Subject: Re: PROPOSAL: adding capability for blowfish passwords
To: None <tls@rek.tjls.com>
From: Steven M. Bellovin <smb@research.att.com>
List: current-users
Date: 05/23/2002 23:22:51
In message <20020524023015.GA23438@rek.tjls.com>, Thor Lancelot Simon writes:
>On Thu, May 23, 2002 at 08:28:28PM -0400, Sean Davis wrote:
>> On Fri, May 24, 2002 at 08:23:12AM +0900, itojun@iijlab.net wrote:
>> > 	hmm.  i see.  we should implement $2$ as openbsd does (there's no need
>> > 	to be different), and the above algorithm can become $3$.
>> 
>> Sounds good to me. I could have $3$ done and (hopefully :) cleanly implemented
>> in not too long, the only thing right now that I'm unsure about is how to handle
>> the salt argument to crypt. Obviously make it use the SHA512 hash if it starts
>> with $3$, but then what? just hash it in the same manner that digest uses
>> to hash multiple lines? (SHA512_Update(passwordtext) then SHA512_Update(salt),
>> or vice versa?)
>
>Uh, Steve already told you how: you use the salt as the key for HMAC_SHA512.
>
One other point I should mention:  the code fragment I sketched had an 
optional site-specific field.  Today's algorithm encrypts a constant 
block, which makes hashed passwords portable.  That isn't necessarily 
an advantage, since it lets an attacker combine password files from 
multiple sites for a single cracking run.  The variant allows site 
administrators to change that.

Where to store this string is an open issue.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com ("Firewalls" book)
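Added illustration of the construction the thread describes, written for this page and not Bellovin's sketch or any NetBSD code: the salt is the HMAC-SHA512 key, and an optional site-specific string is mixed into the message so two sites' password files cannot be attacked in one combined cracking run. The `$3$salt$digest` hex layout, the length prefix on the site field and the function names are assumptions of this example; the thread leaves the real field layout open.

```python
import hashlib
import hmac
import os

# Constructed example. Layout "$3$<hex salt>$<hex digest>" is assumed here;
# the thread does not fix the on-disk format.

def hash_password(password: bytes, salt: bytes, site: bytes = b"") -> bytes:
    """HMAC-SHA512 keyed by the salt over the site field and the password."""
    # Length-prefix the site field so (site, password) pairs cannot collide
    # by shifting bytes between the two parts. Empty site = portable hash.
    msg = len(site).to_bytes(2, "big") + site + password
    return hmac.new(salt, msg, hashlib.sha512).digest()

def make_entry(password: bytes, site: bytes = b"", salt: bytes = None) -> str:
    """Build a hypothetical "$3$" password-file entry with a fresh random salt."""
    salt = os.urandom(16) if salt is None else salt
    return f"$3${salt.hex()}${hash_password(password, salt, site).hex()}"

def verify(password: bytes, entry: str, site: bytes = b"") -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        _, tag, salt_hex, digest_hex = entry.split("$")
        if tag != "3":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed entry: wrong field count or bad hex
    return hmac.compare_digest(hash_password(password, salt, site), expected)

def same_digest_across_sites(password: bytes, salt: bytes,
                             site_a: bytes, site_b: bytes) -> bool:
    """True when two sites store identical hashes for the same password
    and salt, i.e. when one cracking run would cover both password files."""
    return (hash_password(password, salt, site_a)
            == hash_password(password, salt, site_b))

if __name__ == "__main__":
    pw, salt = b"correct horse", bytes(range(16))
    # Constant (empty) site field keeps hashes portable between sites.
    print(same_digest_across_sites(pw, salt, b"", b""))            # True
    # A per-site field makes the same password/salt hash differently.
    print(same_digest_across_sites(pw, salt, b"siteA", b"siteB"))  # False
    entry = make_entry(pw, b"siteA")
    print(verify(pw, entry, b"siteA"), verify(pw, entry, b"siteB"))  # True False
```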