Sunday, January 27, 2013

UNIX password scheme

In most computer security contexts, user authentication is the fundamental building block and primary line of defense. User authentication is the basis for most types of access control and for user accountability.

Hashed passwords are widely used in UNIX-like operating systems: UNIX stores a hashed password together with a salt value. This password scheme is completely different from the one used in Windows-like operating systems. Windows uses only encryption of passwords, unlike UNIX, which is why Windows does not have as powerful an authentication scheme. The UNIX password scheme is explained below, and fig 1 shows it.

To load a new password into the system, the user has to select a new password. This password is combined with a salt value. Salt values are of fixed length and can be anything, like the time or date, but the latest implementations use a random number as the salt value.

The password and salt value are given as input to the hash algorithm to produce a fixed-length hash value. The hash value is then stored, with a plain-text copy of the salt value, in the password file for the corresponding user ID.

fig 1. UNIX password scheme

When a user attempts to log on to a UNIX system, the user provides an ID and a password. The operating system uses the ID as an index into the password file and retrieves the plain-text salt value and the encrypted password. The newly provided password and the salt value are given as input to the encryption algorithm. The algorithm generates an encrypted password, which is compared with the encrypted value stored next to the salt; only if both match is log-in allowed, otherwise it is denied.

The other benefit of this mechanism is that even if two users choose the same password there is no conflict, because the salt value for each user ID is different.
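The two halves of the scheme described above (storing a new password, then checking one at log-in) as an added example in Python; this is not the post's own code, and the C program promised in the comments is separate from it. The entry format "$pbkdf2$salt$hash" and the use of PBKDF2-HMAC-SHA512 as the "hash algorithm" are assumptions made for this example (the post only says "hashed algorithm"); the in-memory dictionary stands in for the password file, and the user IDs and passwords are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Hypothetical entry format for this example: "$pbkdf2$<salt>$<hex hash>".
# A real UNIX system keeps such entries in /etc/shadow in its own format.
ALGORITHM = "pbkdf2"
ITERATIONS = 100_000  # PBKDF2 is deliberately slow; the count is a chosen value


def hash_password(password: str, salt: str) -> str:
    """Combine the salt with the password and produce the fixed-length hash.

    PBKDF2-HMAC-SHA512 is an assumption for this example; the post only
    says 'hash algorithm'. The output is always 64 bytes (128 hex chars).
    """
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt.encode("utf-8"), ITERATIONS
    )
    return digest.hex()


def set_password(password_file: dict, user_id: str, password: str) -> str:
    """Loading a new password: pick a random salt, hash salt+password,
    and store the hash with a plain-text copy of the salt under the user ID."""
    salt = secrets.token_hex(8)  # random salt, as the post recommends
    entry = f"${ALGORITHM}${salt}${hash_password(password, salt)}"
    password_file[user_id] = entry
    return entry


def verify_login(password_file: dict, user_id: str, password: str) -> bool:
    """Log-in check: use the ID as the index into the password file, read
    back the plain-text salt, re-hash the offered password with that salt,
    and allow log-in only if the result matches the stored hash."""
    entry = password_file.get(user_id)
    if entry is None:
        return False  # unknown user ID
    _, algorithm, salt, stored_hash = entry.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hash_password(password, salt)
    # Constant-time comparison so timing does not reveal how many characters matched.
    return hmac.compare_digest(candidate, stored_hash)


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    pwfile = {}
    set_password(pwfile, "alice", "qwerty")
    set_password(pwfile, "bob", "qwerty")
    for user_id, entry in pwfile.items():
        print(f"{user_id}:{entry}")  # different salts give different hashes
    print("alice / qwerty:", verify_login(pwfile, "alice", "qwerty"))
    print("alice / asdgf :", verify_login(pwfile, "alice", "asdgf"))
```

Running the block shows the point made in the last paragraph directly: "alice" and "bob" share the password "qwerty" but get different entries because their salts differ, so the password file never reveals that two accounts use the same password. Modern UNIX systems apply the same structure with slow, iterated hash variants (which is why PBKDF2 was chosen here rather than a single SHA-512 pass).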

3 comments:

  1. Can you please explain with an example?

1. Let's say we have a password like "qwerty". This password is given to the encryption algorithm along with a randomly generated salt value such as "764336";
      it may generate an encrypted value like "jhsd4535fiw7r4u83348" (guessed value).
      Now the generated password and salt values are stored in the password file.
      Now if we try to log in with a wrong password such as "asdgf", it will be given to the encryption algorithm, which generates an encrypted value like "hbcb34324sdfsf"; this is not the same as the encrypted value in the password file, hence login is denied.

2. I will try to implement it using a C program. It may be published next Sunday.
