3

I'm working with Subversion based on Windows and would like to write an easy utility in .NET for working with the Apache password file. I understand that it uses a function referred to as MD5Crypt, but I can't seem to find a description of the algorithm beyond that at some point it uses MD5 to create a hash.

Can someone describe the MD5Crypt algorithm and password line format?

James A. Rosen
Lee

4 Answers

4

A precise textual description of the crypt algorithm updated for use with sha256 and sha512 is at http://www.akkadia.org/drepper/SHA-crypt.txt

It includes contrasts with the MD5 algorithm, so it should give you what you're looking for.

nealmcb
  • Thanks! This is exactly what I was looking for so long ago. I honestly wish that there was more information like this on Stack Overflow. Descriptions and discussions of algorithms without regard to individual programming languages. I wish I had more than just an upvote and an accept to give. – Lee Feb 16 '11 at 01:13
3

You can find an implementation of md5crypt in the tcllib package. Download is available from SourceForge.

You can also find an example of an Apache-compatible md5crypt in the source code for the CAS Generic Handler.

Espo
2

The process is rather involved... the salt and the password are hashed together not once, but 1000 times. Also, the base64 encoding uses a different alphabet, and the padding is removed from the end.

The best thing would probably be to find a library to use, like glibc under cygwin.

Since you code against Apache anyway, have a look at Apache's implementation of crypt-md5.

The original algorithm (I think) in C can be found here. It differs from the above implementation only by the different magic number.

2

MD5Crypt is basically a replacement for the old-fashioned Unix crypt function. It was introduced in FreeBSD, and has been adopted by other groups as well.

The basic idea is this:

  • a hash is a good way to store a password
    • you take the user's entered password and hash it
    • compare it to the stored hash
    • if the hash is the same, the passwords match

But there's a problem:

  • Suppose you pick the password "jeff" and I also pick the password "jeff".
  • Now both of our password hashes are the same.
  • So if I see the stored hash codes, I will know your password is the same as mine, "jeff".

So, we can add a "salt" string to the password.

  • This can be any random thing.
  • Suppose for your account it is "zuzu" and for my account it is "rjrj".
  • Now we hash the string "jeffzuzu" for your password, and "jeffrjrj" for my password.
  • Now we have different hash values for our password.
  • We can safely store the salt value with the hashed password, since even knowing the salt value won't help to decode the hash.

You mention .NET; there's a pointer over in another forum to this:

System.Security.Cryptography.MD5CryptoServiceProvider md5 =
    new System.Security.Cryptography.MD5CryptoServiceProvider();

// MD5 of the ASCII bytes of stringtohash, rendered as dash-separated hex
string hash = BitConverter.ToString(
    md5.ComputeHash(System.Text.Encoding.ASCII.GetBytes(stringtohash)));

HTH!

Mark Harrison
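The algorithm and line format the answers describe (password and salt hashed 1000 times, a non-standard base64 alphabet with no padding, and a magic string that differs between Apache's `$apr1$` and the original `$1$`), as an added Python example that is not code from any of the answers or from Apache. The function names and the user name `alice` are made up for this example; the sample hash is the one the Apache httpd password-format documentation gives for `myPassword`.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5crypt(password: bytes, salt: bytes, magic: bytes = b"$apr1$") -> str:
    """Return '<magic><salt>$<hash>'; magic is $apr1$ (Apache) or $1$ (original)."""
    salt = salt[:8]                                # at most 8 salt characters are used
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + magic + salt)
    for n in range(len(password), 0, -16):         # len(password) bytes of alt, repeating
        ctx.update(alt[:min(16, n)])
    i = len(password)
    while i:                                       # one byte per bit of the password length
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                          # the 1000 stretching rounds
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    out = []                                       # crypt-style base64: permuted bytes, 6 bits
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[c]
        out += [ITOA64[(v >> s) & 0x3F] for s in (0, 6, 12, 18)]
    out += [ITOA64[final[11] & 0x3F], ITOA64[final[11] >> 6]]
    return f"{magic.decode()}{salt.decode()}${''.join(out)}"

def verify_htpasswd_line(line: str, password: str) -> bool:
    """Check a password against one 'user:$apr1$salt$hash' password-file line."""
    _user, _, stored = line.strip().partition(":")
    parts = stored.split("$")                      # ['', 'apr1', salt, hash]
    if len(parts) != 4 or parts[1] not in ("apr1", "1"):
        return False                               # not an MD5-crypt entry
    magic = f"${parts[1]}$".encode()
    computed = md5crypt(password.encode(), parts[2].encode(), magic)
    return hmac.compare_digest(computed.encode(), stored.encode())

# Constructed sample line: made-up user name, hash value as described in the lead-in.
SAMPLE_LINE = "alice:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/"
```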