1 .\" Michael Haardt (michael@cantor.informatik.rwth.aachen.de)
2 .\" Sat Sep 3 22:00:30 MET DST 1994
4 .\" %%%LICENSE_START(GPLv2+_DOC_FULL)
5 .\" This is free documentation; you can redistribute it and/or
6 .\" modify it under the terms of the GNU General Public License as
7 .\" published by the Free Software Foundation; either version 2 of
8 .\" the License, or (at your option) any later version.
10 .\" The GNU General Public License's references to "object code"
11 .\" and "executables" are to be interpreted as the output of any
12 .\" document formatting or typesetting system, including
13 .\" intermediate and printed output.
15 .\" This manual is distributed in the hope that it will be useful,
16 .\" but WITHOUT ANY WARRANTY; without even the implied warranty of
17 .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 .\" GNU General Public License for more details.
20 .\" You should have received a copy of the GNU General Public
21 .\" License along with this manual; if not, see
22 .\" <http://www.gnu.org/licenses/>.
25 .\" Sun Feb 19 21:32:25 1995, faith@cs.unc.edu edited details away
27 .\" TO DO: This manual page should go more into detail how DES is perturbed,
28 .\" which string will be encrypted, and what determines the repetition factor.
29 .\" Is a simple repetition using ECB used, or something more advanced? I hope
30 .\" the presented explanations are at least better than nothing, but by no
33 .\" added _XOPEN_SOURCE, aeb, 970705
34 .\" added GNU MD5 stuff, aeb, 011223
36 .TH CRYPT 3 2017-09-15 "" "Linux Programmer's Manual"
38 crypt, crypt_r \- password and data encryption
41 .BR "#define _XOPEN_SOURCE" " /* See feature_test_macros(7) */"
42 .B #include <unistd.h>
44 .BI "char *crypt(const char *" key ", const char *" salt );
46 .BR "#define _GNU_SOURCE" " /* See feature_test_macros(7) */"
49 .BI "char *crypt_r(const char *" key ", const char *" salt ,
50 .BI " struct crypt_data *" data );
53 Link with \fI\-lcrypt\fP.
56 is the password encryption function.
57 It is based on the Data Encryption
58 Standard algorithm with variations intended (among other things) to
59 discourage use of hardware implementations of a key search.
62 is a user's typed password.
65 is a two-character string chosen from the set
66 [\fBa\-zA\-Z0\-9./\fP].
67 This string is used to
68 perturb the algorithm in one of 4096 different ways.
70 By taking the lowest 7 bits of each of the first eight characters of the
72 a 56-bit key is obtained.
73 This 56-bit key is used to encrypt repeatedly a
74 constant string (usually a string consisting of all zeros).
76 value points to the encrypted password, a series of 13 printable ASCII
77 characters (the first two characters represent the salt itself).
78 The return value points to static data whose content is
79 overwritten by each call.
81 Warning: the key space consists of
84 equal 7.2e16 possible values.
85 Exhaustive searches of this key space are
86 possible using massively parallel computers.
89 is available which will search the portion of this key space that is
90 generally used by humans for passwords.
91 Hence, password selection should,
92 at minimum, avoid common words and names.
95 program that checks for crackable passwords during the selection process is
98 The DES algorithm itself has a few quirks which make the use of the
100 interface a very poor choice for anything other than password
102 If you are planning on using the
104 interface for a cryptography project, don't do it: get a good book on
105 encryption and one of the widely available DES libraries.
108 is a reentrant version of
110 The structure pointed to by
112 is used to store result data and bookkeeping information.
113 Other than allocating it,
114 the only thing that the caller should do with this structure is to set
116 to zero before the first call to
119 On success, a pointer to the encrypted password is returned.
120 On error, NULL is returned.
125 has the wrong format.
130 function was not implemented, probably because of U.S.A. export restrictions.
131 .\" This level of detail is not necessary in this man page. . .
133 .\" When encrypting a plain text P using DES with the key K results in the
134 .\" encrypted text C, then the complementary plain text P' being encrypted
135 .\" using the complementary key K' will result in the complementary encrypted
138 .\" Weak keys are keys which stay invariant under the DES key transformation.
