not available and include
220 for the function prototypes;
223 is an ABI-compatible drop-in replacement.
225 .SS Features in glibc
226 The glibc version of this function supports additional
231 is a character string starting with the characters "$\fIid\fP$"
232 followed by a string optionally terminated by "$",
233 then the result has the form:
236 $\fIid\fP$\fIsalt\fP$\fIhashed\fP
240 identifies the hashing method used instead of DES and this
241 then determines how the rest of the password string is interpreted.
242 The following values of
253 Blowfish (not in mainline glibc; added in some
256 .\" openSUSE has Blowfish, but AFAICS, this option is not supported
257 .\" natively by glibc -- mtk, Jul 08
260 .\" glibc doesn't appear to natively support Sun MD5; I don't know
261 .\" if any distros add the support.
262 5 SHA-256 (since glibc 2.7)
263 6 SHA-512 (since glibc 2.7)
267 Thus, $5$\fIsalt\fP$\fIhashed\fP and $6$\fIsalt\fP$\fIhashed\fP
268 contain the password hashed with, respectively, functions
269 based on SHA-256 and SHA-512.
271 "\fIsalt\fP" stands for the up to 16 characters
272 following "$\fIid\fP$" in the salt.
274 part of the password string is the actual computed password.
275 The size of this string is fixed:
280 SHA-256 43 characters
281 SHA-512 86 characters
285 The characters in "\fIsalt\fP" and "\fIhashed\fP" are drawn from the set
286 [\fBa\-zA\-Z0\-9./\fP].
287 In the MD5 and SHA implementations the entire
289 is significant (instead of only the first
293 .\" glibc commit 9425cb9eea6a62fc21d99aafe8a60f752b934b05
294 the SHA-256 and SHA-512 implementations support a user-supplied number of
295 hashing rounds, defaulting to 5000.
296 If the "$\fIid\fP$" characters in the salt are
297 followed by "rounds=\fIxxx\fP$", where \fIxxx\fP is an integer, then the
301 $\fIid\fP$\fIrounds=yyy\fP$\fIsalt\fP$\fIhashed\fP
304 where \fIyyy\fP is the number of hashing rounds actually used.
305 The number of rounds actually used is 1000 if
310 is greater than 999999999, and