man crypt (Nouveau) - Procedures to generate/check 3DES/MD5 passwords
NAME
crypt - Procedures to generate/check 3DES/MD5 passwords
SYNOPSIS
- package require Tcl 8
- package require crypt ?1.0?
- ::crypt::random seed number|channelId
- ::crypt::random get ?min max?
- ::crypt::random salt des|md5
- ::crypt::password password salt|encryptedPassword
DESCRIPTION
This package provides functions to generate and check the 3DES/MD5 passwords often used in UN*X environments. It includes a pseudo-random generator for "salting" the generated passwords, that is, making them partly random.
- ::crypt::random seed number|channelId
- Sets the random seed to number, if a number is given. Otherwise, the given argument is treated as a channel name from which random data can be read. The file behind the channel should be entropy-driven, e.g. a device node leading to a hardware random generator or the like. One may use /dev/random on systems that provide it. The amount of data read is determined by the system's requirements for random seeds and is often 4 to 8 bytes. Important: The call blocks if there is no data to read. In the case of /dev/random, this means there is no entropy left to generate truly random numbers; simply move the mouse to get some randomness into the computer. Never use another pseudo-random generator like /dev/urandom as seed input! Also never use a constant as seed! This "seed" function should be called regularly in your program, depending on how often you generate a random number/salt value. It is good advice to "re-seed" the random generator after every thousand "salts" produced. If you ignore this notice, the resulting "salts" are only pseudo-random and predictable, and the resulting passwords are weak.
- ::crypt::random get ?min max?
- Get a random value from within the given range (min is included, max is not included). Either both parameters or neither must be given, and both must be integers between 0 and RAND_MAX. RAND_MAX is defined by the system; 0 and RAND_MAX are the defaults for min and max if no values are given. Notice: You have to "seed" the random generator before using it. See ::crypt::random seed.
- ::crypt::random salt des|md5
- Generate a salt value for 3DES/MD5 passwords. This value can be used to generate a new password. Notice: You have to "seed" the random generator before using it. See ::crypt::random seed.
- ::crypt::password password salt|encryptedPassword
- Encrypt or check a password. The given clear text password is encrypted with the given salt. If an encryptedPassword is given instead of a plain "salt", the salt is extracted from the encryptedPassword and the clear text password is encrypted with that "salt". The latter case can be used to check a clear text password against a given encrypted one: just check afterwards whether the result is identical to the encryptedPassword. Notice: It is not possible to decrypt the encryptedPassword. This is intentional and due to the 3DES/MD5 algorithm that was used to encrypt it in the first place. That means you can only check whether a password is correct if you already know it, but it's impossible to guess it from the encrypted form.
EXAMPLES
- Set up the random generator:
    package require crypt
    # Seed from the entropy device; the call blocks until data is available.
    set fd [ open /dev/random r ]
    ::crypt::random seed $fd
    close $fd
- Encrypt a password given on stdin and check it:
    puts "Enter clear text password:"
    set ENCRYPTED_PASSWORD [ ::crypt::password [ gets stdin ] [ ::crypt::random salt md5 ] ]
    # Scroll the typed password off the screen.
    puts "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"
    puts "The encrypted password is $ENCRYPTED_PASSWORD."
    puts "Guess the clear text password:"
    # Compare as strings; == compares numerically when both values look like numbers.
    if { [ string equal [ ::crypt::password [ gets stdin ] $ENCRYPTED_PASSWORD ] $ENCRYPTED_PASSWORD ] } {
        puts "Correct."
    } else {
        puts "Wrong."
    }
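- Re-seed every thousand salts, as advised under ::crypt::random seed, and check passwords as described under ::crypt::password. This is an added example, not part of the original man page or the crypt package: the ::pwutil namespace, its procs and its variables are hypothetical names, and only the ::crypt::* calls come from this page.

```tcl
package require Tcl 8
package require crypt

# Hypothetical helper namespace (not part of the crypt package).
namespace eval ::pwutil {
    variable saltsSinceSeed 0           ;# salts produced since the last seed
    variable seeded 0                   ;# 1 once the generator has been seeded
    variable reseedEvery 1000           ;# interval advised in the DESCRIPTION
    variable entropySource /dev/random  ;# entropy-driven device, as the page requires
}

# Seed the generator from the entropy device; blocks until data is available.
proc ::pwutil::reseed {} {
    variable saltsSinceSeed
    variable seeded
    variable entropySource
    set fd [open $entropySource r]
    # Close the channel even if seeding fails.
    if {[catch {::crypt::random seed $fd} err]} {
        close $fd
        error "seeding from $entropySource failed: $err"
    }
    close $fd
    set saltsSinceSeed 0
    set seeded 1
}

# Return a fresh salt (type is des or md5), re-seeding first when due.
proc ::pwutil::salt {type} {
    variable saltsSinceSeed
    variable seeded
    variable reseedEvery
    if {!$seeded || $saltsSinceSeed >= $reseedEvery} {
        reseed
    }
    incr saltsSinceSeed
    return [::crypt::random salt $type]
}

# Encrypt a new password with a fresh MD5 salt.
proc ::pwutil::hash {clearText} {
    return [::crypt::password $clearText [salt md5]]
}

# Check a clear text password against a stored encrypted one.
proc ::pwutil::check {clearText encrypted} {
    # string equal, not ==: the operator compares numerically for number-like strings.
    return [string equal [::crypt::password $clearText $encrypted] $encrypted]
}
```

Store the result of ::pwutil::hash and later pass it with the candidate password to ::pwutil::check, which returns 1 on a match and 0 otherwise.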
KEYWORDS
encryption, password, random