|| ||Solar Designer <solar-AT-openwall.com>|
|| ||crypt_blowfish 1.0|
|| ||Tue, 7 Feb 2006 12:07:55 +0300|
This is to announce the first mature version of crypt_blowfish and the
minor security fix that this version adds.
crypt_blowfish is a public domain implementation of a modern password
hashing algorithm based on the Blowfish block cipher, provided via the
crypt(3) and a reentrant interface. It is compatible with bcrypt
(version 2a) by Niels Provos and David Mazieres, as used in OpenBSD.
The homepage for crypt_blowfish is:
The most important property of bcrypt (and thus crypt_blowfish) is that
it is adaptable to future processor performance improvements, allowing
you to arbitrarily increase the processing cost of checking a password
while still maintaining compatibility with your older password hashes.
Already now bcrypt hashes you would use are several orders of magnitude
stronger than traditional Unix DES-based or FreeBSD-style MD5-based
Besides providing a bcrypt implementation, the crypt_blowfish package
also includes a generic password hashing framework and hooks for
introducing this framework into the GNU C Library. The provided
functions include crypt_gensalt*(), a family of functions for generating
"salts" for use with common Unix password hashing methods (that is, not
only with bcrypt).
Marko Kreen has discovered and reported a minor security bug in
crypt_blowfish 0.4.7 and below. The bug affected the way salts for
BSDI-style extended DES-based and for FreeBSD-style MD5-based password
hashes were generated with the crypt_gensalt*() functions. It would
result in a higher than expected number of matching salts with large
numbers of password hashes of the affected types. crypt_gensalt*()'s
functionality for Blowfish-based (bcrypt) hashes that crypt_blowfish
itself implements and for traditional DES-based crypt(3) hashes was not
Since bcrypt hashes were not affected, default installs of
Openwall GNU/*/Linux (Owl) were never affected either. The specific
impact this could have on non-default installs of Owl is described in
the latest Owl-current change log entry for glibc:
Since Owl 2.0 is scheduled to be released really soon and since the bug
is minor, we are not planning a similar glibc update for Owl 1.1-stable.
Instead, the 1.1-stable branch will be obsoleted by the new release.
For those curious about the nature of the bug, it was unintended sign
extension on a typecast.
As this crypt_blowfish bug is my own, and as I was well aware of this
pitfall and avoided it in other places, I am very embarrassed about
this. I apologize to anyone who might be affected for the exposure and
inconvenience this causes.
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
to post comments)