Cryptography has been in use since ancient times, and war has played a big role in advancing the discipline. One of the best-known encryption and decryption algorithms was used by Julius Caesar in his private correspondence. Encryption was done simply by shifting each letter three places down the alphabet, so A is converted to D, B to E, Z to C and so on. Only the receiver of the letter knows the shift number. In addition, the first computer in the world, which was the size of a big room, was invented in Manchester, England solely to break the German Enigma code. The existence of this computer was top secret.

In this article I will explain the use of encryption, decryption, encoding/hashing and salt in Linux-based systems. First, let us define the following terms:

Encryption: the conversion of plain text into a form called ciphertext, using a predefined key, so that it can only be understood by authorized recipients.

Decryption: the opposite of encryption; it involves the conversion of ciphertext back to plain text by using a predefined key.

Hashing/encoding: a one-way encryption of a string to a fixed-length ciphertext by using a key. It has no means of decryption and is usually broken by comparison, using rainbow tables, dictionary attacks or brute force.

Rainbow tables: a rainbow table is a pre-computed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering the plaintext password, up to a certain length and consisting of a limited set of characters. It is a form of time-memory tradeoff, using less CPU at the cost of more storage. Proper key derivation functions employ a salt to make this attack infeasible. This method has become very popular for breaking hashes because memory is cheap nowadays. But, as mentioned, the use of a salt makes the hash harder to break.

Salt: a random string of data generated from the characters [a-z], [A-Z] and [0-9./]. It is combined with the password when hashing to avoid password collisions (two users who have selected the same password) and it prevents the attacker from testing known dictionary words.

In early Linux systems passwords used to be stored in /etc/passwd in the following form:
username:passwd:UID:GID:full_name:directory:shell
For example:

amin:Tlrhswopljjan:503:100:amin salim:/home/amin:/bin/sh


The /etc/passwd file is globally readable because it contains information, such as the user ID and group ID, that many system programs require. That makes it very vulnerable to attackers, especially those who use dictionary attacks and include the 4096 possible outcomes when using only 128 bit for salting.

Fortunately, newer Linux systems store the password in /etc/shadow, which is readable only by the root user. This way the attacker does not have access to the encoded password, so dictionary attacks and rainbow table comparison are not feasible. The information is stored in the following form:

amin:$6$.R/mk/Uv$7b.9w/5W4exX3kGRPR5gC63fPEqgzEKyBRXogMJ.WANpszWvcB4z..PHDL3M4FXnBjlzpQJYzHXw92HUtwm3Y0:14703:0:99999:7:::

Earlier Linux systems used 1 between the first and second dollar signs to represent the hashing algorithm, followed by letters, signs and numbers between the second and third dollar signs to represent the salt. What comes after the third dollar sign is the hash of the combined salt and password. The $1$ is a reference to the md5 hashing algorithm, which outputs a fixed 24 characters and is no longer used in new systems as it is now considered broken. Currently $6$ is used as a reference to the SHA-512 hashing algorithm, which outputs a fixed 86 characters. The size of md5 is 128 bits and the size of SHA-512 is 512 bits. SHA-512 therefore has many more possible outputs, so a much bigger rainbow table is needed, and dictionary attacks take much more computational time even if parallel computers are used for cracking.

One of the problems that may arise is hash collision when using a hashing function that has a small range (e.g. crc32('supersecretpassword') and crc32('MTIxMjY5MTAwNg==') will output the same hash, which is 323322056)[1]. Another problem that may arise is the vulnerability to rainbow tables, and this can be solved by using a unique salt for every password. A good source for the unique salt is the user ID.

makepasswd is a useful tool for Linux administrators. You can play around with it to understand how Linux creates and saves passwords. To install this tool, open a terminal and type the following:
$sudo apt-get install makepasswd

To generate random md5 passwords type:

$makepasswd --crypt-md5




To generate random SHA-512 passwords type:

$mkpasswd -m sha-512



To compare your stored hash with the actual password and salt, do the following.
First find your salt by typing:

$sudo gedit /etc/shadow



Then scroll down until you find your username. Copy the salt and type the following:

$mkpasswd -m sha-512 abdfr HYZPGsUq



Where abdfr is the actual password for that user and HYZPGsUq is the salt copied from the shadow file. The outcome of this command will be the hash that you find after the third dollar sign in the row that starts with the same username.

It is possible to use the 'mkpasswd' command in a variety of ways to get different outcomes by using particular arguments. Type:

$man makepasswd



Linux handles password verification at login by retrieving only the salt from the shadow file and adding it to the password that the user enters. The hashing function is then used to encode the salt and the provided password, and the result is compared with the hash in the shadow file; if they match, the user can log in.
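The login check described above, as an added example that is not part of the original article: a pure-Python version of the $6$ SHA-512 crypt scheme at its default 5000 rounds (on a real system the C library's crypt(3) does this work), plus a parser and verifier for one shadow line. The names parse_shadow and verify and the sample entry are constructed for illustration, and entries carrying a rounds= field are assumed not to occur.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def sha512_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """SHA-512 crypt ($6$) at the default 5000 rounds; returns the 86-char hash."""
    pw, s = password.encode(), salt.encode()[:16]
    n = len(pw)
    b = hashlib.sha512(pw + s + pw).digest()
    a = hashlib.sha512(pw + s + (b * (n // 64 + 1))[:n])
    i = n
    while i:  # one update per bit of the password length
        a.update(b if i & 1 else pw)
        i >>= 1
    c = a.digest()
    p = (hashlib.sha512(pw * n).digest() * (n // 64 + 1))[:n]
    sq = hashlib.sha512(s * (16 + c[0])).digest()[:len(s)]
    for r in range(rounds):  # key stretching: every round re-mixes password and salt
        h = hashlib.sha512(p if r & 1 else c)
        if r % 3:
            h.update(sq)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    out = []
    for k in range(21):  # crypt's own byte order and base64 alphabet
        t = [c[k], c[k + 21], c[k + 42]]
        t = t[k % 3:] + t[:k % 3]
        w = (t[0] << 16) | (t[1] << 8) | t[2]
        out += [ITOA64[(w >> (6 * j)) & 63] for j in range(4)]
    return "".join(out) + ITOA64[c[63] & 63] + ITOA64[c[63] >> 6]

def parse_shadow(line: str) -> dict:
    """Split a shadow line of the form user:$id$salt$hash:... (no rounds= field)."""
    user, field = line.split(":")[:2]
    _, scheme, salt, digest = field.split("$")
    return {"user": user, "id": scheme, "salt": salt, "hash": digest}

def verify(line: str, candidate: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    entry = parse_shadow(line)
    if entry["id"] != "6":
        raise ValueError("this example only handles $6$ (SHA-512) entries")
    return hmac.compare_digest(sha512_crypt(candidate, entry["salt"]), entry["hash"])

# Constructed sample entry: user "demo", with the article's password "abdfr" and salt "HYZPGsUq".
SAMPLE = "demo:$6$HYZPGsUq$" + sha512_crypt("abdfr", "HYZPGsUq") + ":14703:0:99999:7:::"
```

Calling verify(SAMPLE, "abdfr") returns True and any other candidate returns False; the same password hashed under a different salt gives an unrelated 86-character string, which is why a table pre-computed without the salt does not match.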

Encrypting the home folder

To encrypt the home folder we need to install the ecryptfs-utils command-line utility first. Open a terminal and type the following:

$sudo apt-get install ecryptfs-utils



Once installed type the following:

$sudo ecryptfs-migrate-home -u <username>



Replace <username> with the username of the user whose home folder you want to encrypt. Then log out and log in to that user's account. A message will appear and you should click on 'Run this action now'. A pass-phrase will then be generated (for decryption); copy it and keep it in a safe place. If you ever lose your pass-phrase, type the following command to recover it:

$ecryptfs-unwrap-passphrase



And enter the login password.


[1] This example is from (http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/)


Author Profile

My name is Amin Salim and I am Sudanese, born in Kuwait. I hold a degree in Information Systems (BSC) from the University of Leeds. I have worked as a research assistant for a local expertise and consultancy firm called (SUDEXAM). Then I travelled to Sierra Leone and worked for the project development unit as an Information Systems engineer. My role was doing the financial analysis and the whole editing for the feasibility studies and providing technical support. I am flexible, and a good team player, as realized from conducting feasibility studies with people from different backgrounds and qualifications. Afterwards I came back to Sudan and worked as a self-employed software engineer and have developed a system by myself from scratch for a charity eye-hospital. The system functionality was to keep track of stock and sales (written in Java). I am a very versatile individual, as proven from working on different disciplines, and always looking to improve my skills.



