======================================================================= :class:`passlib.hash.bigcrypt` - BigCrypt ======================================================================= .. include:: ../_fragments/trivial_hash_warning.rst .. currentmodule:: passlib.hash This class implements BigCrypt (a modified version of DES-Crypt) commonly found on HP-UX, Digital Unix, and OSF/1. The main difference between it and :class:`~passlib.hash.des_crypt` is that BigCrypt uses all the characters of a password, not just the first 8, and has a variable length hash. .. seealso:: :ref:`password hash usage ` -- for examples of how to use this class via the common hash interface. Interface ========= .. autoclass:: bigcrypt() Format ====== An example hash (of the string ``passphrase``) is ``S/8NbAAlzbYO66hAa9XZyWy2``. A bigcrypt hash string has the format :samp:`{salt}{checksum_1}{checksum_2...}{checksum_n}` for some integer :samp:`{n}>0`, where: * :samp:`{salt}` is the salt, stored as a 2 character :data:`hash64 `-encoded 12-bit integer (``S/`` in the example). * each :samp:`{checksum_i}` is a separate checksum, stored as an 11 character :data:`hash64-big `-encoded 64-bit integer (``8NbAAlzbYO6`` and ``6hAa9XZyWy2`` in the example). * the integer :samp:`n` (the number of checksums) is determined by the formula :samp:`{n}=min(1, (len({secret})+7)//8)`. .. note:: This hash format lacks any magic prefix that can be used to unambiguously identify it. Out of context, certain :class:`!bigcrypt` hashes may be confused with that of two other algorithms: * :class:`des_crypt` - BigCrypt hashes of passwords with < 8 characters are exactly the same as the Des-Crypt hash of the same password. * :class:`crypt16` - BigCrypt hashes of passwords with 9 to 16 characters have the same size and character set as Crypt-16 hashes; though the actual algorithms are different. .. rst-class:: html-toggle Algorithm ========= The bigcrypt algorithm is designed to re-use the original des-crypt algorithm: 1. Given a password string and a salt string. 2. The password is NULL padded at the end to the smallest non-zero multiple of 8 bytes. 3. The lower 7 bits of the first 8 characters of the password are used to form a 56-bit integer; with the first character providing the most significant 7 bits, and the 8th character providing the least significant 7 bits. 4. The 2 character salt string is decoded to a 12-bit integer salt value; The salt string uses little-endian :data:`hash64 ` encoding. 5. 25 repeated rounds of modified DES encryption are performed; starting with a null input block, and using the 56-bit integer from step 3 as the DES key. The salt is used to to mutate the normal DES encrypt operation by swapping bits :samp:`{i}` and :samp:`{i}+24` in the DES E-Box output if and only if bit :samp:`{i}` is set in the salt value. 6. The 64-bit result of the last round of step 5 is then lsb-padded with 2 zero bits. 7. The resulting 66-bit integer is encoded in big-endian order using the :data:`hash64-big ` format. This forms the first checksum segment. 8. For each additional block of 8 bytes in the padded password (from step 2), an additional checksum is generated by repeating steps 3..7, with the following changes: a. Step 3 uses the specified 8 bytes of the password, instead of the first 8 bytes. b. Step 4 uses the first two characters from the previous checksum as the salt for the next checksum. 9. The final checksum string is the concatenation of the checksum segments generated from steps 7 and 8, in order. .. note:: Because of the chained structure, bigcrypt has the property that the first 13 characters of any bigcrypt hash form a valid :class:`~passlib.hash.des_crypt` hash of the same password; and bigcrypt hashes of any passwords less than 9 characters will be identical to des-crypt. Security Issues =============== BigCrypt is dangerously flawed: * It suffers from all the flaws of :class:`~passlib.hash.des_crypt`. * Since each checksum component in its hash is essentially a separate des-crypt checksum, they can be attacked in parallel. * It reveals information about the length of the encoded password (to within 8 characters), further reducing the keyspace that needs to be searched for each of the individual segments. * The last checksum typically contains only a few characters of the passphrase, and once cracked, can be used to narrow the overall keyspace. Deviations ========== This implementation of bigcrypt differs from others in two ways: * Maximum Password Size: This implementation currently accepts arbitrarily large passwords, producing arbitrarily large hashes. Other implementation have various limits on maximum password length (commonly, 128 chars), and discard the remaining part of the password. Thus, while Passlib should be able to verify all existing bigcrypt hashes, other systems may require hashes generated by Passlib to be truncated to their specific maximum length. * Unicode Policy: The original bigcrypt algorithm was designed for 7-bit ``us-ascii`` encoding only (as evidenced by the fact that it discards the 8th bit of all password bytes). In order to provide support for unicode strings, Passlib will encode unicode passwords using ``utf-8`` before running them through bigcrypt. If a different encoding is desired by an application, the password should be encoded before handing it to Passlib. .. rubric:: Footnotes .. [#] discussion of bigcrypt & crypt16 - ``_