
Purdue University

Identity and Access Management

Realm Encryption Types

Authentication passwords are not stored in clear-text form. Rather, they are encrypted, and only the encrypted form is stored. Later, when a user attempts to authenticate by password, the user-supplied password is re-encrypted by authcnetd, and the result compared with the previously encrypted password stored in the authentication DBM. The authentication DBM supports several standard encryption methods of varying cryptographic strength. Realms that wish to support their own encryption methods may do so by specifying an encryption type of NULL.

Encryption Type Characteristics:

  • A realm's encryption type is set in the realm configuration file.

  • Implementations of the encryption algorithms either use available operating system library functions (e.g., crypt(3c)) or are taken from public domain sources (e.g., the OpenSSL project).

  • Strength. Some encryption methods are inherently stronger than others. For instance, DES encryption can now be broken through "brute-force" methods if the attacker can get access to the encrypted text. Encrypted passwords are only stored internally in the authentication DBM, and there is no protocol mechanism to examine them. Many attackers use so-called dictionary attacks, i.e., they repeatedly guess passwords and test their guesses by attempting to authenticate, often using word lists from various dictionaries. Since some users choose weak passwords, dictionary attacks can be successful regardless of the strength of the encryption type. The authentication DBM provides some defenses against dictionary attacks.

Available Encryption Types:

  • NULL - Realms that want to implement their own encryption method may specify the NULL type. N.B.: When ETYPE is NULL, all encryption functions must be implemented in the clients of authcnetd. For all other encryption types, passwords are sent to authcnetd in clear-text, and all encryption is handled by authcnetd.

  • DES - UNIX crypt(3) encryption based on the 56-bit Data Encryption Standard (DES) algorithm.

  • LDES - "long" DES, used on Hewlett-Packard HP-UX systems. Passwords of up to 16 characters may be used.
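The verify-by-re-encryption flow described above, worked through for the DES etype, as an added example (this is not authcnetd's code, and the function and record names are assumptions). It binds to the system's crypt(3) and shows that a stored record contains only the crypt output, that a login attempt is checked by recomputing with the salt carried in that record, and that classic crypt(3) DES uses only the first eight characters of a password, which is the limit LDES raises to 16.

```python
import ctypes
import ctypes.util
import hmac


def _find_crypt3():
    """Return a callable (word, salt) -> str backed by the C library's crypt(3).

    Prefers the stdlib wrapper (removed in Python 3.13); otherwise binds
    libcrypt directly with ctypes.  Assumption: a DES-capable crypt(3) exists.
    """
    try:
        import crypt  # DeprecationWarning on 3.11/3.12, ImportError on 3.13+
        return crypt.crypt
    except ImportError:
        pass
    for name in (ctypes.util.find_library("crypt"), "libcrypt.so.1", None):
        try:
            fn = ctypes.CDLL(name).crypt
        except (OSError, AttributeError):
            continue
        fn.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
        fn.restype = ctypes.c_char_p
        return lambda word, salt: (fn(word.encode(), salt.encode()) or b"").decode()
    raise RuntimeError("no crypt(3) implementation available on this system")


_crypt3 = _find_crypt3()


def des_crypt(password: str, salt: str) -> str:
    """ETYPE DES: traditional crypt(3). Two-character salt, 56-bit DES key derived
    from the first eight characters of the password only (LDES extends this to 16)."""
    try:
        out = _crypt3(password, salt[:2])
    except OSError:
        out = None
    if not out or out.startswith("*"):  # some libxcrypt builds disable DES
        raise RuntimeError("DES crypt(3) is not supported by this libcrypt")
    return out


def store_des(password: str, salt: str) -> str:
    """What the authentication DBM record holds: the crypt output, never the password."""
    return des_crypt(password, salt)


def verify_des(stored: str, supplied: str) -> bool:
    """authcnetd-style check: re-encrypt the supplied password with the salt that
    leads the stored value and compare in constant time."""
    return hmac.compare_digest(des_crypt(supplied, stored[:2]), stored)
```

A realm on ETYPE DES therefore gains nothing from a password policy requiring more than eight characters, since characters beyond the eighth never reach the hash.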

Maintained by: IAMO Team

© 2010 - 2013 Purdue University