Solaris Crypt : better password hashing algorithms

11 Oct 2006

Starting with Solaris 9 update 2, a new framework makes it possible to select which of several hash algorithms is used to compute the hashed version of passwords. Before that, the traditional crypt() routine was used, limiting passwords to 8 characters and producing the familiar 13-character string found in the /etc/shadow file. The Solaris Pluggable Crypt Framework makes it possible to choose from 3 new algorithms, all allowing a maximum password length of 255 characters:

# cat /etc/security/crypt.conf
(…)
1 crypt_bsdmd5.so.1
2a crypt_bsdbf.so.1
md5 crypt_sunmd5.so.1

What are these libraries?

From the man pages:
# man crypt_bsdmd5
(…) The crypt_bsdmd5 module is a one-way password hashing module for use with crypt(3C) that uses the MD5 message hash algorithm. (…) The output is compatible with md5crypt on BSD and Linux systems.

# man crypt_bsdbf
(…) The crypt_bsdbf module is a one-way password hashing module for use with crypt(3C) that uses the Blowfish cryptographic algorithm. (…)

# man crypt_sunmd5
(…) The crypt_sunmd5 module is a one-way password hashing module for use with crypt(3C) that uses the MD5 message hash algorithm. (…)

  • How to take advantage of this feature?
    Dead easy.
    # grep '^CRYPT_DEFAULT' /etc/security/policy.conf
    CRYPT_DEFAULT=__unix__
    explains why the default hashing algorithm is still the traditional one. Replace __unix__ with one of the identifiers specified in /etc/security/crypt.conf (1, 2a, md5). From then on, all new local passwords will be hashed using your new algorithm.
  • Which hashing algorithm to choose?
    Alec Muffett, one of the top security engineers at Sun, has a long, interesting story on that subject, including a description of “his” sunmd5. From the man page again:
    # man crypt_sunmd5
    (…) This module is designed to make it difficult to crack passwords that use brute force attacks based on high speed MD5 implementations that use code inlining, unrolled loops, and table lookup. (…)

So unless you need Linux compatibility, it seems that sunmd5 is the right choice.
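Because only new passwords pick up the CRYPT_DEFAULT algorithm, accounts whose passwords were set before the switch keep their traditional hash until they are changed. The following is an added example, not part of the original post: it classifies shadow entries by the identifier at the front of each hash, using the id-to-module table from crypt.conf. The function names and the sample files are constructed for illustration; the id is taken as the text between the leading `$` and the next `$` or `,` (the latter for hashes that carry a `rounds=` parameter).

```shell
#!/bin/sh
# Added example (not from the original post); sample files are constructed.

# classify_shadow CRYPT_CONF SHADOW: print "user algorithm" per account,
# mapping the $id$ prefix of each hash through the crypt.conf id -> module table.
classify_shadow() {
    awk '
    FNR == NR {                       # first file: crypt.conf
        if (NF >= 2 && substr($1, 1, 1) != "#") module[$1] = $2
        next
    }
    {                                 # second file: shadow, FS is ":"
        h = $2
        if (substr(h, 1, 1) == "$") {
            rest = substr(h, 2)
            n = match(rest, /[$,]/)   # id ends at "$" or at ",rounds=..."
            id = n ? substr(rest, 1, n - 1) : rest
            alg = (id in module) ? module[id] : ("unknown-id:" id)
        } else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$") {
            alg = "__unix__"          # traditional 13-character crypt() hash
        } else {
            alg = "no-password-hash"  # e.g. NP, *LK*, empty field
        }
        print $1, alg
    }' "$1" FS=: "$2"
}

# legacy_accounts CRYPT_CONF SHADOW: users whose hash predates the switch
legacy_accounts() {
    classify_shadow "$1" "$2" | awk '$2 == "__unix__" { print $1 }'
}

# make_sample DIR: write constructed crypt.conf and shadow files (hypothetical data)
make_sample() {
    printf '%s\n' '# constructed' '1 crypt_bsdmd5.so.1' \
        '2a crypt_bsdbf.so.1' 'md5 crypt_sunmd5.so.1' > "$1/crypt.conf"
    cat > "$1/shadow" <<'EOF'
root:$md5,rounds=904$CONSTRUCTED$$CONSTRUCTEDHASH:13432::::::
alice:AAconstructed:13432::::::
bob:$1$CONSTRUC$CONSTRUCTEDHASH:13432::::::
carol:$2a$04$CONSTRUCTEDSALTANDHASH:13432::::::
lp:*LK*:::::::
EOF
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_sample "$d"
    classify_shadow "$d/crypt.conf" "$d/shadow"; rm -rf "$d"
fi
```

On a live system the arguments would be /etc/security/crypt.conf and /etc/shadow, read as root; accounts listed by legacy_accounts need a password change before they benefit from the new default.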
