Hello,
I had a problem with str.crypt - I got the same result every time. The
problem is that this method only uses the first 8 characters of the
string:
irb(main):022:0> "1234567".crypt('aa')
=> "aaOK9MRbwVNmQ"
irb(main):023:0> "12345678".crypt('aa')
=> "aaNN3X.PL2piw"
irb(main):024:0> "123456789".crypt('aa')
=> "aaNN3X.PL2piw"
If it is a feature and not a bug, it should not be an undocumented feature.
ruby-doc.org doesn't tell me about this behaviour.
Have a nice day,
Patrick
----- Original Message -----
From: Patrick P.
Date: Tuesday, December 5, 2006 2:09 pm
Subject: String#crypt first 8 characters
To: [email protected] (ruby-talk ML)
>
> irb(main):022:0> "1234567".crypt('aa')
> => "aaOK9MRbwVNmQ"
> irb(main):023:0> "12345678".crypt('aa')
> => "aaNN3X.PL2piw"
> irb(main):024:0> "123456789".crypt('aa')
> => "aaNN3X.PL2piw"
>
> If it is a feature and not a bug, it should not be an undocumented
> feature. ruby-doc.org doesn't tell me about this behaviour.
String.crypt is a wrapper around Unix standard C function crypt, used to
encrypt passwords. From man crypt,

    By taking the lowest 7 bits of each of the first eight characters of the
    key, a 56-bit key is obtained. This 56-bit key is used to encrypt
    repeatedly a constant string (usually a string consisting of all zeros).
    The returned value points to the encrypted password, a series of 13
    printable ASCII characters (the first two characters represent the salt
    itself). The return value points to static data whose content is
    overwritten by each call.

There goes your explanation. But that should be documented, I agree with you.
My opinion is that you should use crypt if you plan to interface somehow with
Unix password database. If you want one way cryptography, try MD5:

require 'digest/md5'
digest = Digest::MD5.hexdigest("Hello World\n")
puts digest

Cheers,
Vince
On Dec 5, 8:08 am, Patrick P.
…
I had a problem with str.crypt - I got the same result every time. The
problem is that this method only uses the first 8 characters of the string:
…
A little googling on ‘C standard library crypt’ led me to:
http://bama.ua.edu/cgi-bin/man-cgi?crypt_unix+5
It turns out the default crypt functionality only uses the first 8
chars, silently ignoring the rest.
Suggest looking into a “real” cryptographic lib. Googling for ‘ruby
crypt’ gave up:
http://crypt.rubyforge.org/
cheers
On 5 December at 14:08, Patrick P. wrote:
Hello,
I had a problem with str.crypt - I got the same result every time. The
problem is that this method only uses the first 8 characters of the string:
There are workarounds, but I think that's dependent on the OS.
For instance, the *BSD variants usually allow using the notation
$n$salt in the salt part of the crypt to choose another algorithm (n=1
-> MD5, n=2 -> Blowfish, n=3 -> NT-Hash, at least on FreeBSD):
"abcdefghijklmnop".crypt("$1$8aezq78a")
=> "$1$8aezq78a$reWMwf7b8UtEUWK0LM7pZ/"
"abcdefghijklmnopr".crypt("$1$8aezq78a")
=> "$1$8aezq78a$frgoGqHZ6bRujQt7qQeSP."
It seems to give the same results on some Linuxes and FreeBSD, but I
don’t know exactly how portable it is.
Fred
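
Added example, not part of any post in the thread: a Ruby model of the key derivation quoted from the crypt man page, plus a check that flags stored hashes in the traditional truncating format using the $n$ numbering given for FreeBSD above. The helper names and account names are assumptions; the hash strings are the ones shown in the thread.

```ruby
# Model of the crypt(3) text quoted in the thread; it does not call the
# platform crypt(). All helper names are hypothetical.

# Low 7 bits of each of the first eight bytes (zero-padded when shorter),
# packed into one 56-bit integer. Bytes past the eighth never contribute.
def des_crypt_key(password)
  bytes = password.b.bytes.first(8)
  bytes += [0] * (8 - bytes.length)
  bytes.reduce(0) { |key, byte| (key << 7) | (byte & 0x7f) }
end

# True when two different passwords yield the same 56-bit key.
def des_crypt_collision?(pw1, pw2)
  pw1.b != pw2.b && des_crypt_key(pw1) == des_crypt_key(pw2)
end

# Classify a stored hash by prefix, using the $n$ numbering quoted for
# FreeBSD. Thirteen salt-alphabet characters with no prefix is the
# traditional format.
def crypt_scheme(hash)
  case hash
  when /\A\$1\$/ then :md5
  when /\A\$2[a-z]?\$/ then :blowfish
  when /\A\$3\$/ then :nt_hash
  when /\A[.\/0-9A-Za-z]{13}\z/ then :traditional_des
  else :unknown
  end
end

# Accounts whose stored hash ignores everything after the eighth character.
def truncating_accounts(entries)
  entries.select { |_user, hash| crypt_scheme(hash) == :traditional_des }.keys
end

# Hash strings are those shown in the thread; account names are constructed.
SAMPLE_ENTRIES = {
  'alice' => 'aaNN3X.PL2piw',
  'bob'   => '$1$8aezq78a$reWMwf7b8UtEUWK0LM7pZ/'
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts des_crypt_collision?('12345678', '123456789')   # ninth byte ignored
  puts des_crypt_collision?('1234567', '12345678')     # eighth byte counts
  puts des_crypt_collision?("caf\xE9", 'cafi')         # high bit dropped
  puts truncating_accounts(SAMPLE_ENTRIES).inspect
end
```
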
Thanks for all the ideas and suggestions. I understand how crypt works
and now I use another method.
Patrick