Question

I'm working with Subversion based on Windows and would like to write an easy utility in .NET for working with the Apache password file. I understand that it uses a function referred to as MD5Crypt, but I can't seem to find a description of the algorithm beyond that at some point it uses MD5 to create a hash.

Can someone describe the MD5Crypt algorithm and password line format?


Solution

A precise textual description of the crypt algorithm updated for use with sha256 and sha512 is at http://www.akkadia.org/drepper/SHA-crypt.txt

It includes contrasts with the MD5 algorithm, so it should give you what you're looking for.

OTHER TIPS

You can find an implementation of md5crypt in the tcllib package. The download is available from SourceForge.

You can also find an example of an Apache-compatible md5crypt in the source code for the CAS Generic Handler.

MD5Crypt is basically a replacement for the old-fashioned Unix crypt function. It was introduced in FreeBSD, and has been adopted by other groups as well.

The basic idea is this:

  • a hash is a good way to store a password
    • you take the user's entered password and hash it
    • compare it to the stored hash
    • if the hash is the same, the passwords match

But there's a problem:

  • Suppose you pick the password "jeff" and I also pick the password "jeff".
  • Now both of our password hashes are the same.
  • So if I see the stored hash codes, I will know your password is the same as mine, "jeff".

So, we can add a "salt" string to the password.

  • This can be any random thing.
  • Suppose for your account it is "zuzu" and for my account it is "rjrj".
  • Now we hash the string "jeffzuzu" for your password, and "jeffrjrj" for my password.
  • Now we have different hash values for our password.
  • We can safely store the salt value with the hashed password, since even knowing the salt value won't help to decode the hash.

You mention .NET; there's a pointer over in another forum to this:

using System;
using System.Security.Cryptography;
using System.Text;

// Computes a single, unsalted MD5 digest of the input string (stringtohash)
// and returns it as dash-separated hex bytes.
MD5CryptoServiceProvider md5 = new MD5CryptoServiceProvider();
string hash = BitConverter.ToString(md5.ComputeHash(Encoding.Default.GetBytes(stringtohash)));

HTH!

The process is rather involved... the salt and the password are hashed together not once, but 1000 times. Also, the base64 encoding uses a different alphabet, and the padding is removed from the end.

The best thing would probably be to find a library to use, like glibc under cygwin.

Since you code against Apache anyway, have a look at Apache's implementation of crypt-md5.

The original algorithm (I think) in C can be found here. It differs from the above implementation only by the different magic number.
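Putting the pieces from the answers above together (the salt, the 1000 rounds, the crypt-style base64 alphabet with no padding, and the magic prefix that is the only difference between the Unix `$1$` form and Apache's `$apr1$` form), here is an added worked example in Python. It is not code from any of the answers, from Apache or from FreeBSD; it is written from the public FreeBSD/Apache algorithm. The sample password and salt are constructed, the helper names `to64`, `new_salt`, `parse_hash`, `verify` and `parse_htpasswd_line` are chosen here, and the htpasswd line layout `user:$apr1$salt$hash` is assumed. Only an MD5 primitive is needed, so it ports directly to .NET's `System.Security.Cryptography.MD5`.

```python
# Added example: md5crypt ($1$ / $apr1$) written from the public algorithm.
# Not code from the answers above or from the Apache/FreeBSD sources.
import hashlib
import hmac
import secrets

# crypt-style base64 alphabet (differs from RFC 4648 base64; no '=' padding)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APACHE_MAGIC = "$apr1$"   # Apache htpasswd variant
UNIX_MAGIC = "$1$"        # original FreeBSD/glibc variant; same algorithm, other magic


def to64(value: int, count: int) -> str:
    """Emit `count` characters, 6 bits each, least-significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str, magic: str = APACHE_MAGIC) -> str:
    pw = password.encode("utf-8")
    salt = salt[:8]                         # at most 8 salt characters are used
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    sb = salt.encode("ascii")
    mb = magic.encode("ascii")

    ctx = hashlib.md5(pw + mb + sb)                 # password, magic, salt
    alt = hashlib.md5(pw + sb + pw).digest()        # "alternate" digest
    # mix in the alternate digest, one byte per byte of password
    n = len(pw)
    while n > 0:
        ctx.update(alt[:min(16, n)])
        n -= 16
    # walk the bits of the password length: a NUL byte for each 1 bit,
    # the first password byte for each 0 bit
    n = len(pw)
    while n:
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()

    # 1000 stretching rounds; what is mixed in depends on the round number
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    # the 16 digest bytes are regrouped in this fixed order before encoding
    f = final
    encoded = (
        to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + to64(f[11], 2)
    )
    return f"{magic}{salt}${encoded}"


def new_salt(length: int = 8) -> str:
    """Random salt from the crypt alphabet (helper name chosen here)."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def parse_hash(stored: str):
    """Split '$apr1$salt$hash' into (magic, salt, hash)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not an md5crypt hash")
    return f"${parts[1]}$", parts[2], parts[3]


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    magic, salt, _ = parse_hash(stored)
    candidate = md5crypt(password, salt, magic)
    return hmac.compare_digest(candidate.encode(), stored.encode())


def parse_htpasswd_line(line: str):
    """Assumed htpasswd layout: 'user:$apr1$salt$hash' -> (user, stored_hash)."""
    user, _, stored = line.strip().partition(":")
    if not user or not stored:
        raise ValueError("malformed htpasswd line")
    return user, stored


if __name__ == "__main__":
    # constructed sample values, not from the original post
    h = md5crypt("hunter2", "abcdefgh")
    print("jeff:" + h)
    print(verify("hunter2", h), verify("hunter3", h))
```

To check it against a real implementation, run `openssl passwd -apr1 -salt abcdefgh hunter2` (or `htpasswd -nbm jeff hunter2`, whose random salt you can then feed back through `verify`) and compare. Note that `$1$` and `$apr1$` hashes of the same password and salt differ, because the magic string is fed into the first MD5 context; this is exactly the "different magic number" remark in the last answer.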

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow