topic Algorithm for encrypting passwords in Operating System - HP-UX

Algorithm for encrypting passwords

Richard Vinnicombe — Fri, 29 Apr 2005 06:05:54 GMT

Please could someone advise me of the algorithm used to encrypt users passwords in HP-UX 11 in both Trusted and Standard mode (if they are different) thanks, Richard

Re: Algorithm for encrypting passwords

Suraj Singh_1 — Fri, 29 Apr 2005 06:15:36 GMT

Why do u require it first of all?

I am sure only HP Lab engineers would be aware of any such algorithm.

Regards

Re: Algorithm for encrypting passwords

Richard Vinnicombe — Fri, 29 Apr 2005 06:25:10 GMT

A request by my government accreditor to get some assurance it will meet UK minimum standards.

I found an HP-UX security white paper written by Mike Jerbik of HP which states the various algorithms used in the product but it doesn't say which ones are used for which applications. Some are obvious i.e. for signing and key exchange, others could all be used to support a basic password encryption function. I just need to know which it is.

Cheers,

RV

Re: Algorithm for encrypting passwords

Jeff Schussele — Fri, 29 Apr 2005 08:22:39 GMT

Hi Richard,

The HP-UX PAM modules use the crypt command which simulates a one rotor 256 element rotor similar to the German Enigma system.
Also the crypt command uses the makekey command which takes the salt value provided to the crypt command to select one of 4096 cryptographic machines all based on the DES standard algorithm.
man crypt & makekey for further details.

Rgds,
Jeff

Re: Algorithm for encrypting passwords

Richard Vinnicombe — Fri, 29 Apr 2005 08:26:15 GMT

Thanks for that, should keep the authorities happy for a bit longer. Cheers, RV

Re: Algorithm for encrypting passwords

Bill Hassell — Fri, 29 Apr 2005 11:10:40 GMT

Actually, the details are quite explicit (and haven't changed for more than 20 years) in the man pages for:

man 4 passwd
man crypt
man makekey

The system is based on the German Enigma machine, a mechanical encryption device used during WW2. The software system uses 256 rotors (mechanically difficult) and some other techniques to keep the password encryption at a high level. Note that this encryption method is 'lossy' in that there is no method to directly decode the password. Or more accurately, several strings can encrypt to the same value.

The weakness in the Unix password is due to human nature. If you have an encrypted password string, you could try guessing millions of words and numbers until a match is found (the result matches the encrypted target password). By hand, this is impossible to accomplish in a reasonable time period, but by computer, this can be attempted using giant dictionaries along with common number and special character substitution. Current stats show that passwords can be guessed for about 40-60% of typical user accounts.

That's why it is never recommended to use the standard Unix method for password storage (/etc/passwd) but to use the TCB method (called Trusted in HP-UX) or shadow password system. In this way, the encrypted password is hidden in a root-only directory. Trusted systems use the same encryption method but remove the limitation of 8 character passwords.

Have your auditors use Google to search for:
Unix passwords Enigma
to see the history and background details.

Re: Algorithm for encrypting passwords

Richard Vinnicombe — Fri, 29 Apr 2005 11:58:17 GMT

Thanks also for this, I had a look at the Trusted mode and what it can do in terms of advanced password features and also the TCSEC C2 assurance the overall OS has.

I'd be keen to know if the authentication modules in the trusted mode have been included in an ITSEC or Common Criteria Target of Evaluation and any resulting E/EAL value achieved.

Many thanks,

Richard