passlib.hash.des_crypt - DES Crypt¶
This algorithm is dangerously insecure by modern standards. It is trivially broken, and should not be used if at all possible. For new code, see the list of recommended hashes.
This class implements the original DES-based Unix Crypt algorithm. While no longer in active use in most places, it is supported for legacy purposes by many Unix flavors. It can used directly as follows:
>>> from passlib.hash import des_crypt >>> # generate new salt, hash password >>> hash = des_crypt.hash("password") 'JQMuyS6H.AGMo' >>> # verify the password >>> des_crypt.verify("password", hash) True >>> des_crypt.verify("letmein", hash) False
the generic PasswordHash usage examples
This class implements the des-crypt password hash, and follows the PasswordHash API.
It supports a fixed-length salt.
using()method accepts the following optional keywords:
- salt (str) – Optional salt string.
If not specified, one will be autogenerated (this is recommended).
If specified, it must be 2 characters, drawn from the regexp range
- truncate_error (bool) –
New in version 1.7.
- relaxed (bool) –
By default, providing an invalid value for one of the other keywords will result in a
relaxed=True, and the error can be corrected, a
PasslibHashWarningwill be issued instead. Correctable errors include
saltstrings that are too long.
New in version 1.6.
- salt (str) – Optional salt string. If not specified, one will be autogenerated (this is recommended). If specified, it must be 2 characters, drawn from the regexp range
This class will use the first available of two possible backends:
crypt(), if the host OS supports DES-Crypt (most Unix systems).
- a pure Python implementation of DES-Crypt built into Passlib.
You can see which backend is in use by calling the
A des-crypt hash string consists of 13 characters, drawn from
The first 2 characters form a
12 bit integer used as the salt, with the remaining characters
forming a hash64-encoded 64-bit integer checksum.
A des-crypt configuration string is also accepted by this module, consists of only the first 2 characters, corresponding to the salt only.
An example hash (of the string
JQMuyS6H.AGMo, where the salt is
JQ, and the checksum
The checksum is formed by a modified version of the DES cipher in encrypt mode:
Given a password string and a salt string.
The 2 character salt string is decoded to a 12-bit integer salt value; The salt string uses little-endian
If the password is less than 8 bytes, it’s NULL padded at the end to 8 bytes.
The lower 7 bits of the first 8 bytes of the password are used to form a 56-bit integer; with the first byte providing the most significant 7 bits, and the 8th byte providing the least significant 7 bits.
The remainder of the password (if any) is ignored.
25 repeated rounds of modified DES encryption are performed; starting with a null input block, and using the 56-bit integer from step 4 as the DES key.
The salt is used to to mutate the normal DES encrypt operation by swapping bits
i+24in the DES E-Box output if and only if bit
iis set in the salt value. Thus, if the salt is set to
0, normal DES encryption is performed. (This was intended to prevent optimized implementations of regular DES encryption to be useful in attacking this algorithm).
The 64-bit result of the last round of step 5 is then lsb-padded with 2 zero bits.
The resulting 66-bit integer is encoded in big-endian order using the
DES-Crypt is no longer considered secure, for a variety of reasons:
- Its use of the DES stream cipher, which is vulnerable to practical pre-image attacks, and considered broken, as well as having too-small key and block sizes.
- The 12-bit salt is considered to small to defeat rainbow-table attacks (most modern algorithms provide at least a 48-bit salt).
- The fact that it only uses the lower 7 bits of the first 8 bytes of the password results in a dangerously small keyspace which needs to be searched.
This implementation of des-crypt differs from others in a few ways:
Minimum salt string:
Some implementations of des-crypt permit empty and single-character salt strings. However, behavior in these cases varies wildly; with implementations returning everything from errors to incorrect hashes that never validate. To avoid all this, Passlib will throw an “invalid salt” if the provided salt string is not at least 2 characters.
Restricted salt string character set:
The underlying algorithm expects salt strings to use the
hash64character set to encode a 12-bit integer. Many implementations of des-crypt will accept a salt containing other characters, but vary wildly in how they are handled, including errors and implementation-specific value mappings. To avoid all this, Passlib will throw an “invalid salt” if the salt string contains any non-standard characters.
The original des-crypt algorithm was designed for 7-bit
us-asciiencoding only (as evidenced by the fact that it discards the 8th bit of all password bytes).
In order to provide support for unicode strings, Passlib will encode unicode passwords using
utf-8before running them through des-crypt. If a different encoding is desired by an application, the password should be encoded before handing it to Passlib.
|||A java implementation of des-crypt, used as base for Passlib’s pure-python implementation, can be found at http://www.dynamic.net.au/christos/crypt/UnixCrypt2.txt|