Difference between pages "AFF Development Task List" and "Operating System Password Encryption"

From ForensicsWiki

= AFF Development Task List =

== High Priority ==

* Create man pages and/or documentation for the AFF toolkit. To wit:
* [[aimage]]
* [[ident]]
* [[afcat]]
* [[afcompare]]
* [[afconvert]]
* [[affix]]
* [[affuse]]
* [[afinfo]]
* [[afstats]]
* [[afxml]]
* [[afsegment]]

* Create man pages and/or documentation for AFF library functions (e.g. <tt>af_open</tt>, <tt>af_get_imagesize</tt>).

* Build the library as a shared library using libtool. This will allow developers using the library to just link to the AFF. Without it, developers must link to the static library and the individual libraries necessary <em>on that machine</em>. There is no good way to determine those extra libraries.

* Document that <tt>af_write</tt> may not be called without first setting the <tt>image_pagesize</tt> value inside of the <tt>AFFILE</tt> structure. Not doing so causes a divide by zero error. Perhaps we should 1. Check that <tt>image_pagesize</tt> is not zero and 2. Set <tt>image_pagesize</tt> to a known good default value when opening a new AFF file for writing.

== Medium Priority ==

* How about renaming the library to libaff? That would allow developers to link with <tt>-laff</tt> instead of <tt>-lafflib</tt>. To my knowledge, there is no existing library named AFF already.

* Is there a set of segment names that must be defined to have a ''valid'' AFF file?

* Document that <tt>af_open</tt> (when writing a file) does more than a standard <tt>fopen</tt> command. The command writes an AFF stub of some kind to the output file. Users should be cautioned not to use this function as a test, lest they overwrite data.

* Does <tt>af_open</tt> refuse to open a file for writing if it already exists? If so, what kind of error does it return?

* Document how to programmatically enumerate all segments and values in a file. That is, explain how to get the output of <tt>$ afinfo -a</tt>.

== Low Priority ==

* Add a library function to open standard input. Perhaps:

<pre>AFFILE * af_open_stdin(void);</pre>

= Operating System Password Encryption =

Revision as of 05:58, 19 June 2008

==Unix/Linux Password File==

Unix and its various clones have traditionally used the /etc/passwd file to store user account information, including passwords. Because /etc/passwd needs to be world-readable in order for utilities such as `ls` and `finger` to work, modern Unix operating systems store the encrypted passwords in a 'shadow' file named /etc/shadow.

{| class="wikitable" border="1"
|-
!Username
|The user's username
|-
!Password
|Older Unixes store the password crypt here; more modern ones use an 'x' character to denote that a shadow file is in use.
|-
!UID
|The numeric user ID of the user
|-
!GID
|The primary numeric group ID of the user
|-
!GECOS Field
|This is a text field which may contain information about the user such as name and contact details
|-
!Home directory
|The user's home directory
|-
!Shell
|The user's Unix shell
|}

<pre>
user1:x:600:600:User 1:/home/user1:/bin/bash
user2:x:601:601:User 2:/home/user2:/bin/bash
admin:x:602:602:Admin Account:/home/admin:/bin/bash
apache:x:603:603:Apache HTTP User:/var/www:/bin/bash
someguy:x:604:604:Someguy:/home/someguy:/bin/bash
</pre>

The password is stored as an encrypted one-way hash of the original password. When a user attempts to authenticate, the supplied password is encrypted using the same algorithm and the result is compared to the stored password crypt.

===Unix Crypt===

The most commonly used password encryption in Unix for many years was crypt(). The Unix crypt command can be used to generate the Unix crypt value for a given string.

<pre>
jim@localhost ~
$ crypt hello
S84xRArsM.gtk
</pre>

In modern computing Unix crypt is severely limited. Passwords are restricted to 8 characters, and any trailing characters are ignored. This puts brute force attacks on Unix crypts well within the realms of possibility.

<pre>
jim@localhost ~
$ crypt xx hellohel
xxiHMKqoMTDuc

jim@localhost ~
$ crypt xx hellohello
xxiHMKqoMTDuc
</pre>
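The following Python is an added example and not code from the ForensicsWiki page. It parses the seven-field passwd format described above, classifies what each password field holds (the 'x' shadow marker, an unshadowed traditional crypt, a modular-crypt hash, an empty or locked field), and its `traditional_crypt_key` helper reproduces the key-material rule behind the identical crypt values in the listing above: only the first 8 characters, and only the low 7 bits of each, reach the DES key. The sample records beyond the page's five accounts, and all function names, are constructed for this example.

```python
"""Parse /etc/passwd-style records and audit the password field.

Added example, not part of the ForensicsWiki page. The records below are
constructed: the page's five shadowed accounts plus hand-made variants that
exercise the classifier.
"""
import re
from dataclasses import dataclass

SAMPLE_PASSWD = """\
user1:x:600:600:User 1:/home/user1:/bin/bash
user2:x:601:601:User 2:/home/user2:/bin/bash
admin:x:602:602:Admin Account:/home/admin:/bin/bash
apache:x:603:603:Apache HTTP User:/var/www:/bin/bash
someguy:x:604:604:Someguy:/home/someguy:/bin/bash
legacy:xxiHMKqoMTDuc:605:605:Old-style crypt in passwd:/home/legacy:/bin/sh
md5user:$1$saltsalt$zzzzzzzzzzzzzzzzzzzzzz:606:606::/home/md5user:/bin/sh
nopass::607:607:Empty password field:/home/nopass:/bin/sh
locked:!:608:608:Locked:/home/locked:/usr/sbin/nologin
"""


@dataclass
class PasswdEntry:
    username: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Split each non-empty, non-comment line into the seven passwd fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        entries.append(PasswdEntry(fields[0], fields[1], int(fields[2]),
                                   int(fields[3]), fields[4], fields[5], fields[6]))
    return entries


# Traditional DES crypt output: 2-char salt + 11 chars, alphabet [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format identifiers ($id$salt$hash).
MCF_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}


def classify_password_field(value):
    """Name what the password field holds, so an auditor can spot weak storage."""
    if value == "x":
        return "shadowed"          # real hash lives in /etc/shadow
    if value == "":
        return "empty"             # no password required at all
    if value == "*" or value.startswith("!"):
        return "locked"
    if value.startswith("$"):
        return MCF_IDS.get(value.split("$")[1], "unknown-modular")
    if DES_CRYPT_RE.match(value):
        return "des-crypt"         # unshadowed traditional crypt(3)
    return "unknown"


def traditional_crypt_key(password):
    """Key material traditional crypt(3) actually uses: the first 8 characters,
    low 7 bits of each, zero-padded to 8 bytes. Anything past 8 characters is
    ignored, which is why 'hellohel' and 'hellohello' share one crypt value."""
    key = bytes(ord(c) & 0x7F for c in password[:8])
    return key.ljust(8, b"\0")


def audit(text):
    """Map username -> classification for every record in the file."""
    return {e.username: classify_password_field(e.password) for e in parse_passwd(text)}


def weak_accounts(text):
    """Usernames whose password field is empty, unshadowed DES crypt, or md5crypt."""
    return sorted(u for u, kind in audit(text).items()
                  if kind in ("empty", "des-crypt", "md5crypt"))


if __name__ == "__main__":
    for user, kind in audit(SAMPLE_PASSWD).items():
        print(f"{user:10} {kind}")
    print("needs attention:", weak_accounts(SAMPLE_PASSWD))
```

On a real system the same parser applies to /etc/shadow, whose first two fields (name and hash) share this layout; the point of the classifier is to find accounts whose hash is still stored in the world-readable passwd file, is empty, or uses an algorithm with the 8-character limit described above.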

===Salts===

Unix passwords usually use what is known as a salt to help make pre-computation of password hashes more difficult.
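The following Python is an added example and not from the ForensicsWiki page. It shows the salt idea in the paragraph above: without a salt, two users with the same password get the same stored hash and one precomputed table serves every account; with a salt stored in the clear beside the hash (as crypt does), the same password yields different hashes and a table built for unsalted hashes recovers nothing. It uses SHA-256 from hashlib purely for illustration rather than the DES crypt the page discusses; the toy wordlist, the fixed salts "xx" and "yy", and all function names are constructed for this example. `crypt_salt_space` goes slightly beyond the page by computing the size of traditional crypt's 2-character salt space from its 64-character alphabet.

```python
"""Why a salt defeats precomputed hash tables.

Added example, not part of the ForensicsWiki page. SHA-256 stands in for the
hash function; the principle is the same for crypt(3) and its 2-char salt.
"""
import hashlib
import hmac
import secrets

# Constructed toy wordlist standing in for a precomputed table of guesses.
WORDLIST = ["hello", "password", "letmein", "hellohel"]

# Traditional crypt salts are 2 characters drawn from [./0-9A-Za-z].
CRYPT_SALT_ALPHABET_SIZE = 64


def crypt_salt_space(salt_chars=2):
    """How many distinct tables an attacker would need: one per possible salt."""
    return CRYPT_SALT_ALPHABET_SIZE ** salt_chars


def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    """Store as salt$hash, mirroring how crypt keeps the salt in the clear."""
    digest = hashlib.sha256(salt.encode() + password.encode()).hexdigest()
    return f"{salt}${digest}"


def new_salt(nbytes=8):
    """A fresh random salt per account; 16 hex characters here."""
    return secrets.token_hex(nbytes)


def verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt, _ = stored.split("$", 1)
    return hmac.compare_digest(salted_hash(password, salt), stored)


def precomputed_table(words):
    """One unsalted table serves every unsalted account on every system."""
    return {unsalted_hash(w): w for w in words}


def lookup_unsalted(stored_hash, table):
    return table.get(stored_hash)


def lookup_salted(stored, table):
    """The digest was computed over salt+password, so it is not in a table
    built over passwords alone; each salt would need its own table."""
    _, digest = stored.split("$", 1)
    return table.get(digest)


def demo():
    """Compare two users who chose the same password, with and without salt."""
    table = precomputed_table(WORDLIST)
    alice_plain, bob_plain = unsalted_hash("hello"), unsalted_hash("hello")
    alice_salted = salted_hash("hello", "xx")   # fixed salts keep the demo reproducible
    bob_salted = salted_hash("hello", "yy")
    return {
        "unsalted_identical": alice_plain == bob_plain,
        "salted_identical": alice_salted == bob_salted,
        "unsalted_recovered": lookup_unsalted(alice_plain, table),
        "salted_recovered": lookup_salted(alice_salted, table),
        "verify_ok": verify("hello", alice_salted),
        "verify_wrong": verify("hellp", alice_salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value}")
    print("tables needed for 2-char crypt salt:", crypt_salt_space())
```

The stored format here (salt, separator, digest) is the shape that later modular crypt schemes such as the MD5 and SHA variants also use, which is why a verifier never needs a secret to check a password: the salt is public, and only the one-way property of the hash protects the original.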

===MD5/SHA1===

NIS