How to decrypt a password generated in crypt()?
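I am looking for a decryption function for the crypt(3) function. Reading the manual, it only refers me to login(1), passwd(1), encrypt(3), getpass(3), passwd(5), but as far as I know none of them can be used to decrypt the string.
I put together a small program to illustrate my point; the function I am looking for is somefunctogetbackplaintext(...)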
    #define _XOPEN_SOURCE
    #include <unistd.h>
    #include <string.h>
    #include <stdio.h>

    int
    main(int argc, char *argv[])
    {
        char *cryptated = crypt(argv[1], "aa"); // Password and salt
        // somefunctogetbackplaintext() is the hypothetical function being asked about
        if (strcmp("somepassword", somefunctogetbackplaintext(argv[1], cryptated, "aa")) == 0) // Plain text, cryptated string, salt
        {
            printf("Success!\n");
        }
        else
        {
            printf("Not a success!\n");
        }
        return 0;
    }
Below is an excerpt from the abstract of this article, distinguishing the concepts of encryption and hashing:
Passwords remain the primary means for online authentication and must
be protected when stored on a server. Encryption is an option, but it
has an inherent weakness in this application because the server
authenticating the password must have the key to decrypt it. An
attacker who steals a file of encrypted passwords might also steal the
key.
Hashing is a better option, especially with the judicious use of salt,
according to mathematician Andrew Regenscheid and computer scientist
John Kelsey of the National Institute of Standards and Technology’s
Computer Security Division.
Encryption is a two-way function; what is encrypted can be decrypted
with the proper key. Hashing, however, is a one-way function that
scrambles plain text to produce a unique message digest. With a
properly designed algorithm, there is no way to reverse the hashing
process to reveal the original password. An attacker who steals a file
of hashed passwords must then guess the password.
(emphasis mine)
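Also (from the comments), link states explicitly: crypt is the library function which is used to compute a password hash...
crypt does not encrypt passwords (so there is no way to decrypt them). Instead, crypt hashes a given password, producing a string that is impossible to reverse to the original password (because the hash function loses information in the process). The most practical way to attack crypt and recover passwords from their hashes is probably some sort of dictionary attack.
However, none of that is necessary to check whether a given password is correct: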
    const char *password_and_salt = ...; // e.g. from getpwent or a database
    const char *input = argv[1];
    const char *hashed = crypt(input, password_and_salt); // NULL if hashing fails
    if (hashed != NULL && strcmp(hashed, password_and_salt) == 0) {
        printf("your password is correct\n");
    }
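In other words, you pass the user input to crypt and check whether it matches the known result of an earlier crypt. If it does, the passwords match.
The Wikipedia article on crypt states:
Excerpt 1: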
crypt is the library function which is used to compute a password hash that can be used to store user account passwords while keeping them relatively secure (a passwd file).
Excerpt 2:
This is technically not encryption since the data (all bits zero) is not being kept secret; it's widely known to all in advance. However, one of the properties of DES is that it's very resistant to key recovery even in the face of known plaintext situations. It is theoretically possible that two different passwords could result in exactly the same hash. Thus the password is never "decrypted": it is merely used to compute a result, and the matching results are presumed to be proof that the passwords were "the same."
That is the answer to the question: "the password is never "decrypted""
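A fuller version of the check described in the answers, added here as an example (not code from the original posts): it verifies by re-hashing with the stored string as the setting, handles a failed crypt call, and shows the information loss of the traditional DES scheme selected by the salt "aa", which reads only the first 8 characters of the password. Assumptions: the names hash_password and verify_password are made up for this example, and crypt is loaded with dlopen from libcrypt.so.1 so the file builds without -lcrypt.

```c
#define _XOPEN_SOURCE 700
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

/* Assumption: crypt(3) is loaded from libcrypt.so.1 (glibc) at run time so this
 * builds without -lcrypt; normally include <crypt.h> and call crypt(). */
typedef char *(*crypt_fn)(const char *key, const char *setting);

/* Hash pw under setting into out; returns 0 on success, -1 on failure. */
int hash_password(const char *pw, const char *setting, char *out, size_t len)
{
    static crypt_fn fn;
    void *lib = fn ? NULL : dlopen("libcrypt.so.1", RTLD_NOW);
    if (lib)
        *(void **)&fn = dlsym(lib, "crypt");
    const char *h = fn ? fn(pw, setting) : NULL;
    /* NULL or a "*0"/"*1" failure token both mean no hash was produced. */
    if (!h || h[0] == '*' || strlen(h) >= len)
        return -1;
    strcpy(out, h);
    return 0;
}

/* 1 = match, 0 = mismatch, -1 = hashing failed. The stored string doubles as
 * the setting: crypt reads scheme and salt from its prefix and recomputes. */
int verify_password(const char *input, const char *stored)
{
    char h[256];
    if (hash_password(input, stored, h, sizeof h) != 0)
        return -1;
    if (strlen(h) != strlen(stored))
        return 0;
    unsigned char diff = 0;             /* compare without early exit */
    for (size_t i = 0; stored[i]; i++)
        diff |= (unsigned char)(h[i] ^ stored[i]);
    return diff == 0;
}

int main(void)
{
    char stored[64];                    /* constructed sample, salt "aa" */
    if (hash_password("somepassword", "aa", stored, sizeof stored) != 0)
        return 1;
    printf("%s %d %d %d\n", stored, verify_password("somepassword", stored),
           verify_password("wrongpass", stored),
           verify_password("somepassXYZ", stored)); /* DES reads 8 chars */
    return 0;
}
```

The third check succeeds even though the input differs from the original password, which is why matching hashes are only presumed to mean matching passwords and why legacy DES hashes should be migrated to a modern scheme.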