Functions for SCALARs or strings

One-way passwd-style encryption


  • crypt PLAINTEXT,SALT

    Creates a digest string exactly like the crypt(3) function in the C library (assuming that you actually have a version there that has not been extirpated as a potential munition).

    crypt() is a one-way hash function. The PLAINTEXT and SALT are turned into a short string, called a digest, which is returned. The same PLAINTEXT and SALT will always return the same string, but there is no (known) way to get the original PLAINTEXT from the hash. Small changes in the PLAINTEXT or SALT will result in large changes in the digest.

    There is no decrypt function. This function isn't all that useful for cryptography (for that, look for Crypt modules on your nearby CPAN mirror) and the name "crypt" is a bit of a misnomer. Instead it is primarily used to check if two pieces of text are the same without having to transmit or store the text itself. An example is checking if a correct password is given. The digest of the password is stored, not the password itself. The user types in a password that is crypt()'d with the same salt as the stored digest. If the two digests match, the password is correct.

    When verifying an existing digest string you should use the digest as the salt (like crypt($plain, $digest) eq $digest). The SALT used to create the digest is visible as part of the digest. This ensures crypt() will hash the new string with the same salt as the digest. This allows your code to work with the standard crypt and with more exotic implementations. In other words, assume nothing about the returned string itself nor about how many bytes of SALT may matter.

    Traditionally the result is a string of 13 bytes: two first bytes of the salt, followed by 11 bytes from the set [./0-9A-Za-z], and only the first eight bytes of PLAINTEXT mattered. But alternative hashing schemes (like MD5), higher level security schemes (like C2), and implementations on non-Unix platforms may produce different strings.

    When choosing a new salt create a random two character string whose characters come from the set [./0-9A-Za-z] (like join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64]). This set of characters is just a recommendation; the characters allowed in the salt depend solely on your system's crypt library, and Perl can't restrict what salts crypt() accepts.

    Here's an example that makes sure that whoever runs this program knows their password:

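        # Stored digest for the real user ID running the program
        $pwd = (getpwuid($<))[1];

        # Read the password with terminal echo turned off
        system "stty -echo";
        print "Password: ";
        chomp($word = <STDIN>);
        print "\n";
        system "stty echo";

        # Use the stored digest as the salt and compare the results
        if (crypt($word, $pwd) ne $pwd) {
            die "Sorry...\n";
        } else {
            print "ok\n";
        }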

    Of course, typing in your own password to whoever asks you for it is unwise.

    The crypt function is unsuitable for hashing large quantities of data, not least of all because you can't get the information back. Look at the Digest module for more robust algorithms.

    If using crypt() on a Unicode string (which potentially has characters with codepoints above 255), Perl tries to make sense of the situation by trying to downgrade (a copy of) the string back to an eight-bit byte string before calling crypt() (on that copy). If that works, good. If not, crypt() dies with "Wide character in crypt".

    Portability issues: crypt in perlport.
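
The salt, verification and Unicode advice above, as an added example that is not part of the perldoc text. The helper names are hypothetical, and it assumes the system's crypt library accepts a two-character salt. It goes one step beyond the text by hashing the UTF-8 bytes of the password, so digests of non-ASCII passwords differ from ones made on the raw string.

```perl
# Added example; helper names are hypothetical, sample inputs are constructed.
use strict;
use warnings;
use Encode qw(encode);

# Recommended salt alphabet from the text above.
my @SALT_CHARS = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Hash the UTF-8 bytes so characters above 255 cannot raise
# "Wide character in crypt". Returns undef if crypt() gives nothing back.
sub crypt_bytes {
    my ($plain, $salt) = @_;
    return crypt(encode('UTF-8', $plain), $salt);
}

# Verify by passing the stored digest as the salt; assume nothing about its
# length or layout.
sub verify_password {
    my ($plain, $stored) = @_;
    return 0 unless defined $stored && length $stored;
    my $got = crypt_bytes($plain, $stored);
    return (defined $got && $got eq $stored) ? 1 : 0;
}

# Create a digest with a fresh two-character salt, then confirm it verifies
# before it is stored. A crypt library that rejects the salt fails this check.
sub set_password {
    my ($plain) = @_;
    my $salt   = join '', @SALT_CHARS[ rand(64), rand(64) ];
    my $digest = crypt_bytes($plain, $salt);
    die "crypt() did not produce a usable digest\n"
        unless verify_password($plain, $digest);
    return $digest;
}

# Does this system's scheme ignore everything after the first eight bytes?
sub truncates_at_8 {
    return verify_password('12345678-other', set_password('12345678-first'));
}

my $password = "caf\x{e9} \x{263a} passphrase";    # constructed sample input
my $digest   = eval { set_password($password) };
if (!defined $digest) { print "crypt unusable with a 2-char salt: $@"; exit 0 }

print "digest:            $digest\n";
print "correct password:  ", verify_password($password, $digest), "\n";
print "wrong password:    ", verify_password('guess', $digest), "\n";
print "8-byte truncation: ", truncates_at_8(), "\n";
```

A 1 on the last line means the system's crypt is the traditional scheme described above, where only the first eight bytes of PLAINTEXT matter.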

 
Source : perldoc.perl.org - Official documentation for the Perl programming language
Site maintained by Jon Allen (JJ)     See the project page for more details
Documentation maintained by the Perl 5 Porters