*nix Documentation Project
·  Home
 +   man pages
·  Linux HOWTOs
·  FreeBSD Tips
·  *niX Forums

  man pages->NetBSD man pages -> setkey (3)              



NAME    [Toc]    [Back]

     crypt, setkey, encrypt, des_setkey, des_cipher - password encryption

LIBRARY    [Toc]    [Back]

     Crypt Library (libcrypt, -lcrypt)

SYNOPSIS    [Toc]    [Back]

     #include <unistd.h>

     *crypt(const char *key, const char *setting);

     encrypt(char *block, int flag);

     des_setkey(const char *key);

     des_cipher(const char *in, char *out, long salt, int count);

     #include <stdlib.h>

     setkey(const char *key);

DESCRIPTION    [Toc]    [Back]

     The crypt() function performs password encryption.  The encryption scheme
     used by crypt() is dependent upon the contents of the NUL-terminated
     string setting.  If setting begins with the ``$'' character, a non-DES
     encryption scheme is selected (currently MD5 hashing only).  If setting
     begins with the ``_'' character, DES encryption with a user specified
     number of perturbations is selected.  If setting begins with any other
     character, DES encryption with a fixed number of perturbations is

   DES encryption    [Toc]    [Back]
     The DES encryption scheme is derived from the NBS Data Encryption Standard.
  Additional code has been added to deter key search attempts and to
     use stronger hashing algorithms.  In the DES case, the first argument to
     crypt() is a character array, 9 bytes in length, consisting of an underscore
 (``_'') followed by 4 bytes of iteration count and 4 bytes of salt.
     Both the iteration count and the salt are encoded with 6 bits per character,
 least significant bits first.  The values 0 to 63 are encoded by the
     characters ``./0-9A-Za-z'', respectively.

     The salt is used to induce disorder in to the DES algorithm in one of
     16777216 possible ways (specifically, if bit i of the salt is set then
     bits i and i+24 are swapped in the DES ``E'' box output).  The key is
     divided into groups of 8 characters (a short final group is null-padded)
     and the low-order 7 bits of each character (56 bits per group) are used
     to form the DES key as follows: the first group of 56 bits becomes the
     initial DES key.  For each additional group, the XOR of the group bits
     and the encryption of the DES key with itself becomes the next DES key.
     Then the final DES key is used to perform count cumulative encryptions of
     a 64-bit constant.  The value returned is a NUL-terminated string, 20
     bytes in length, consisting of the setting followed by the encoded 64-bit

     For compatibility with historical versions of crypt(3), the setting may
     consist of 2 bytes of salt, encoded as above, in which case an iteration
     count of 25 is used, fewer perturbations of DES are available, at most 8
     characters of key are used, and the returned value is a NUL-terminated
     string 13 bytes in length.

     The functions encrypt(), setkey(), des_setkey() and des_cipher() allow
     limited access to the DES algorithm itself.  The key argument to setkey()
     is a 64 character array of binary values (numeric 0 or 1).  A 56-bit key
     is derived from this array by dividing the array into groups of 8 and
     ignoring the last bit in each group.

     The encrypt() argument block is also a 64 character array of binary values.
  If the value of flag is 0, the argument block is encrypted, otherwise
 it is decrypted.  The encryption or decryption is returned in the
     original array block after using the key specified by setkey() to process

     The des_setkey() and des_cipher() functions are faster but less portable
     than setkey() and encrypt().  The argument to des_setkey() is a character
     array of length 8.  The least significant bit in each character is
     ignored and the next 7 bits of each character are concatenated to yield a
     56-bit key.  The function des_cipher() encrypts (or decrypts if count is
     negative) the 64-bits stored in the 8 characters at in using abs(3) of
     count iterations of DES and stores the 64-bit result in the 8 characters
     at out.  The salt specifies perturbations to DES as described above.

   MD5 encryption    [Toc]    [Back]
     For the MD5 encryption scheme, the version number (in this case ``1''),
     salt and the hashed password are separated by the ``$'' character.  A
     valid password looks like this:


     The entire password string is passed as setting for interpretation.

RETURN VALUES    [Toc]    [Back]

     The function crypt() returns a pointer to the encrypted value on success
     and NULL on failure.  The functions setkey(), encrypt(), des_setkey(),
     and des_cipher() return 0 on success and 1 on failure.  Historically, the
     functions setkey() and encrypt() did not return any value.  They have
     been provided return values primarily to distinguish implementations
     where hardware support is provided but not available or where the DES
     encryption is not available due to the usual political silliness.

SEE ALSO    [Toc]    [Back]

     login(1), passwd(1), getpass(3), md5(3), passwd(5), passwd.conf(5)

     Wayne Patterson, Mathematical Cryptology for Computer Scientists and
     Mathematicians, ISBN 0-8476-7438-X, 1987.

     R. Morris and Ken Thompson, "Password Security: A Case History",
     Communications of the ACM, vol. 22, pp. 594-597, Nov. 1979.

     M.E. Hellman, "DES will be Totally Insecure within Ten Years", IEEE
     Spectrum, vol. 16, pp. 32-39, July 1979.

HISTORY    [Toc]    [Back]

     A rotor-based crypt() function appeared in Version 6 AT&T UNIX.  The current
 style crypt() first appeared in Version 7 AT&T UNIX.

BUGS    [Toc]    [Back]

     Dropping the least significant bit in each character of the argument to
     des_setkey() is ridiculous.

     The crypt() function leaves its result in an internal static object and
     returns a pointer to that object.  Subsequent calls to crypt() will modify
 the same object.

BSD                            December 11, 1993                           BSD
[ Back ]
 Similar pages
Name OS Title
crypt Linux password and data encryption
crypt IRIX password and file encryption functions
EVP_BytesToKey OpenBSD password based encryption routine
pw_getconf NetBSD password encryption configuration access function
des_quad_cksum Tru64 Data Encryption Standard (DES) encryption library routines (Auth)
des_string_to_key Tru64 Data Encryption Standard (DES) encryption library routines (Auth)
des_is_weak_key Tru64 Data Encryption Standard (DES) encryption library routines (Auth)
des_key_sched Tru64 Data Encryption Standard (DES) encryption library routines (Auth)
des_crypt Tru64 Data Encryption Standard (DES) encryption library routines (Auth)
yppasswd Tru64 Update user password in Network Information Service (NIS) password map.
Copyright © 2004-2005 DeniX Solutions SRL
newsletter delivery service