Linux – Why is the output of “openssl passwd” different each time

linuxopenssl

The openssl passwd command computes the hash of a password typed at
run-time or the hash of each password in a list. The password list is
taken from the named file for option -in file, from stdin for option
-stdin, and from the command line otherwise. The UNIX standard algorithm crypt and the MD5-based BSD password algorithm 1 and its
Apache variant apr1 are available.

I understand the term "hash" to mean "turn an input into an output from which is it difficult/impossible to derive the original input." More specifically, the input:output relationship after hashing is N:M, where M<=N (i.e. hash collision is possible).

Why is the output of "openssl passwd" different run successively with the same input?

> openssl passwd
Password:
Verifying - Password:
ZTGgaZkFnC6Pg
> openssl passwd
Password:
Verifying - Password:
wCfi4i2Bnj3FU
> openssl passwd -1 "a"
$1$OKgLCmVl$d02jECa4DXn/oXX0R.MoQ/
> openssl passwd -1 "a"
$1$JhSBpnWc$oiu2qHyr5p.ir0NrseQes1

I must not understand the purpose of this function, because it looks like running the same hash algorithm on the same input produces multiple unique outputs. I guess I'm confused by this seeming N:M input:output relationship where M>N.

Best Answer

> openssl passwd -1 "a"
$1$OKgLCmVl$d02jECa4DXn/oXX0R.MoQ/

This is the extended Unix-style crypt(3) password hash syntax, specifically the MD5 version of it.

The first $1$ identifies the hash type, the next part OKgLCmVlis the salt used in encrypting the password, then after the separator $ character to the end of line is the actual password hash.

So, if you take the salt part from the first encryption and use it with the subsequent ones, you should always get the same result:

> openssl passwd -1 -salt "OKgLCmVl" "a"
$1$OKgLCmVl$d02jECa4DXn/oXX0R.MoQ/
> openssl passwd -1 -salt "OKgLCmVl" "a"
$1$OKgLCmVl$d02jECa4DXn/oXX0R.MoQ/

When you're changing a password, you should always switch to a new salt. This prevents anyone finding out after the fact whether the new password was actually the same as the old one. (If you want to prevent the re-use of old passwords, you can of course hash the new password candidate twice: once with the old salt and then, if the result is different from the old password and thus acceptable, again with a new salt.)

If you use openssl passwd with no options, you get the original crypt(3)-compatible hash, as described by dave_thompson_085. With it, the salt is two first letters of the hash:

> openssl passwd "a"
imM.Fa8z1RS.k
> openssl passwd -salt "im" "a"
imM.Fa8z1RS.k

You should not use this old hash style in any new implementation, as it restricts the effective password length to 8 characters, and has too little salt to adequately protect against modern methods.

(I once calculated the amount of data required to store a full set of rainbow tables for every classic crypt(3) hash. I don't remember the exact result, but assuming my calculations were correct, it was on the order of "a modest stack of multi-terabyte disks". In my opinion, that places it within the "organized criminals could do it" range.)

Related Solutions

Linux – Trying to understand LUKS encryption

1a - it really doesn't matter all that much. which ever hash you use for the key derivation function, LUKS makes sure it will be computationally expensive. It will simply loop it until 1 second real time has passed.

1b - the key derivation method has no influence on performance. the cipher itself does. cryptsetup benchmark shows you as much.

2 - AES is the fastest if your CPU is modern enough to support AES-NI instructions (hardware acceleration for AES). If you go with serpent now you may not be able to utilize the AES-NI of your next laptop.

# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1      1165084 iterations per second
PBKDF2-sha256     781353 iterations per second
PBKDF2-sha512     588426 iterations per second
PBKDF2-ripemd160  726160 iterations per second
PBKDF2-whirlpool  261882 iterations per second
#  Algorithm | Key |  Encryption |  Decryption
     aes-cbc   128b   692.9 MiB/s  3091.3 MiB/s
 serpent-cbc   128b    94.6 MiB/s   308.6 MiB/s
 twofish-cbc   128b   195.2 MiB/s   378.7 MiB/s
     aes-cbc   256b   519.5 MiB/s  2374.0 MiB/s
 serpent-cbc   256b    96.5 MiB/s   311.3 MiB/s
 twofish-cbc   256b   197.9 MiB/s   378.0 MiB/s
     aes-xts   256b  2630.6 MiB/s  2714.8 MiB/s
 serpent-xts   256b   310.4 MiB/s   303.8 MiB/s
 twofish-xts   256b   367.4 MiB/s   376.6 MiB/s
     aes-xts   512b  2048.6 MiB/s  2076.1 MiB/s
 serpent-xts   512b   317.0 MiB/s   304.2 MiB/s
 twofish-xts   512b   368.7 MiB/s   377.0 MiB/s

Keep in mind this benchmark does not use storage so you should verify these results with whatever storage and filesystem you are actually going to use.

OpenSSL fetches different SSL certificate than the one obtained via a browser

Why is OpenSSL fetching a different certificate?

s_client by default does not send SNI (Server Name Indication) data but a browser does. The server may choose to respond with a different certificate based on the contents of that SNI - or if no SNI is present then it will serve a default certificate. Try adding -servername api.paczkomaty.pl to your s_client command line

Best Answer

Related Solutions

Linux – Trying to understand LUKS encryption

OpenSSL fetches different SSL certificate than the one obtained via a browser

Related Question