
Password Digest support with Cams

Password digests are one-way hashes that securely store a password using industry standard hashing algorithms. Cams login modules provide support for password digests when possible. When a user supplies a password for authentication, the Cams login module determines how the password in the user directory was hashed and then uses the same formula to hash the password to be validated. If the resulting digest is the same as the digest stored in the user directory, the user is authenticated.

Cams login modules use Unix Crypt, SHA (with and without salt), and MD5 (with and without salt) digests. Digests (or hashes) are designed to be irreversible, or at least prohibitively expensive to reverse. This is different from an encryption algorithm, which has a corresponding decryption algorithm that can recover the original cleartext. Also, adding random salt bytes to password hashes is recommended to thwart dictionary attacks (where a hacker uses a dictionary of many weak pre-hashed passwords to compare against passwords in a user directory).

Most encryption authorities today recommend use of the SHA algorithm with salt bytes. However, Unix Crypt and MD5 are in wide use and may be required for your site.

Create a Password Digest

Enter a password and select an algorithm to see the resulting value that a Cams login module will use.


  • Name Value
    Password:
    Algorithm:
    Digest String:
    Digest Size (bytes):
    Digest (Base64):
    Salt (Base64):
    Digest (Hex):
    Salt (Hex):

    NOTE: Salt is generated randomly when required by an algorithm.

    The supplied Cams login modules expect a password digest to be stored in a specific format referred to in this document as a digest string. The digest string format is also in use with popular directory servers such as OpenLDAP and SunOne. If this format does not meet your requirements, you can modify the supplied Cams login modules to work with other schemas and digest formats. For example, some directories store the salt bytes separate from the digest and others may Hex encode values instead of using base64 encoding.

    For Cams login modules, a password value may consist of a label followed by the base64 encoding of the password digest and the salt bytes (if any). If there is no label, the password is assumed to be cleartext. For example, the following values are all valid for the password camsrocks:

    • camsrocks (cleartext)
    • {CRYPT}gTkGUcByx84Po
    • {SSHA}4KCLUxbuEarx5kRgz3rvHiwX2p8QErePbD0b5dVmaADydegfkoOrCQ==
    • {SHA}8cM35Yp6h1KdnPqDbhUubTLpyy0=
    • {SMD5}PF031evCfhiSAiPsc5jp5+VDt85DVrMnnrt+oqQrFcCBtVBX
    • {MD5}Xfnjmz/dqKDWv/09OUwkRw==

    where the label:

    • {CRYPT} - is Unix Crypt
    • {SSHA} - is SHA with salt
    • {SHA} - is SHA without salt
    • {SMD5} - is MD5 with salt
    • {MD5} - is MD5 without salt

    The label is case-insensitive and for SHA and MD5 digests is followed by a base64 encoding of:

    1. the digest of:
      1. a password, followed by
      2. a random sequence of salt bytes (if any);
    2. followed by the same salt bytes (if any)

    For Unix Crypt, the digest formula is simply the value produced by the Unix Crypt code. The formula for Cams SHA/MD5 digest strings is graphically depicted in Figure 1.

    Figure 1 - The Cams SHA/MD5 digest string formula

    Using a digest string as a stored password enables the Cams login module to determine the algorithm (if any) and salt bytes (if any) used to create the stored value. A user-supplied password can then be hashed using the same algorithm (if any) and salt bytes (if any). If the result matches the value from the user directory, the user is authenticated.
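
    The parse-and-compare step described above, as an added example that is not Cams code: it splits a digest string into label, digest and salt using the algorithm's digest size, then rehashes the candidate password and compares in constant time. It assumes SHA means SHA-1 (the {SHA} value above decodes to 20 bytes), uses the 20-byte salt length that the salted samples above decode to, and does not handle {CRYPT}; the function names are illustrative.

```python
import base64
import hashlib
import hmac
import os

# label -> (hashlib name, salted?). Assumption: "SHA" is SHA-1 (20-byte digest).
ALGOS = {"SHA": ("sha1", False), "SSHA": ("sha1", True),
         "MD5": ("md5", False), "SMD5": ("md5", True)}

def make_digest_string(label, password, salt=None):
    """Build '{LABEL}' + base64(digest(password + salt) + salt)."""
    name, salted = ALGOS[label.upper()]
    # 20 random salt bytes: the salt length the page's salted samples decode to.
    salt = (salt or os.urandom(20)) if salted else b""
    digest = hashlib.new(name, password.encode() + salt).digest()
    return "{%s}%s" % (label.upper(), base64.b64encode(digest + salt).decode())

def parse_digest_string(stored):
    """Return (label, digest, salt); label is None for a cleartext value."""
    if not (stored.startswith("{") and "}" in stored):
        return None, stored.encode(), b""
    label, _, b64 = stored[1:].partition("}")
    label = label.upper()  # labels are case-insensitive
    if label not in ALGOS:
        raise ValueError("unsupported label: " + label)
    name, salted = ALGOS[label]
    raw = base64.b64decode(b64, validate=True)
    size = hashlib.new(name).digest_size
    # Unsalted values must be exactly one digest long; salted ones longer.
    if len(raw) < size or (len(raw) == size) == salted:
        raise ValueError("unexpected decoded length for " + label)
    return label, raw[:size], raw[size:]

def verify(stored, candidate):
    """Hash the candidate the same way as the stored value and compare."""
    label, digest, salt = parse_digest_string(stored)
    if label is None:
        return hmac.compare_digest(digest, candidate.encode())
    computed = hashlib.new(ALGOS[label][0], candidate.encode() + salt).digest()
    return hmac.compare_digest(computed, digest)

if __name__ == "__main__":
    s = make_digest_string("SSHA", "camsrocks")
    print(s, verify(s, "camsrocks"), verify(s, "wrong"))
```

    Rejecting a decoded value whose length does not fit the label keeps a malformed or mislabelled directory entry from being compared against a truncated digest.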

    Password Digest Glossary

    • Algorithm - The one-way digest or hash algorithm to use to create the digest
    • Digest String - Cams uses this format to store a digest. It is comprised of a string that starts with a label to indicate the algorithm (in curly brackets) followed by a Base64 encoding of the digest concatenated with the salt (if any).
    • Digest Size - The length, in bytes, of the digest
    • Digest (Base64) - The Base64 encoding of the digest
    • Salt (Base64) - The Base64 encoding of the salt
    • Digest (Hex) - The Hex encoding of the digest
    • Salt (Hex) - The Hex encoding of the salt

     

