Re: password encryption in libc

Erik Troan (ewt@redhat.com)
Tue, 24 Oct 1995 21:22:24 -0400 (EDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Jim Paradis: "Re: [Q] Booting a jensen system"
Previous message: Erik Troan: "Re: Just starting out.... holes to fall into..."
In reply to: David Mosberger-Tang: "password encryption in libc"
Next in thread: Erik Troan: "Re: Just starting out.... holes to fall into..."
Reply: Erik Troan: "Re: Just starting out.... holes to fall into..."

On Tue, 24 Oct 1995, David Mosberger-Tang wrote:

> It was brought to my attention that the password encryption in the
> current libc is broken. It was easy enough to fix it but this raises
> the issue of making the code/sources available via ftp. It is my
> understanding that US export laws prohibit exporting this code either
> in source or in binary form. I'm not happy about this law but on the
> other hand I'm also not willing to take any risks with it.

Not really. The crypt() call is one way only, so it's not cryptography.
It's useless for hiding information because you can't get it back.

This is why things like md5 can be distributed with no problems. All
crypt() is is a weak checksum on the key and salt.

Of course, the DES stuff is a bigger problem.

Erik

-------------------------------------------------------------------------------
"Eggheads unite! You have nothing to lose but your yolks" - Adlai Stevenson

Erik Troan = http://sunsite.unc.edu/ewt/ = ewt@sunsite.unc.edu

Next message: Jim Paradis: "Re: [Q] Booting a jensen system"
Previous message: Erik Troan: "Re: Just starting out.... holes to fall into..."
In reply to: David Mosberger-Tang: "password encryption in libc"
Next in thread: Erik Troan: "Re: Just starting out.... holes to fall into..."
Reply: Erik Troan: "Re: Just starting out.... holes to fall into..."