Passphrase Hashes

[Note that throughout this section, passphrases can also be considered to include passwords. We use the term "passphrase" because for security, these should be much longer than a typical word.]

A passphrase hash is a method of transforming a text string that can be remembered by a human user, into a result that can be used either:

The security properties required for these uses are effectively identical, which motivates considering passphrase hashes as a single algorithm category, rather than two different categories. However, particular algorithms may only be defined for one of these uses.


BSD PassphraseHash
Designers:
The OpenBSD Project
Description:
The BSD passphrase hash is used by OpenBSD; it is upwardly compatible with the hash used by NetBSD (MD5-crypt), and the original Unix crypt(3) algorithm (Traditional-crypt3), but the recommended way to generate new hashes is to use bcrypt. It is defined only for generation of authenticators.

When a passphrase is verified, the first few characters of the authenticator determine which mechanism is used:

When an authenticator is generated, bcrypt is always used, because it is the most secure of the mechanisms.

References:
Output types:
Binary and string authenticators, as specified above.
Missing information:
Test vectors.
Security comment:
The security of this algorithm depends on which mechanism is used. See the security comments for Traditional-crypt3 and MD5-crypt. The bcrypt mechanism does not appear to have any significant weaknesses.


bcrypt PassphraseHash
Designers:
Niels Provos, David Mazières, The OpenBSD Project
Published:
1999
References:
Salt length:
16 bytes.
Output types:
Missing information:
Test vectors.


IteratedAndSalted(digest) PassphraseHash
Designers:
Phil Zimmermann, OpenPGP working group
Published:
1998
Description:
See section 3.6.1.3 of RFC 2440. The passphrase is encoded as UTF-8. This hash is defined only as a PBKDF.
Aliases:
"OpenPGP.S2K.3"
References:
Parameters:
Salt length:
OpenPGP only specifies use of a 64-bit salt. However, it is RECOMMENDED that implementations support any salt length.
Output types:


MD5-crypt PassphraseHash
Description:
This is a password hash function used in NetBSD (and some other BSD variants).
References:
Salt length:
Minimum 12, maximum 48 bits, multiple of 8 bits (always 48 bits when generating authenticators).
Output types:
Missing information:
Test vectors.
Security comments:
The amount of computation needed (1000 hash iterations) is not sufficient to adequately slow down dictionary attacks. Therefore, MD5-crypt SHOULD NOT be used for new applications.


Simple(digest) PassphraseHash
Designers:
Phil Zimmermann, OpenPGP working group
Published:
1998
Description:
See section 3.6.1.1 of RFC 2440. The passphrase is encoded as UTF-8. This hash is defined only as a PBKDF.
Aliases:
"OpenPGP.S2K.0"
References:
Parameters:
Output types:
Security comments:


Salted(digest) PassphraseHash
Designers:
OpenPGP working group
Published:
1998
Description:
See section 3.6.1.2 of RFC 2440. The passphrase is encoded as UTF-8. This hash is defined only as a PBKDF.
Aliases:
"OpenPGP.S2K.1"
References:
Parameters:
Salt length:
OpenPGP only specifies use of a 64-bit salt. However, it is RECOMMENDED that implementations support any salt length.
Output types:
Security comment:
The lack of any method of slowing down the hash function makes dictionary attacks much easier than necessary. Therefore, the Salted hash SHOULD NOT be used for new applications.
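The three OpenPGP hashes above (Simple, Salted, IteratedAndSalted) differ only in what is fed to the digest, which is why only the iterated form slows down dictionary attacks. The following Python sketch is an added example, not code from this page or from the OpenPGP working group; it follows RFC 2440 section 3.6.1 as understood here, and the function names, the SHA-1 default and the sample salt are assumptions made for illustration.

```python
import hashlib

def s2k_count(c: int) -> int:
    """Decode the one-octet coded count of S2K type 3 into a number of octets."""
    return (16 + (c & 15)) << ((c >> 4) + 6)

def _derive(data: bytes, total: int, key_len: int, digest: str) -> bytes:
    # Hash the first `total` octets of `data` repeated end to end. When the
    # key is longer than one digest, further hash contexts are used, the
    # n-th one preloaded with n zero octets, and the digests concatenated.
    out, preload = b"", 0
    while len(out) < key_len:
        h = hashlib.new(digest, b"\x00" * preload)
        if data:
            full, rest = divmod(total, len(data))
            for _ in range(full):
                h.update(data)
            h.update(data[:rest])
        out += h.digest()
        preload += 1
    return out[:key_len]

def s2k_simple(passphrase: str, key_len: int, digest: str = "sha1") -> bytes:
    data = passphrase.encode("utf-8")
    return _derive(data, len(data), key_len, digest)

def s2k_salted(passphrase: str, salt: bytes, key_len: int,
               digest: str = "sha1") -> bytes:
    data = salt + passphrase.encode("utf-8")
    return _derive(data, len(data), key_len, digest)

def s2k_iterated(passphrase: str, salt: bytes, c: int, key_len: int,
                 digest: str = "sha1") -> bytes:
    data = salt + passphrase.encode("utf-8")
    # The whole salt + passphrase is always hashed at least once.
    return _derive(data, max(s2k_count(c), len(data)), key_len, digest)

if __name__ == "__main__":
    salt = bytes(range(8))  # constructed 64-bit salt, for demonstration only
    print("simple  :", s2k_simple("hello", 16).hex())
    print("salted  :", s2k_salted("hello", salt, 16).hex())
    print("iterated:", s2k_iterated("hello", salt, 96, 16).hex())
    print("octets hashed at c=96:", s2k_count(96))
```

The coded count is the only work factor: at c=0 each guess costs 1024 hashed octets, at c=255 it costs 65011712, while the Simple and Salted forms cost a single pass over the passphrase.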


Traditional-crypt3 PassphraseHash
Designer:
Dennis Ritchie
Published:
Apparently in Version 7 of AT&T UNIX [1979?].
Alias:
"crypt3-DES"
Description:
This is the "traditional" Unix crypt(3) algorithm, based on DES. Unfortunately there appears to be no definitive reference for this algorithm, so it is described below:

A 12-bit salt is used, considered here as an integer between 0 and 4095. The password is represented as a US-ASCII string, and padded with zeroes up to 8 bytes. Passwords containing non-US-ASCII characters (with code points >= 128), or that are longer than 8 characters are invalid. (Note that many Unix implementations silently truncate passwords to 8 characters; to interoperate with an implementation that does this, the user of the "Traditional-crypt3" algorithm must do the truncation.)

Each byte of the US-ASCII-encoded, zero-padded password is then shifted left by one bit, and the result used as a key for a modified variant of DES. The key is used to encrypt a block of 8 zero bytes, 25 times. The parity of key bytes is ignored.

In standard DES, the output of each expansion permutation is a block of 48 bits, which are numbered as in FIPS PUB 46-2 (i.e. from 1 on the left to 48 on the right). Salt bits are numbered from 1 for the least significant bit, to 12 for the most significant bit. The modification of DES is that if salt bit i is set, then bits i and i + 24 are swapped in the DES expansion permutation (a.k.a. "E-box") output.

The salt and final modified-DES ciphertext are encoded in 13 bytes as follows:

encode(x) =
    ("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" ||
     "abcdefghijklmnopqrstuvwxyz")[x]
E_salt(P) = encryption of the 8-byte block P, using DES modified
    by the salt.
C = E_salt^25(<0, 0, 0, 0, 0, 0, 0, 0>)
output =
    encode(salt & 0x3F) ||
    encode(salt >>> 6) ||
    encode(C[0] >>> 2) ||
    encode(((C[0] << 4) & 0x3F) | (C[1] >>> 4)) ||
    encode(((C[1] << 2) & 0x3F) | (C[2] >>> 6)) ||
    encode(C[2] & 0x3F) ||
    encode(C[3] >>> 2) ||
    encode(((C[3] << 4) & 0x3F) | (C[4] >>> 4)) ||
    encode(((C[4] << 2) & 0x3F) | (C[5] >>> 6)) ||
    encode(C[5] & 0x3F) ||
    encode(C[6] >>> 2) ||
    encode(((C[6] << 4) & 0x3F) | (C[7] >>> 4)) ||
    encode((C[7] << 2) & 0x3F)
where
    << denotes shift left,
    >>> denotes unsigned shift right,
    || denotes concatenation,
    & denotes bitwise AND,
    | denotes bitwise OR.

When verifying an authenticator A, the salt is recovered from the first two characters of A (least significant 6 bits first):
    salt = encode^-1(A[0]) | (encode^-1(A[1]) << 6)
and the authentication succeeds iff the correct output can be derived from the password and this salt.
References:
Output types:
Missing information:
Test vectors.
Comments:
Security comments:
Traditional-crypt3 has the following weaknesses:

It therefore SHOULD NOT be used for new applications.
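The password preparation and the 13-character encoding described above can be checked without a DES implementation. The following Python sketch is an added example, not code from this page or from any Unix implementation; the function names are assumptions. It packs the 64 ciphertext bits six at a time, most significant first, with two zero padding bits, and its decoder can be used to recognise and validate legacy authenticators when auditing a password file.

```python
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def des_key(password: str) -> bytes:
    """Key bytes for the salt-modified DES: US-ASCII, zero-padded to 8 bytes,
    each byte shifted left by one bit (the parity bit position is ignored)."""
    raw = password.encode("ascii")  # raises on code points >= 128
    if len(raw) > 8:
        raise ValueError("longer than 8 characters: the caller must truncate")
    return bytes((b << 1) & 0xFF for b in raw.ljust(8, b"\x00"))

def encode_authenticator(salt: int, c: bytes) -> str:
    """Encode a 12-bit salt and the 8-byte ciphertext C as 13 characters."""
    if not 0 <= salt <= 4095 or len(c) != 8:
        raise ValueError("salt must be 0..4095 and C must be 8 bytes")
    bits = int.from_bytes(c, "big") << 2  # 64 bits + 2 zero bits = 11 groups
    idx = [salt & 0x3F, salt >> 6]
    idx += [(bits >> shift) & 0x3F for shift in range(60, -1, -6)]
    return "".join(ALPHABET[i] for i in idx)

def decode_authenticator(a: str):
    """Return (salt, C) from a 13-character authenticator, rejecting
    strings that the encoding above could never have produced."""
    if len(a) != 13 or any(ch not in ALPHABET for ch in a):
        raise ValueError("not a 13-character Traditional-crypt3 authenticator")
    v = [ALPHABET.index(ch) for ch in a]
    salt = v[0] | (v[1] << 6)  # least significant 6 bits first
    bits = 0
    for x in v[2:]:
        bits = (bits << 6) | x
    if bits & 0x3:
        raise ValueError("last character carries non-zero padding bits")
    return salt, (bits >> 2).to_bytes(8, "big")

if __name__ == "__main__":
    sample_c = bytes.fromhex("123456789abcdef0")  # constructed, not a real hash
    auth = encode_authenticator(0x5A3, sample_c)
    print(auth, decode_authenticator(auth))
    print(des_key("secret").hex())
```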


WindowsNT PassphraseHash
Designers:
Microsoft Corp.
Description:
A WindowsNT passphrase hash is calculated by applying the MD4 message digest to a UTF16-LE encoding of the passphrase (which is case-sensitive, and of length 0 to 256 Unicode characters). It is defined for generation of authenticators only.
References:
Security comments:

Alleged PassphraseHashes

