GnuPG manual doubt

L. Sassaman rabbi@quickie.net
Thu, 27 Jan 2000 15:30:26 -0500 (EST)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A "salt" is a set of bits added to the encryption process. I am not
sure how it applies directly with GPG, but it is most commonly known for its
use in Morris's crypt() function in Unix.

crypt() takes two arguments: the password, and a salt. The salt does not
make the password any less difficult to brute force, but it does limit the
possibility that two encrypted passwords can be identified as being the same.

In other words, if I use the password "password" on thetis.quickie.net and
on prometheus.quickie.net, someone looking at the password files wouldn't
be able to tell they are the same. (shadow password files make this
application of salting unnecessary, but that is where it is most commonly
recognised as being used, and why).

When I run:

perl -e 'print crypt( "password", "AA" ) . "\n";'
                                   ^^ this is the salt

It produces this:

AA6tQYSfGxd/A
^^ Here is the salt in the output.

perl -e 'print crypt( "password", "AB" ) . "\n";'
                                   ^^ different salt

Different output of crypt()

ABRCL9ijBr2LY
^^

You can see that by "salting" the password, you can produce a totally
different encrypted string. No one would know that "AA6tQYSfGxd/A" and
"ABRCL9ijBr2LY" are both "password".

(Much like adding salts or seasons to a soup can change the taste
drastically.)


[Yes, I know that in crypt(), the passwords are not actually
encrypted; instead, a long string of zeros is encrypted with the
password. I am simplifying for the sake of clarity...]

If anyone wants to tell us exactly where salting is used in GPG, (what
algorithms, etc., please do. I am interested. :)

And re: mangle.. I would assume that is used as a synonym for
"obfuscate" or "obscure". Is "mangle" an actual cryptographic term?


- --Len.


On Thu, 27 Jan 2000, Mike Ashley wrote:


> The wording being quoted by Horacio comes directly from the gpg manual page.
> If someone could post a clarification, in terms of the algorithms being
> used, of what it means to "add salt" and "mangle", then Horacio and I could
> fix both the English and Spanish versions once and for all.
>
> Mike
>
> ----- Original Message -----
> From: J Horacio MG <homega@ciberia.es>
> To: GPG List <gnupg-users@gnupg.org>
> Sent: Thursday, January 27, 2000 5:13 AM
> Subject: GnuPG manual doubt
>
>
> > while doing the Spanish translation of the manual, I've found something
> > I'm stack with. For the options s2k-digest-algo and s2k-mode the
> > synopsis says:
> >
> > set the message digest algorithm for mangling passphrases
> >
> > and
> >
> > sets how passphrases are mangled
> >
> > It would help me if anyone could give me a brief explanation of it, as I
> > can't think of the meaning for "mangling" here.
> >
> >
> > Also, could anyone tell me what does "adding salt to a passphrase" mean?
> > (the translation of "salt" is ok, just like the element).
>
>
__ L. Sassaman System Administrator | "I've done my sentence Technology Consultant | But committed no crime..." icq.. 10735603 | pgp.. finger://ns.quickie.net/rabbi | --Freddie Mercury, Queen -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (GNU/Linux) Comment: OpenPGP Encrypted Email Preferred. iD8DBQE4kKroPYrxsgmsCmoRAufxAJ9EAfTb39boYWdie09FjKvqsmDNPwCg1lqt VeY5+jXhUjit7uoChXHyLRc= =FGRn -----END PGP SIGNATURE-----