2

I'm learning about encryption and decryption on linux and php. So I have three questions about openssl and how it generates password hashes.

1- So say I generated a password with the linux command

openssl passwd

My first observation is that every time I generate a hash, it's different! Why is that? Is it because of salt? That's my first question.

2- Now my second question is about testing this password. Say I want to test the correctness of this password and get a binary answer, whether it's correct or not. How do I do that with openssl? If my question doesn't make sense, then how is openssl passwd useful?

3- If I encrypt my password with a hash using openssl passwd, and every time there's a random salt added to it, how does openssl decrypt it (or any other program for that matter)?

Thank you.

Improve this question
1
  • If you -1 the post, please explain why. I could always improve the question. Commented Dec 13, 2014 at 16:44

3 Answers 3

Reset to default
1

openssl crypt you password with an algorithm and a salt. If you do not provided a salt an random is choosen.

the salt is given in the resulting hash.

for instance

 openssl passwd -1 foo
 $1$pyuddMjp$3.deTnHdrVVVLoh5zkQ0B.

where

  • 1 is proticol (md5 here)
  • pyuddMjp is salt

If I want to verif you know passwd (i.e. foo), I need to compare resulting hash, using passwd option with salt.

  • with x=bar

    openssl passwd -1 -salt pyuddMjp $x $1$pyuddMjp$kNkQHWoF8WVh7Oxvae5YX1

  • with x=foo

    openssl passwd -1 -salt pyuddMjp $x $1$pyuddMjp$3.deTnHdrVVVLoh5zkQ0B.

Improve this answer
2
  • Thank you for the response. This is helpful. But I still am wondering about how this works without the "-1" in the command. Why do I still get a different result each time? Commented Dec 13, 2014 at 17:57
  • 1
    without -1 option, crypt() is used, the salt are the first two caracter. Commented Dec 13, 2014 at 18:22
1

First of all openssl command is usually not used to encrypt passwords. You can read about openssl at http://en.wikipedia.org/wiki/OpenSSL

On Unix systems passwords are encrypted with a one way hash, so there is no way to decrypt them to get back the original.

In one way encryption the salt is usually a pre determined string or generated from the plain text version, for example the first few characters, and you will use that to regenerate the hash and compare the two.

You mentioned php, you can check php crypt function for more information.

Improve this answer
0

Building on the accepted answer. I wanted to verify that the password hash matched with the password which was initially set - or thought to be set.

First I don't want passwords to show up in the command line history, so for

# cat > pass.txt
mypasswd1
<ctrl>+d

# cat > badpass.txt
faulty
<ctrl>+d

Then I create an MD5 hash:

# RET=$(openssl passwd -1 -in pass.txt)
# echo $RET
$1$nhyuaE7S$ld2wuucUlRUQE8iAnJhjF/

The "salt" is the third field, as separated by $ (including the leading/empty field). Saving the "salt"

# SALT=$(echo $RET | cut -d\$ -f 3)
# echo $SALT
nhyuaE7S

So to see if the password actually matched the MD5 hash I compare the hash I have saved in the $RET variable with the first line of the "test".

# echo "$RET" ; openssl passwd -1 -salt "$SALT" $(cat pass.txt) "$RET"
$1$nhyuaE7S$ld2wuucUlRUQE8iAnJhjF/
$1$nhyuaE7S$ld2wuucUlRUQE8iAnJhjF/
$1$nhyuaE7S$3pGvIF7UwuvhJjXzR4Yb.0

They seem to match, let's have diff to check for us:

# diff <(echo "$RET") <(openssl passwd -1 -salt "$SALT" $(cat pass.txt) "$RET" | head -1)
# echo $?
0

So far so good, but lets also check with the "bad" password to see that we don't have a match.

# echo "$RET" ; openssl passwd -1 -salt "$SALT" $(cat badpass.txt) "$RET"
$1$nhyuaE7S$ld2wuucUlRUQE8iAnJhjF/
$1$nhyuaE7S$t6MTdY2QafzUtBMMVzf5B.
$1$nhyuaE7S$3pGvIF7UwuvhJjXzR4Yb.0

# diff <(echo "$RET") <(openssl passwd -1 -salt "$SALT" $(cat badpass.txt) "$RET" | head -1) >/dev/null
# echo $?
1

So now we have a test which actually can "prove" that the stored MD5 hash, i.e. in a config file, match the password we think is the correct one.

Please inform in the comments if any of my assumptions are mistaken or incorrect.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.