139 .\" The four known weak keys 0101010101010101, fefefefefefefefe,
140 .\" 1f1f1f1f0e0e0e0e and e0e0e0e0f1f1f1f1 must be avoided.
142 .\" There are six known half weak key pairs, which keys lead to the same
143 .\" encrypted data. Keys which are part of such key clusters should be
145 .\" Sorry, I could not find out what they are.
148 .\" Heavily redundant data causes trouble with DES encryption, when used in the
154 .\" interface should be used only for its intended purpose of password
155 .\" verification, and should not be used as part of a data encryption tool.
157 .\" The first and last three output bits of the fourth S-box can be
158 .\" represented as function of their input bits. Empiric studies have
159 .\" shown that S-boxes partially compute the same output for similar input.
160 .\" It is suspected that this may contain a back door which could allow the
161 .\" NSA to decrypt DES encrypted data.
163 .\" Making encrypted data computed using crypt() publicly available has
164 .\" to be considered insecure for the given reasons.
167 .I /proc/sys/crypto/fips_enabled
169 and an attempt was made to use a weak encryption type, such as DES.
171 For an explanation of the terms used in this section, see
177 Interface Attribute Value
180 T} Thread safety MT-Unsafe race:crypt
183 T} Thread safety MT-Safe
187 POSIX.1-2001, POSIX.1-2008, SVr4, 4.3BSD.
191 .SS Availability in glibc
197 functions are part of the POSIX.1-2008 XSI Options Group for Encryption
199 If the interfaces are not available then the symbolic constant
201 is either not defined or defined to -1, and can be checked at runtime with
203 This may be the case if the downstream distribution has switched from glibc
205 When recompiling applications in such distributions the
208 is not available and include crypt.h for the function prototypes;
210 libxcrypt is a ABI compatible drop-in replacement.
211 .SS Features in glibc
212 The glibc version of this function supports additional
213 encryption algorithms.
217 is a character string starting with the characters "$\fIid\fP$"
218 followed by a string optionally terminated by "$",
219 then the result has the form:
222 $\fIid\fP$\fIsalt\fP$\fIencrypted\fP
226 identifies the encryption method used instead of DES and this
227 then determines how the rest of the password string is interpreted.
228 The following values of
237 2a | Blowfish (not in mainline glibc; added in some
238 | Linux distributions)
239 .\" openSUSE has Blowfish, but AFAICS, this option is not supported
240 .\" natively by glibc -- mtk, Jul 08
243 .\" glibc doesn't appear to natively support Sun MD5; I don't know
244 .\" if any distros add the support.
245 5 | SHA-256 (since glibc 2.7)
246 6 | SHA-512 (since glibc 2.7)
250 Thus, $5$\fIsalt\fP$\fIencrypted\fP and $6$\fIsalt\fP$\fIencrypted\fP
251 contain the password encrypted with, respectively, functions
252 based on SHA-256 and SHA-512.
254 "\fIsalt\fP" stands for the up to 16 characters
255 following "$\fIid\fP$" in the salt.
256 The "\fIencrypted\fP"
257 part of the password string is the actual computed password.
258 The size of this string is fixed:
262 SHA-256 | 43 characters
263 SHA-512 | 86 characters
266 The characters in "\fIsalt\fP" and "\fIencrypted\fP" are drawn from the set
267 [\fBa\-zA\-Z0\-9./\fP].
268 In the MD5 and SHA implementations the entire
270 is significant (instead of only the first
274 .\" glibc commit 9425cb9eea6a62fc21d99aafe8a60f752b934b05
275 the SHA-256 and SHA-512 implementations support a user-supplied number of
276 hashing rounds, defaulting to 5000.
277 If the "$\fIid\fP$" characters in the salt are
278 followed by "rounds=\fIxxx\fP$", where \fIxxx\fP is an integer, then the
282 $\fIid\fP$\fIrounds=yyy\fP$\fIsalt\fP$\fIencrypted\fP
285 where \fIyyy\fP is the number of hashing rounds actually used.
286 The number of rounds actually used is 1000 if
291 is greater than 999999999, and