Back | Next | Contents Cams Administrator's Guide

Password Digests

Cams login modules implement support for password digests, which are one-way hashes that securely store a password using industry standard hashing algorithms. When a user supplies a password for authentication, the Cams login module determines how the password in the user directory was hashed and then uses the same formula to hash the password to be validated. If the resulting digest is the same as the digest stored in the user directory, the user is authenticated.

Cams login modules provide supports for Unix Crypt, SHA (with and without salt), and MD5 (with and without salt) digests. Digests (or hashes) are designed to be irreversible, or at least prohibitively expensive to reverse. This is different from an encryption algorithm, which has a corresponding decryption algorithm that can recover the original cleartext. Also, adding random salt bytes to password hashes is recommended to thwart dictionary attacks (where a hacker uses a dictionary of many weak pre-hashed passwords to compare against passwords in a user directory).

Most encryption authorities today recommend use of the SHA algorithm with salt bytes. However, Unix Crypt and MD5 are in wide use and may be required for your site.

Cams Digest Strings

The supplied Cams login modules expect a password digest to be stored in a specific format referred to in this document as a digest string. The digest string format is also in use with popular directory servers such as OpenLDAP and SunOne. If this format does not meet your requirements, you can modify the supplied Cams login modules to work with other schemas and digest formats. For example, some directories store the salt bytes separate from the digest and others may Hex encode values instead of using base64 encoding.

For Cams login modules, a password value may consist of label followed by the base64 encoding of the password digest and the salt bytes (if any). If there is no label, the password is assumed to be cleartext. For example, the following values are all valid for the password camsrocks:

  • camsrocks (cleartext)
  • {CRYPT}gTkGUcByx84Po
  • {SSHA}4KCLUxbuEarx5kRgz3rvHiwX2p8QErePbD0b5dVmaADydegfkoOrCQ==
  • {SHA}8cM35Yp6h1KdnPqDbhUubTLpyy0=
  • {SMD5}PF031evCfhiSAiPsc5jp5+VDt85DVrMnnrt+oqQrFcCBtVBX
  • {MD5}Xfnjmz/dqKDWv/09OUwkRw==

where the label:

  • {CRYPT} - is Unix Crypt
  • {SSHA} - is SHA with salt
  • {SHA} - is SHA without salt
  • {SMD5} - is MD5 with salt
  • {MD5} - is MD5 without salt

The label is case-insensitive and for SHA and MD5 digests is followed by a base64 encoding of:

  1. the digest of:
    1. a password, followed by
    2. a random sequence of salt bytes (if any);
  2. followed by the same salt bytes (if any)

For Unix Crypt, the digest formula is simple the value produced by the Unix Crypt code. The formula for Cams SHA/MD5 digest strings is graphically depicted in Figure 1.

Figure 1 - The Cams SHA/MD5 digest string formula

Using a digest string as a stored password enables the Cams login module to determine the algorithm (if any) and salt bytes (if any) used to create stored valued. A user supplied password can then be hashed using the same algorithm (if any) and salt bytes (if any). If the result matches the value from the user directory, the user is authenticated.

NOTE: A web application is available on the Cafésoft web site that generates valid digest strings.

Back | Next | Contents