Thread: MD5 Encryption

  1. #1
    peterb

    MD5 Encryption

    I have just been upgrading my Red Hat 9 system to Fedora Core 6 (a story in its own right!) and have been looking to protect the grub menu.

    The grub instructions about generating a hashed password for the grub.conf file are pretty clear, using the grub md5crypt instruction, which gives the following hash for the word 'password' (used as an example only!)

    $1$nyMk1$VBJSB8bk/te5dUw4G84Z3.

    However if I run the command again I get

    $1$G8Nk1$QkEtA9YXJKh9oI/I.j7jN/

    and yet again

    $1$nINk1$2jBs1k3Hhp5sN33dEostI1

    All are different, yet if I paste any of those into the grub.conf file the system works as expected! The only common feature is the $1$ at the start of each hash.

    Now if I use md5sum command on the word password, I get

    5f4dcc3b5aa765d61d8327deb882cf99

    consistently - yet this does not work in the grub.conf file and I get incorrect password returned! However that does work in other applications that use MD5 passwords (for example login passwords stored in a mysql database).

    While I understand the principles of hashing passwords, what is happening in this instance? Can anyone explain what is happening please - Google and the FC books have failed so far! (My guess is that there is some form of symmetric encryption going on, that is (obviously) different from a plain hashed password.)

  2. #2
    Moby-Dick
    I'd love to help you on this one, but I'm afraid it's beyond me. I'll ask around to see if I can find a better answer.

  3. #3
    ikonia
    Reading up on the technique you're using - it's not actually a binary, it's a shell script.

    It actually invokes grub with the --batch option.

    This is the part I'm not 100% clear on as I'm reading this as I type, but running in --batch mode sets a unique identifier (random) for the "batch" job (terrible wording) it's processing, it then runs md5crypt. I think the unique identifier is being used as the random seed for the crypt in this scenario.

    I'm not 100% on this as I said, I'm reading info on this as I type it, but looking at the script and from what I'm reading that's the case. That seed is embedded into "grub" when it's written to the boot sector I assume.

    I'll do a bit more of a proper look tonight as I can access something to test on.

  4. #4
    peterb
    Thank you both, and Ikonia for the insight about the script - I will have another look at that aspect too!

    Wrestling with Logical volume management at the moment - somewhat disappointed to find that ext3 formatted LVs cannot be grown without unmounting them (contrary to some documentation) which is not a great problem for /home directories, but is for other mount points (such as /var, which I was intending to give its own LV). Seems more faff to grow those than it is to use the excellent gparted live CD to resize partitions! The only advantage seems to be the ability to migrate data across physical hard drives that form part of one LV.

    Incidentally, (Ikonia) a few months ago you recommended "Understanding the Linux Kernel". I only understood about 20% of it, but it was instrumental in persuading me to upgrade to the 2.6 Kernel (the other factor was the death of the Fedora Legacy support programme). The 2.6 kernel seems FAR more efficient at memory management than the 2.4.

  5. #5
    ikonia
    Glad you found the book useful, the more you use the more you'll re-reference that book and understand more.

    ext3 volumes can be extended online there are just a few tricks to it, and the redhat/fedora tools don't make it easy.

    Have a look at fsadm and e2fsadmin then do a little google for redhat on these two topics and you'll find all the little glitches and workarounds - it does work.

    If you want more detail let me know and I'll go through it all with you in tedious detail that I'll not take this thread off topic with or send the forum to sleep with.

  7. #6
    peterb
    Just done a bit more googling based on the leads you suggested and found this site

    http://search.cpan.org/~zefram/Authe.../Passphrase.pm

    The relevant extracts are:

    crypt encoding

    The Unix crypt() function, which performs passphrase hashing, returns hashes in a textual format intended to be stored in a text file. In particular, such hashes are stored in /etc/passwd (and now /etc/shadow) to control access to Unix user accounts. The same textual format has been adopted and extended by other passphrase-handling software such as password crackers.

    For historical reasons, there are several different syntaxes used in this format. The original DES-based password scheme represents its hashes simply as a string of thirteen base 64 digits. An extended variant of this scheme uses nineteen base 64 digits, preceded by an "_" marker. A more general syntax was developed later, which starts the string with "$", an alphanumeric scheme identifier, and another "$".

    In addition to actual passphrase hashes, the crypt format can also represent a couple of special cases. The empty string indicates that there is no access control; it is possible to login without giving a passphrase. Finally, any string that is not a possible output of crypt() may be used to prevent login completely; "*" is the usual choice, but other strings are used too.

    crypt strings are intended to be used in text files that use colon and newline characters as delimiters. This module treats the crypt string syntax as being limited to ASCII graphic characters excluding colon.

    RFC 2307 encoding
    RFC 2307 describes an encoding system for passphrase hashes, to be used in the "userPassword" attribute in LDAP databases. It encodes hashes as ASCII text, and supports several passphrase schemes in an extensible way by starting the encoding with an alphanumeric scheme identifier enclosed in braces. There are several standard scheme identifiers. The "{CRYPT}" scheme allows the use of any crypt encoding.

    This module treats the RFC 2307 string syntax as being limited to ASCII graphic characters.

    The RFC 2307 encoding is a good one, and is recommended for storage and exchange of passphrase hashes.

    CONSTRUCTORS
    Authen::Passphrase->from_crypt(PASSWD)
    Returns a passphrase recogniser object matching the supplied crypt encoding. This constructor may only be called on the base class, not any subclass.

    The specific passphrase recogniser class is loaded at runtime, so successfully loading Authen::Passphrase does not guarantee that it will be possible to use a specific type of passphrase recogniser. If necessary, check separately for presence and loadability of the recogniser class.

    Known scheme identifiers:

    $1$
    A baroque passphrase scheme based on MD5, designed by Poul-Henning Kamp and originally implemented in FreeBSD. See Authen::Passphrase::MD5Crypt.
    and

    The MD5-based crypt() scheme uses the whole passphrase, a salt which can in principle be an arbitrary byte string, and the MD5 message digest algorithm. First the passphrase and salt are hashed together, yielding an MD5 message digest. Then a new digest is constructed, hashing together the passphrase, the salt, and the first digest, all in a rather complex form. Then this digest is passed through a thousand iterations of a function which rehashes it together with the passphrase and salt in a manner that varies between rounds. The output of the last of these rounds is the resulting passphrase hash.

    In the crypt() function the raw hash output is then represented in ASCII as a 22-character string using a base 64 encoding. The base 64 digits are ".", "/", "0" to "9", "A" to "Z", "a" to "z" (in ASCII order). Because the base 64 encoding can represent 132 bits in 22 digits, more than the 128 required, the last digit can only take four of the base 64 digit values. An additional complication is that the bytes of the raw algorithm output are permuted in a bizarre order before being represented in base 64.

    There is no tradition of handling these passphrase hashes in raw binary form. The textual encoding described above, including the final permutation, is used universally, so this class does not support any binary format.
    (The smileys are an interpretation by the message board software of the syntax used in the quote)

    Still looking at LVM - thank you!

    just found this at http://tldp.org/HOWTO/LVM-HOWTO/extendlv.html

    For ext2 there is an easier way. LVM 1 ships with a utility called e2fsadm which does the lvextend and resize2fs for you (it can also do file system shrinking, see the next section).


    LVM 2 Caveat
    There is currently no e2fsadm equivalent for LVM 2 and the e2fsadm that ships with LVM 1 does not work with LVM 2.


    so the single command
    I am using LVM 2.02.17 - e2fsadm looks as if it was an LVM 1 tool (the book I am using - "Fedora Linux" - refers to on-line resizing upwards using the graphical interface, but again that fails on my system with mounted filesystems)
    Last edited by peterb; 04-07-2007 at 02:21 PM.
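An added example, not part of the thread or of the quoted module: a Python implementation of the $1$ scheme as described in the extract quoted in post #6. It shows why grub's md5crypt output differs on every run while md5sum's does not: the salt is stored between the second and third "$", and checking a password means re-hashing with that salt. The function names are assumptions of this example; the three sample strings are the ones quoted in post #1.

```python
import hashlib, hmac, secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5crypt(password: bytes, salt: bytes) -> str:
    """FreeBSD-style $1$ hash of password under the given salt (at most 8 bytes)."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()   # first digest
    ctx = hashlib.md5(password + b"$1$" + salt)              # second digest
    for n in range(len(password), 0, -16):    # first digest, cut to password length
        ctx.update(alt[:min(n, 16)])
    n = len(password)
    while n:                                  # one byte per bit of the length
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                     # the thousand varying rounds
        h = hashlib.md5(password if i & 1 else final)
        if i % 3: h.update(salt)
        if i % 7: h.update(password)
        h.update(final if i & 1 else password)
        final = h.digest()
    out = []                                  # permuted bytes, 4 digits per 24 bits
    for a, b, c in [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]:
        v = final[a] << 16 | final[b] << 8 | final[c]
        out += [ITOA64[v >> s & 0x3F] for s in (0, 6, 12, 18)]
    out += [ITOA64[final[11] & 0x3F], ITOA64[final[11] >> 6]]
    return "$1$" + salt.decode("ascii") + "$" + "".join(out)

def new_hash(password: str) -> str:
    """Hash under a fresh random salt, so every call gives a different string."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return md5crypt(password.encode(), salt.encode())

def verify(password: str, stored: str) -> bool:
    """Re-hash with the salt embedded in the stored string and compare."""
    parts = stored.split("$")                 # ['', '1', salt, digest]
    if len(parts) != 4 or parts[1] != "1" or not stored.isascii():
        return False                          # e.g. a bare md5sum hex digest
    candidate = md5crypt(password.encode(), parts[2].encode())
    return hmac.compare_digest(candidate.encode(), stored.encode())

# Strings quoted in post #1 of the thread, each carrying its own salt
THREAD_HASHES = ["$1$nyMk1$VBJSB8bk/te5dUw4G84Z3.",
                 "$1$G8Nk1$QkEtA9YXJKh9oI/I.j7jN/",
                 "$1$nINk1$2jBs1k3Hhp5sN33dEostI1"]

if __name__ == "__main__":
    for stored in THREAD_HASHES:
        print(stored, verify("password", stored))
    print(hashlib.md5(b"password").hexdigest())   # unsalted, as md5sum computes it
```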
