Encryption vs hashing
Posted Mar 22, 2012 20:08 UTC (Thu) by anselm
In reply to: Encryption vs hashing
Parent article: Shadow hardening
Or they are using Blowfish in a different manner than I understood it to be used.
The original Unix CRYPT mechanism used DES (with a few minor tweaks), which like Blowfish is a symmetric cypher. The way this worked was that the user-provided password was used as the key to encrypt a constant (usually a vector of null bytes). The result was then encrypted again etc., for a total of 25 rounds (which on a PDP-11 took a reasonable amount of time). This is incidentally why Unix passwords used to be limited to 8 (7-bit) characters, which are just enough to make up a 56-bit DES key.
Blowfish-based password »encryption« operates along the same lines – it uses the password as the key, not the plaintext to be encrypted – but makes use of the password in a more complicated manner.
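The construction described in the comment above, as an added sketch that is not part of the original comment: the password is packed into a 56-bit key and used to encrypt an all-zero block 25 times. Python's standard library has no DES, so `standin_encrypt` is a labelled stand-in Feistel cipher and the output does not match real crypt(3); the salt tweak is left out, and all function names are hypothetical.

```python
import hashlib

ITERATIONS = 25  # the "total of 25 rounds" of encryption described above


def pack_key(password: bytes) -> bytes:
    """Build the 8-byte key: first 8 characters, low 7 bits of each.

    Each character is shifted left by one so its 7 bits sit above the
    per-byte parity bit that DES ignores; 8 x 7 = 56 key bits.
    """
    chars = password[:8].ljust(8, b"\0")
    return bytes((c << 1) & 0xFF for c in chars)


def standin_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit Feistel cipher (NOT DES), SHA-256 as round function."""
    left, right = block[:4], block[4:]
    for rnd in range(16):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left


def toy_crypt(password: bytes) -> str:
    """Password is the key; the plaintext is a constant block of null bytes."""
    key = pack_key(password)
    block = bytes(8)
    for _ in range(ITERATIONS):
        block = standin_encrypt(key, block)
    return block.hex()


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in (b"password", b"password1", b"password2", b"passwore"):
        print(pw.decode(), pack_key(pw).hex(), toy_crypt(pw))
```

Run stand-alone, the first three sample passwords print the same key and the same result, because everything past the eighth character never reaches the key.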