
Security scan tool reported C's crypt(param_1,local_88) as dangerous function. Searching in google couldn't find any solid information on crypt except someone mentioned it uses DES which is 64 bit (not 3DES) encryption. Any input is appreciated.

Ray_R

1 Answer

The Unix/POSIX C function crypt is a long-obsolete password hashing mechanism. While calling it isn't dangerous in itself (unlike, say, gets()) — at least no more than any other C function (so you need to pay attention to pointer validity and buffer sizes) — relying on it to have any security properties whatsoever is dangerous. So if you're calling crypt(), it's a strong sign that your application is doing something wrong.

The name and documentation date back from the 1970s when computer-era cryptography was very new and using cryptography for anything other than encryption was unfamiliar. It isn't encryption because it's a one-way thing: you can't go back from its output to the input except by brute force (trying all possible inputs and calling crypt() until the output matches).

crypt() is dangerous because brute force is feasible, it's too fast, and its salt is too small. (Read How to securely hash passwords if you want to know the background.) The input “key” (actually a password) is only 8 bytes, out of which 8 bits are ignored. The input space is even smaller if the input is made of printable characters, and even smaller if the input has some structure (e.g. a known mix of punctuation vs letters). It can typically be brute-forced in hours.

crypt() has been obsolete since the mid-1990s. If you need to hash a password, you are long overdue for switching to a modern method. If you're using crypt() for some other purpose, it's probably wrong too — I can't think of anything useful crypt() can do in the 21st century — and you should ask a professional what to do instead. (Don't ask on Stack Overflow, which is not good at cryptography. Security SE or Cryptography SE can give good advice.)

Gilles 'SO- stop being evil'
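An added example in C, not code from the question or the answer: a small audit helper that classifies stored hash strings by scheme, so 13-character traditional DES crypt() entries can be found and migrated, plus a function that reproduces the 8-byte, 7-bits-per-byte truncation the answer describes, to show which distinct passwords crypt() cannot tell apart. The scheme labels and sample hash strings are constructed for this example; nothing here calls crypt() or runs DES.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Traditional DES crypt(3) uses only the first 8 bytes of the password and
 * only the low 7 bits of each byte (bit 8 is the DES parity bit, ignored).
 * Anything past byte 8 is dropped. This reproduces that truncation only
 * (no DES) so an auditor can see which passwords map to the same key. */
static void des_crypt_effective_key(const char *password, unsigned char key[8]) {
    memset(key, 0, 8);
    for (size_t i = 0; i < 8 && password[i] != '\0'; i++)
        key[i] = (unsigned char)password[i] & 0x7f; /* parity bit discarded */
}

/* 1 if traditional crypt() cannot distinguish the two passwords. */
int des_crypt_keys_collide(const char *a, const char *b) {
    unsigned char ka[8], kb[8];
    des_crypt_effective_key(a, ka);
    des_crypt_effective_key(b, kb);
    return memcmp(ka, kb, 8) == 0;
}

static int is_crypt_char(int c) {
    return c == '.' || c == '/' || isalnum((unsigned char)c);
}

/* Classify a stored hash. Traditional DES crypt output is exactly 13 chars
 * from [./0-9A-Za-z]: 2 salt chars (12 bits of salt) + 11 hash chars.
 * Modular-crypt-format hashes carry a "$id$" prefix instead. The labels
 * returned are this example's own names, not any library API. */
const char *crypt_hash_scheme(const char *hash) {
    if (hash[0] != '$') {
        if (strlen(hash) != 13) return "unknown";
        for (int i = 0; i < 13; i++)
            if (!is_crypt_char(hash[i])) return "unknown";
        return "des-traditional"; /* obsolete: migrate this entry */
    }
    if (strncmp(hash, "$1$", 3) == 0) return "md5crypt";
    if (strncmp(hash, "$2a$", 4) == 0 || strncmp(hash, "$2b$", 4) == 0 ||
        strncmp(hash, "$2y$", 4) == 0) return "bcrypt";
    if (strncmp(hash, "$5$", 3) == 0) return "sha256crypt";
    if (strncmp(hash, "$6$", 3) == 0) return "sha512crypt";
    if (strncmp(hash, "$y$", 3) == 0) return "yescrypt";
    return "unknown";
}

int main(void) { /* constructed sample entries, not real hashes of anything */
    const char *s[] = { "ab1234567890.", "$6$saltsalt$nothashdata", "$2b$12$x" };
    for (int i = 0; i < 3; i++) printf("%s -> %s\n", s[i], crypt_hash_scheme(s[i]));
    printf("collide: %d\n", des_crypt_keys_collide("password123", "password!"));
    return 0;
}
```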