
Re: userPassword encryption



Hello people,

> > Someone can help me to define the default encryption method for 
> > userPassword in one Openldap server?
> [...] choices of:

The choices come from RFC 2307, according to the manpage for slappasswd.

The choices differ in the strength of encryption, while they are not really
a heavy burden on your machine.  So you may want to pick the strongest
crypto.

> crypt

Not the strongest one-way function, but much better than plain text.
Crypt is also commonly used to protect Un*x' /etc/passwd files.

> ssha
> sha

The sha algorithm seems to be what is commonly known as sha1.  That is a
bit confusing, because there used to be a predecessor to sha1 known as sha.
This algorithm has been thoroughly sliced&diced by cryptographers, and is
now commonly considered a very reliable secure hash, or one-way function.
Your bank would trust it to protect your secrets.

That same bank wouldn't like to store 4-digit PIN codes after passing them
through such a secure hash, though.  Even with 20 bytes of hash output,
there are still only 10,000 different input values, so it'd be easy figuring
out a PIN code from the hash.  So, one can prefix the hashed information
(such as the PIN code) with a so-called salt, which is just gibberish, to
scatter its outcome somewhat better and thus have more variation in output
values.  That seems to be what SSHA adds w.r.t. SHA.  (Not entirely sure.)

> smd5
> md5

The "s" is again a salt, AFAIK.

The md5 algorithm is older than SHA-1, and it has proven valuable, but
there is some mumbling that a so-called "birthday attack" could happen. Not
really something to be concerned with in a database... but then again,
there's no good reason to prefer this over sha1, so why not pick that
instead...  sha1 is free of these types of attack anyway.


What I did to check these functions was this [on FreeBSD]:

  bash$ echo -n 'OpenFortress' | openssl sha1 -binary | mimencode
produced the same code as
  bash$ slappasswd -h '{SHA}' -s OpenFortress 
every time it was run, whereas a different output occurred on every run of
  bash$ slappasswd -h '{SSHA}' -s OpenFortress 
the variation in the latter's outcome clearly is the salt at work.


Cheerio,

Rick van Rein,
OpenFortress.
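Added example, not part of Rick's post and not OpenLDAP's own code: a small
Python implementation of the {SHA} and {SSHA} userPassword encodings as
OpenLDAP's slappasswd produces them (the {SSHA} value is
base64(sha1(password + salt) + salt), with the salt appended after the
20-byte digest so a verifier can recover it), plus a verifier and the
"precomputed table of all 10,000 PINs" lookup the post alludes to.  It shows
the same two facts as the openssl/slappasswd check above: {SHA} is identical
on every run, {SSHA} differs on every run because of the salt.  SALT_LEN,
the function names and the sample passwords are this example's own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Number of random salt bytes for {SSHA}.  Assumption for this example:
# 4 bytes, which is what slappasswd emits by default; any length works,
# because the salt travels inside the stored value.
SALT_LEN = 4
SHA1_LEN = 20  # SHA-1 digest size in bytes


def make_sha(password: str) -> str:
    """Unsalted {SHA}: base64(sha1(password)).  Same input, same output."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: base64(sha1(password + salt) + salt).

    With a random salt every call yields a different stored value for the
    same password, exactly what the repeated slappasswd runs show.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_rfc2307(value: str) -> tuple:
    """Split '{SCHEME}base64' into (scheme, digest, salt).

    For {SHA} the salt is empty; for {SSHA} everything after the first
    20 bytes of the decoded blob is the salt.
    """
    if not value.startswith("{") or "}" not in value:
        raise ValueError("not an RFC 2307 userPassword value")
    scheme, encoded = value[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in ("SHA", "SSHA"):
        raise ValueError("unsupported scheme: " + scheme)
    blob = base64.b64decode(encoded)
    if len(blob) < SHA1_LEN:
        raise ValueError("decoded value shorter than a SHA-1 digest")
    return scheme, blob[:SHA1_LEN], blob[SHA1_LEN:]


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SHA}/{SSHA} value.

    Recompute sha1(password + salt) with the salt recovered from the
    stored value (empty for {SHA}) and compare in constant time.
    """
    _scheme, digest, salt = parse_rfc2307(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def precomputed_table(candidates) -> dict:
    """Map the unsalted {SHA} value of every candidate back to its plaintext.

    This is the attack on the unsalted 4-digit PIN: build the table once,
    then look up any stored {SHA} value directly.  Against {SSHA} the same
    table misses, because each salt produces a different stored value.
    """
    return {make_sha(c): c for c in candidates}


if __name__ == "__main__":
    for _ in range(2):
        print(make_sha("OpenFortress"))   # identical each time
    for _ in range(2):
        print(make_ssha("OpenFortress"))  # different each time (salt)
    pins = ["%04d" % i for i in range(10000)]
    table = precomputed_table(pins)
    print("unsalted PIN recovered:", table.get(make_sha("1234")))
    print("salted PIN recovered:", table.get(make_ssha("1234")))
```

To cross-check against a real directory, feed a {SSHA} value copied from
slappasswd into verify(); note that the lookup table defeats {SHA} outright,
while against {SSHA} an attacker still has to hash all 10,000 PINs once per
salt, which is the only extra work the salt buys on such a small input space.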