These are the reasons why a little salt is strewn in: the UNIX login program
(and also the password program used to change passwords) modifies the DES
algorithm randomly in one of 4096 ways. This additional information is the
salt, which is stored in front of the encrypted password. Should two users
otherwise end up with the same entry in the password file, the password program
can simply select a different salt. But the main point is that standard DES
cipher hardware has become worthless, since it cannot implement the DES variants
mentioned.
How Crack Works
UNIX password encryption is still cryptologically very secure. The only
vulnerability in the entire process is humans: people use the names of their
friends as passwords, or the official names of their departments or subjects if
they have no sense of humor. Rumor has it that the password 'fred' has been
used quite often. Have a look at Figure 3.5 and you'll know why.
Crack exploits this fact. It basically runs a brute-force attack, though rather
than trying candidates at random, it works through the many possibilities with
the help of a dictionary. It makes sense that the user of Crack is responsible
for the dictionary (since he won't initially find the names of work subjects or
of friends in it). The entries in the dictionary are selected and modified based
on rules defined by the user; you can see some of these rules in Figure 3.6.
Depending on the planned computing power and the known peculiarities of the
users (who select their passwords themselves!), the Crack user can build his
search strategy individually. Once it has guessed a password, Crack tells the
program operator about it. Upon request, it also sends an email to the person
concerned!
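The following Python program is an added example, not code from the book or from Crack itself. It models both points made above: the two-character salt (64 symbols, hence 4096 variants) is stored in front of the hash and forces every candidate to be re-hashed separately for each user, and a Crack-style audit walks a wordlist through mangling rules to flag weak entries. SHA-256 over salt plus password stands in for the salt-modified DES (an assumption so the example runs anywhere), the rules are constructed here and are not Crack's own rule syntax, and the password file entries are constructed sample data.

```python
import hashlib
import hmac
import secrets

# The classic crypt(3) salt alphabet: 64 symbols, so a two-character salt can
# take 64 * 64 = 4096 values, matching the 4096 DES variants described above.
SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def make_salt() -> str:
    """Pick a fresh random two-character salt when a password is set."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(2))


def salted_hash(password: str, salt: str) -> str:
    """Hash a password under a two-character salt and store the salt in front of
    the result, as crypt(3) does. ASSUMPTION: SHA-256 over salt + password stands
    in for the salt-modified DES of the original scheme."""
    if len(salt) != 2 or any(c not in SALT_CHARS for c in salt):
        raise ValueError("salt must be two characters from SALT_CHARS")
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return salt + digest[:22]


def verify(password: str, stored: str) -> bool:
    """Check a login attempt: the salt is readable from the stored entry."""
    salt = stored[:2]
    return hmac.compare_digest(salted_hash(password, salt), stored)


def candidates(word: str):
    """Constructed mangling rules in the spirit of Crack's rule file: case
    changes, reversal, and a trailing digit on top of each of those."""
    for base in (word, word.capitalize(), word.upper(), word[::-1]):
        yield base
        for digit in "0123456789":
            yield base + digit


def audit(entries: dict, wordlist: list) -> tuple:
    """Return ({user: guessed_password}, hash_evaluations).

    Every user has a private salt, so each candidate must be re-hashed per user;
    that per-user cost is what stops one precomputed table from covering the
    whole password file."""
    found = {}
    evaluations = 0
    for user, stored in entries.items():
        salt = stored[:2]
        for word in wordlist:
            for guess in candidates(word):
                evaluations += 1
                if hmac.compare_digest(salted_hash(guess, salt), stored):
                    found[user] = guess
                    break
            if user in found:
                break
    return found, evaluations


# Constructed password file: salts chosen by hand so the run is reproducible.
ENTRIES = {
    "alice": salted_hash("fred", "aB"),
    "bob": salted_hash("Secret9", "x7"),
    "carol": salted_hash("fred", "Qz"),  # same password as alice, different salt
    "dave": salted_hash("correct horse battery staple", "/."),
}
WORDLIST = ["fred", "secret", "admin", "sales"]

if __name__ == "__main__":
    weak, work = audit(ENTRIES, WORDLIST)
    print("weak entries:", weak)
    print("hash evaluations needed:", work)
    print("alice and carol share a password but not a stored entry:",
          ENTRIES["alice"] != ENTRIES["carol"])
```

Running it reports alice, bob and carol as weak while dave's passphrase survives the whole wordlist, and shows that alice and carol, despite choosing the same password, have different entries because of their salts; the evaluation counter makes visible that the auditor pays the full dictionary cost again for every user.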
What Crack Is For
The last sentence probably shows best the actual purpose of Crack: the program
is not intended to enable breaking into a system, but to increase its security. When
[Figure 3.5: Part of a computer keyboard (the key rows Q W E R T Z, A S D F G H and Y X C V B N are shown) — why the password 'fred' is so popular.]