This algorithm is dangerously weak, and should not be used if at all possible.
This class implements BigCrypt (a modified version of DES-Crypt) commonly found on HP-UX, Digital Unix, and OSF/1. The main difference between it and des_crypt is that BigCrypt uses all the characters of a password, not just the first 8, and has a variable length hash.
password hash usage – for examples of how to use this class via the common hash interface.
This class implements the BigCrypt password hash, and follows the Password Hash Interface.
It supports a fixed-length salt.
An example hash (of the string passphrase) is S/8NbAAlzbYO66hAa9XZyWy2. A bigcrypt hash string has the format saltchecksum_1checksum_2...checksum_n for some integer n>0, where:
This hash format lacks any magic prefix that can be used to unambiguously identify it. Out of context, certain bigcrypt hashes may be confused with that of two other algorithms:
The bigcrypt algorithm is designed to re-use the original des-crypt algorithm:
Given a password string and a salt string.
The password is NULL padded at the end to the smallest non-zero multiple of 8 bytes.
The lower 7 bits of the first 8 characters of the password are used to form a 56-bit integer; with the first character providing the most significant 7 bits, and the 8th character providing the least significant 7 bits.
The 2 character salt string is decoded to a 12-bit integer salt value; The salt string uses little-endian hash64 encoding.
25 repeated rounds of modified DES encryption are performed; starting with a null input block, and using the 56-bit integer from step 3 as the DES key.
The salt is used to to mutate the normal DES encrypt operation by swapping bits i and i+24 in the DES E-Box output if and only if bit i is set in the salt value.
The 64-bit result of the last round of step 5 is then lsb-padded with 2 zero bits.
The resulting 66-bit integer is encoded in big-endian order using the hash64-big format. This forms the first checksum segment.
For each additional block of 8 bytes in the padded password (from step 2), an additional checksum is generated by repeating steps 3..7, with the following changes:
The final checksum string is the concatenation of the checksum segments generated from steps 7 and 8, in order.
Because of the chained structure, bigcrypt has the property that the first 13 characters of any bigcrypt hash form a valid des_crypt hash of the same password; and bigcrypt hashes of any passwords less than 9 characters will be identical to des-crypt.
BigCrypt is dangerously flawed:
This implementation of bigcrypt differs from others in two ways:
Maximum Password Size:
This implementation currently accepts arbitrarily large passwords, producing arbitrarily large hashes. Other implementation have various limits on maximum password length (commonly, 128 chars), and discard the remaining part of the password.
Thus, while Passlib should be able to verify all existing bigcrypt hashes, other systems may require hashes generated by Passlib to be truncated to their specific maximum length.
The original bigcrypt algorithm was designed for 7-bit us-ascii encoding only (as evidenced by the fact that it discards the 8th bit of all password bytes).
In order to provide support for unicode strings, Passlib will encode unicode passwords using utf-8 before running them through bigcrypt. If a different encoding is desired by an application, the password should be encoded before handing it to Passlib.
|||discussion of bigcrypt & crypt16 - http://email@example.com/msg00970.html|