1 .\" Michael Haardt (michael@cantor.informatik.rwth.aachen.de)
2 .\" Sat Sep 3 22:00:30 MET DST 1994
4 .\" This is free documentation; you can redistribute it and/or
5 .\" modify it under the terms of the GNU General Public License as
6 .\" published by the Free Software Foundation; either version 2 of
7 .\" the License, or (at your option) any later version.
9 .\" The GNU General Public License's references to "object code"
10 .\" and "executables" are to be interpreted as the output of any
11 .\" document formatting or typesetting system, including
12 .\" intermediate and printed output.
14 .\" This manual is distributed in the hope that it will be useful,
15 .\" but WITHOUT ANY WARRANTY; without even the implied warranty of
16 .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 .\" GNU General Public License for more details.
19 .\" You should have received a copy of the GNU General Public
20 .\" License along with this manual; if not, write to the Free
21 .\" Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111,
24 .\" Sun Feb 19 21:32:25 1995, faith@cs.unc.edu edited details away
26 .\" TO DO: This manual page should go more into detail how DES is perturbed,
27 .\" which string will be encrypted, and what determines the repetition factor.
28 .\" Is a simple repetition using ECB used, or something more advanced? I hope
29 .\" the presented explanations are at least better than nothing, but by no
32 .\" added _XOPEN_SOURCE, aeb, 970705
33 .\" added GNU MD5 stuff, aeb, 011223
35 .TH CRYPT 3 2010-06-20 "" "Linux Programmer's Manual"
37 crypt, crypt_r \- password and data encryption
40 .BR "#define _XOPEN_SOURCE" " /* See feature_test_macros(7) */"
42 .B #include <unistd.h>
44 .BI "char *crypt(const char *" key ", const char *" salt );
46 .BI "char *crypt_r(const char *" key ", const char *" salt ,
47 .BI " struct crypt_data *" data );
50 Link with \fI\-lcrypt\fP.
53 is the password encryption function.
54 It is based on the Data Encryption
55 Standard algorithm with variations intended (among other things) to
56 discourage use of hardware implementations of a key search.
59 is a user's typed password.
62 is a two-character string chosen from the set
63 [\fBa\fP\(en\fBzA\fP\(en\fBZ0\fP\(en\fB9./\fP].
64 This string is used to
65 perturb the algorithm in one of 4096 different ways.
67 By taking the lowest 7 bits of each of the first eight characters of the
69 a 56-bit key is obtained.
70 This 56-bit key is used to encrypt repeatedly a
71 constant string (usually a string consisting of all zeros).
73 value points to the encrypted password, a series of 13 printable ASCII
74 characters (the first two characters represent the salt itself).
75 The return value points to static data whose content is
76 overwritten by each call.
78 Warning: The key space consists of
81 equal 7.2e16 possible values.
82 Exhaustive searches of this key space are
83 possible using massively parallel computers.
86 is available which will search the portion of this key space that is
87 generally used by humans for passwords.
88 Hence, password selection should,
89 at minimum, avoid common words and names.
92 program that checks for crackable passwords during the selection process is
95 The DES algorithm itself has a few quirks which make the use of the
97 interface a very poor choice for anything other than password
99 If you are planning on using the
101 interface for a cryptography project, don't do it: get a good book on
102 encryption and one of the widely available DES libraries.
105 is a reentrant version of
107 The structure pointed to by
109 is used to store result data and bookkeeping information.
110 Other than allocating it,
111 the only thing that the caller should do with this structure is to set
113 to zero before the first call to
116 On success, a pointer to the encrypted password is returned.
117 On error, NULL is returned.
123 function was not implemented, probably because of U.S.A. export restrictions.
124 .\" This level of detail is not necessary in this man page. . .
126 .\" When encrypting a plain text P using DES with the key K results in the
127 .\" encrypted text C, then the complementary plain text P' being encrypted
128 .\" using the complementary key K' will result in the complementary encrypted
131 .\" Weak keys are keys which stay invariant under the DES key transformation.
132 .\" The four known weak keys 0101010101010101, fefefefefefefefe,
133 .\" 1f1f1f1f0e0e0e0e and e0e0e0e0f1f1f1f1 must be avoided.
135 .\" There are six known half weak key pairs, which keys lead to the same
136 .\" encrypted data. Keys which are part of such key clusters should be
138 .\" Sorry, I could not find out what they are.
141 .\" Heavily redundant data causes trouble with DES encryption, when used in the
147 .\" interface should be used only for its intended purpose of password
148 .\" verification, and should not be used as part of a data encryption tool.
150 .\" The first and last three output bits of the fourth S-box can be
151 .\" represented as function of their input bits. Empiric studies have
152 .\" shown that S-boxes partially compute the same output for similar input.
153 .\" It is suspected that this may contain a back door which could allow the
154 .\" NSA to decrypt DES encrypted data.
156 .\" Making encrypted data computed using crypt() publicly available has
157 .\" to be considered insecure for the given reasons.
160 SVr4, 4.3BSD, POSIX.1-2001.
165 The glibc2 version of this function supports additional
166 encryption algorithms.
170 is a character string starting with the characters "$\fIid\fP$"
171 followed by a string terminated by "$":
174 $\fIid\fP$\fIsalt\fP$\fIencrypted\fP
177 then instead of using the DES machine,
179 identifies the encryption method used and this then determines how the rest
180 of the password string is interpreted.
181 The following values of
190 2a | Blowfish (not in mainline glibc; added in some
191 | Linux distributions)
192 .\" openSUSE has Blowfish, but AFAICS, this option is not supported
193 .\" natively by glibc -- mtk, Jul 08
196 .\" glibc doesn't appear to natively support Sun MD5; I don't know
197 .\" if any distros add the support.
198 5 | SHA-256 (since glibc 2.7)
199 6 | SHA-512 (since glibc 2.7)
203 So $5$\fIsalt\fP$\fIencrypted\fP is an SHA-256 encoded
204 password and $6$\fIsalt\fP$\fIencrypted\fP is an
207 "\fIsalt\fP" stands for the up to 16 characters
208 following "$\fIid\fP$" in the salt.
209 The encrypted part of the password string is the actual computed password.
210 The size of this string is fixed:
214 SHA-256 | 43 characters
215 SHA-512 | 86 characters
218 The characters in "\fIsalt\fP" and "\fIencrypted\fP" are drawn from the set
219 [\fBa\fP\(en\fBzA\fP\(en\fBZ0\fP\(en\fB9./\fP].
220 In the MD5 and SHA implementations the entire
222 is significant (instead of only the first