6.4. DES, MD5, and Crypt

Parts rewritten and updated by Bill Swingle , 21 March 2000.

Every user on a UNIX system has a password associated with their account, obviously these passwords need to be known only to the user and the actual operating system. In order to keep these passwords secret, they are encrypted with what is known as a 'one-way hash', that is, they can only be easily encrypted but not decrypted. The only way to get the password is by brute force searching the space of possible passwords. Unfortunately the only secure way to encrypt passwords when UNIX came into being was based on DES, the Data Encryption Standard. This is not such a problem for users that live in the US, but since the source code for DES cannot be exported outside the US, FreeBSD had to find a way to both comply with US law and retain compatibility with all the other UNIX variants that still use DES.

The solution was to divide up the encryption libraries so that US users could install the DES libraries and use DES but international users still had an encryption method that could be exported abroad. This is how FreeBSD came to use MD5 as it's default encryption method.

6.4.1. Recognizing your crypt mechanism

It is pretty easy to identify which encryption method FreeBSD is set up to use. Examining the encrypted passwords in the /etc/master.passwd file is one way. Passwords encrypted with the MD5 hash are longer than those with encrypted with the DES hash and also begin with the characters $1$. DES password strings do not have any particular identifying characteristics, but they are shorter than MD5 passwords, and are coded in a 64-character alphabet which does not include the $ character, so a relatively short string which does not begin with a dollar sign is very likely a DES password.

Identifying which library is being used by the programs on your system is easy as well. Any program that uses crypt is linked against libcrypt which for each type of library is a symbolic link to the appropriate implementation. For example, on a system using the DES versions:

    % ls -l /usr/lib/libcrypt*
    lrwxr-xr-x  1 root  wheel  13 Mar 19 06:56 libcrypt.a -> libdescrypt.a
    lrwxr-xr-x  1 root  wheel  18 Mar 19 06:56 libcrypt.so.2.0 -> libdescrypt.so.2.0
    lrwxr-xr-x  1 root  wheel  15 Mar 19 06:56 libcrypt_p.a -> libdescrypt_p.a

On a system using the MD5-based libraries, the same links will be present, but the target will be libscrypt rather than libdescrypt.