Realm Encryption Types
Authentication passwords are not stored in clear-text form. Rather, they are encrypted, and only the encrypted form is stored. Later, when a user attempts to authenticate by password, the user-supplied password is re-encrypted by authcnetd, and the result is compared with the previously encrypted password stored in the authentication DBM. The authentication DBM supports several standard encryption methods of varying cryptographic strength. Realms that wish to support their own encryption methods may do so by specifying an encryption type of NULL.
Encryption Type Characteristics:
- A realm's encryption type is set in the realm configuration file.
- Implementations of the encryption algorithms either use available operating system library functions (e.g., crypt(3c)) or are taken from public domain sources (e.g., the OpenSSL project).
- Strength. Some encryption methods are inherently stronger than others. For instance, DES encryption can now be broken through "brute-force" methods if the attacker can get access to the encrypted text. Encrypted passwords are only stored internally in the authentication DBM, and there is no protocol mechanism to examine them. Many attackers use so-called dictionary attacks, i.e., they repeatedly guess passwords and test their guesses by attempting to authenticate, often using word lists from various dictionaries. Since some users choose weak passwords, dictionary attacks can be successful regardless of the strength of the encryption type. The authentication DBM provides some defenses against dictionary attacks.
Available Encryption Types:
- NULL - Realms that want to implement their own encryption method may specify the NULL type. N.B.: When ETYPE is NULL, all encryption functions must be implemented in the clients of authcnetd. For all other encryption types, passwords are sent to authcnetd in clear-text, and all encryption is handled by authcnetd.
- DES - UNIX crypt(3) encryption based on the 56 bit Data Encryption Standard (DES) algorithm.
- LDES - "long" DES, used on Hewlett-Packard HP-UX systems. Up to 16 character passwords may be used.
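As an added illustration, not authcnetd's own code, the Python below models the re-encrypt-and-compare check described at the top of this page, dispatched on the realm's ETYPE as listed above (DES, LDES and NULL). The real crypt(3)/DES and HP-UX long-DES routines are replaced by a PBKDF2 stand-in so the example runs without libcrypt; the realm names, the REALM_ETYPE table, the stored-record layout ("ETYPE$salt$digest") and the sample passwords are constructed for the demonstration. The 8-character limit in the DES case reflects the fact that traditional DES crypt(3) uses only the first eight characters of a password, which is why the DES realm below accepts two passwords that share an 8-character prefix while the LDES realm tells them apart.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the per-realm configuration file: realm -> ETYPE.
REALM_ETYPE = {
    "EXAMPLE.REALM": "DES",   # crypt(3)-style DES
    "HPUX.REALM": "LDES",     # HP-UX "long" DES, up to 16 characters
    "CUSTOM.REALM": "NULL",   # realm supplies its own method in the client
}

# How many password characters each method consumes. Traditional DES
# crypt(3) really does use only the first 8; LDES accepts up to 16.
PASSWORD_LIMIT = {"DES": 8, "LDES": 16}


def encrypt_password(etype, password, salt=None):
    """Return the stored form of a clear-text password under ETYPE.

    Stand-in: PBKDF2-HMAC-SHA256 replaces the real DES-based crypt so the
    example runs anywhere. NULL realms never reach this function because
    authcnetd does no encryption for them.
    """
    if etype not in PASSWORD_LIMIT:
        raise ValueError(f"authcnetd does not encrypt for ETYPE {etype!r}")
    if salt is None:
        salt = secrets.token_hex(2)  # constructed: two bytes of salt, hex-encoded
    key = password[: PASSWORD_LIMIT[etype]].encode()
    digest = hashlib.pbkdf2_hmac("sha256", key, salt.encode(), 10_000).hex()
    return f"{etype}${salt}${digest}"


def verify_password(realm, stored, supplied):
    """Re-encrypt the supplied password and compare it with the stored record.

    For NULL realms the client has already applied the realm's own method, so
    the supplied value is compared as-is. The comparison is constant-time so a
    mismatch does not leak how many leading characters agreed.
    """
    etype = REALM_ETYPE[realm]
    if etype == "NULL":
        candidate = supplied
    else:
        stored_etype, salt, _ = stored.split("$")
        if stored_etype != etype:
            return False  # record was produced under a different ETYPE
        candidate = encrypt_password(etype, supplied, salt)
    return hmac.compare_digest(candidate.encode(), stored.encode())


if __name__ == "__main__":
    rec = encrypt_password("DES", "correct horse", "ab")
    print(verify_password("EXAMPLE.REALM", rec, "correct horse"))   # True
    print(verify_password("EXAMPLE.REALM", rec, "correct staple"))  # True: DES sees only "correct "
    rec16 = encrypt_password("LDES", "correct horse", "ab")
    print(verify_password("HPUX.REALM", rec16, "correct staple"))   # False: LDES sees 16 characters
```

The DES case is the one to note when reviewing a realm's configuration: any two passwords that agree in their first eight characters verify identically, so the effective search space an attacker faces is bounded by those eight characters whatever the user actually typed. Selecting LDES (or a realm-specific method under NULL) removes that particular truncation.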