From: SMTP%"RELAY-INFO-VAX@CRVAX.SRI.COM" 31-JAN-1994 09:00:31.05 To: EVERHART CC: Subj: RE: Password hashing algorithm Message-Id: <9401290236.AA19605@uu3.psi.com> Date: Fri, 28 Jan 94 21:36:48 EDT From: Jerry Leichter To: INFO-VAX@SRI.COM Subject: RE: Password hashing algorithm X-Vms-Mail-To: UUCP%"ewilts@vmsmail.gov.bc.ca" I'm looking for documentation on a one-way password-hashing algorithm. We're using a product now for which the password can be decrypted and I'd like to point the vendor at a one-way encryption method. Is VMS's Purdy algorithm documented anywhere? There's a reference in the listings (which I don't have handy) to an article that appeared many years ago in, I think, the Communications of the ACM. I'm sure someone will be able to dig up the reference. The Unix password hashing algorithm is based on variants of DES - the "salt" value perturbs the DES encryption tables. I don't recall ever seeing the exact techniques in print, though they are widely known, as Unix-style pass- word hashing has been re-implemented in several free Unix implementations. A technique I saw proposed many years ago, but never really fully analyzed, works as follows. Choose two functions p0(x) and p1(x). Both functions should map 32-bit (say) integers to themselves, and should be close to 1-1 functions over that range. The functions must NOT commute (i.e., in general we must have p0(p1(x)) != p1(p0(x))) or obey any other simple relations. A possible choice is p0(x) = 3x + 1 (ignoring overflows) and p1(x) = (x ROT 5) XOR hex 30303030, where "ROT 5" rotates the bits in x 5 positions to the right. If the input key is k, written out as bits k31 k30 ... k0, then define h(k) = pk31(pk30( ... (pk0(k))...) where pk31 means p0 if k31=0, p1 if k31=1. Of course, reducing k to only 32 bits makes brute-force attacks too easy. If k is, say, 64 bits - a common size for this kind of work - you can split it into two 32 bit halves, then do the same thing on both halves side by side, XOR'ing the value on the right side into the left every couple of rounds, and the value on the left into the right similarly. Almost any hash function you define this way should be proof against even a fairly sophisticated attack. (Whether it will survive someone who really applies some mathematics to it, I couldn't say. How important is this all to you?) I should add that this routine will not be running on VMS (it will be Mac-based) so that I can't call $HASH_PASSWORD. -- Jerry