What are SHA-rounds?












14















I understand more sha-rounds make it difficult to bruteforce the hashed password in /etc/shadow. Higher rounds also use more CPU processing when executing sudo commands and logging into the Unix account. But what are sha-rounds really? The chpasswd manual doesn't really give a technical definition of sha-rounds.



-s, --sha-rounds ROUNDS
Use the specified number of rounds to encrypt the passwords.

The value 0 means that the system will choose the default number of rounds for the crypt method (5000).

A minimal value of 1000 and a maximal value of 999,999,999 will be enforced.

You can only use this option with the SHA256 or SHA512 crypt method.

By default, the number of rounds is defined by the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in /etc/login.defs.


The SHA-2 wiki doesn't really say either:



SHA-256 and SHA-512 ... use different shift amounts and additive constants, but their structures are otherwise virtually identical, differing only in the number of rounds.


In both the chpasswd manual and SHA-2 wiki, there isn't enough context to determine what "sha-rounds" are or how they relate to SHA512.










      passwords hash sha






      asked yesterday by user201199 (edited yesterday by Gilles)

          3 Answers


















          19














          What the manual is referring to as rounds is probably better called iterations. While it is true that the SHA-2 function internally has a fixed number of rounds (64 or 80, depending on which hash is used), that is not what this manual is talking about. In order to make hashed passwords more secure, programs will often put the password through a KDF function such as PBKDF2, which runs a single hash function many times over to slow down brute force attacks. This is what "rounds" refers to in this context. The higher the round number, the longer it takes for a password to be processed and the more secure it is.






          answered yesterday by forest (edited yesterday)





















          • (2) Unix systems typically don't use PBKDF2, but a construction based on the same principle (iterated salted hash) with slightly different plumbing. – Gilles, yesterday

          • @Gilles I think modern systems with PAM use PBKDF2. I'll fix my answer though. Thanks. – forest, yesterday

          • (4) Changing the password algorithm breaks backward compatibility. AFAIK glibc's crypt(3) doesn't do PBKDF2. While PBKDF2 has a slight benefit over SHAcrypt, the benefit isn't enough to justify the engineering and UX cost of upgrading. I think Unix systems will eventually move directly towards Argon2. – Gilles, yesterday

          • (1) @Croll The iteration count can be stored along with the salt and hash. – kasperd, yesterday

          • (3) @CubicleSoft The answer is correct, it's just an unfortunate use of the same word with a slightly different meaning. As the answer says, iterations would be a better description. Most modern password hashes instead use a cost which is logarithmic to the iteration count. – AndrolGenhald, yesterday



















          12














          Secure systems don't store passwords directly, or even in encrypted form, but as salted, slow hashes. See How to securely hash passwords? for more details.



          The goal of using a hashing mechanism rather than encryption is to make it impossible to go back from the password hash (what's stored in /etc/shadow) to the password itself, except with the “trivial” method of guessing a password, calculating the corresponding hash and comparing it with the database entry. The goal of making the hash calculation slow is to slow down such brute force attempts.



          One common way of constructing a slow hash is to take an ordinary cryptographic hash function such as SHA-256 or SHA-512 and to run it many times: basically SHA-256(SHA-256(…(SHA-256(salt + password)))). (That's not the actual calculation, I'm just showing the relevant aspect here.) Because it's impossible to find x given SHA-256(x) short of guessing x itself and verifying the guess by calculating SHA-256(guess), it's impossible to find password given its iterating hash short of making a guess and verifying it. This is what most Unix systems use today, using a method sometimes called SHAcrypt (but it doesn't really have a commonly-used name). PBKDF2 is a better-known name; it's a very similar scheme, built upon the same principle of iterating a hash function multiple times but with a slightly different construction.



          What the documentation of chpasswd calls “number of SHA rounds” is the number of times that the salted-iterated-SHA2 construction calls the hash function. This is more commonly called “number of iterations”.



          Some cryptographic primitives including SHA-256 and SHA-512 are described as using multiple rounds internally, but this has nothing to do with the use of the word “rounds” in the documentation of chpasswd. SHAcrypt uses the standard hash function (SHA-256 or SHA-512) as a black box, and calls it multiple times.
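
An added illustration, not part of the answer above and not the real SHAcrypt algorithm: the first half reads the effective round count out of a `$5$`/`$6$` crypt(3) string (optional `rounds=N` field, manual's default of 5000 and its 1000 to 999,999,999 limits) and flags shadow entries below a policy floor; the second half is the answer's simplified nested-hash picture, counting hash calls per check. Function names, the sample shadow lines and the 100000 floor are assumptions made for this example.

```python
import hashlib
import hmac
import re

DEFAULT_ROUNDS = 5000                        # default quoted in the chpasswd manual
MIN_ROUNDS, MAX_ROUNDS = 1000, 999_999_999   # limits quoted in the chpasswd manual
METHODS = {"5": "sha256", "6": "sha512"}     # crypt(3) ids for SHA-256 / SHA-512 crypt

# $id$[rounds=N$]salt$hash ; the rounds field is optional in the stored string
SHA_CRYPT = re.compile(
    r"\$(?P<id>[56])\$(?:rounds=(?P<rounds>[0-9]+)\$)?"
    r"(?P<salt>[^$:]{0,16})\$(?P<hash>[./0-9A-Za-z]+)"
)


def effective_rounds(crypt_field):
    """Return (method, rounds) for a $5$ / $6$ crypt string, else None."""
    match = SHA_CRYPT.fullmatch(crypt_field)
    if match is None:
        return None                          # locked ("!", "*"), other scheme, malformed
    rounds = DEFAULT_ROUNDS
    if match.group("rounds") is not None:
        # Out-of-range requests are clamped to the enforced limits.
        rounds = max(MIN_ROUNDS, min(MAX_ROUNDS, int(match.group("rounds"))))
    return METHODS[match.group("id")], rounds


def audit_shadow(lines, minimum):
    """List (user, method, rounds) for entries whose rounds are below `minimum`."""
    weak = []
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) < 2:
            continue
        info = effective_rounds(fields[1])
        if info is not None and info[1] < minimum:
            weak.append((fields[0], info[0], info[1]))
    return weak


def iterated_hash(password, salt, rounds, method="sha512"):
    """Simplified H(H(...H(salt + password))) from the answer; NOT real SHAcrypt."""
    digest = hashlib.new(method, salt + password).digest()
    calls = 1
    while calls < rounds:
        digest = hashlib.new(method, digest).digest()   # feed the output back in
        calls += 1
    return digest, calls


def check_guess(guess, salt, rounds, stored_digest, method="sha512"):
    """Verify a candidate password; every check costs `rounds` hash calls."""
    digest, calls = iterated_hash(guess, salt, rounds, method)
    return hmac.compare_digest(digest, stored_digest), calls


# Constructed sample entries (salts and hashes are placeholders, not real hashes).
SAMPLE_SHADOW = [
    "alice:$6$saltAAAA$CONSTRUCTEDHASH:19000:0:99999:7:::",               # default rounds
    "bob:$6$rounds=656000$saltBBBB$CONSTRUCTEDHASH:19000:0:99999:7:::",
    "carol:$5$rounds=100$saltCCCC$CONSTRUCTEDHASH:19000:0:99999:7:::",    # clamped
    "daemon:*:19000:0:99999:7:::",                                        # no password hash
]

if __name__ == "__main__":
    for user, method, rounds in audit_shadow(SAMPLE_SHADOW, minimum=100_000):
        print(f"{user}: {method} with {rounds} rounds is below the policy floor")
    stored, _ = iterated_hash(b"correct horse", b"saltAAAA", DEFAULT_ROUNDS)
    print(check_guess(b"wrong guess", b"saltAAAA", DEFAULT_ROUNDS, stored))
```
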







































            -2














            A round is an iteration through the hash routine. To do two rounds, you take the results of running the data through the hash once, and put that hash result into the hash function.



            As far as the detail you want, that's currently on the Wikipedia SHA-2 page. SHA1 does 80 rounds, SHA2-224 and SHA2-256 do 64 rounds, and SHA2-384 and SHA2-512 do 80 rounds again. SHA3, regardless of whether it's 224, 256, 384, or 512 bit mode, will do 24 rounds, but it's a completely different algorithm, so the number of rounds isn't directly comparable.



            If you want to make your hash routine slower in a way that requires anyone attacking to do the same, you can trivially do that by feeding the output from an existing cryptographically secure hashing routine back into that routine. Doing that for SHA2-512 would increase the rounds from 80 to 160. Of course, you could also discount the internal rounds and just consider one pass through the overall SHA-512 routine to be one round.

























            • (5) I think OP is asking about PBKDF2 rounds, not hash function rounds. – forest, yesterday

            • (6) The fact that algorithms such as SHA-2 and SHA-3 can be described in terms of rounds internally has nothing to do with what you can tune with chpasswd. That's about calling the hash function multiple times. – Gilles, yesterday











            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "162"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });






            user201199 is a new contributor. Be nice, and check out our Code of Conduct.










            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f204813%2fwhat-are-sha-rounds%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            3 Answers
            3






            active

            oldest

            votes








            3 Answers
            3






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            19














            What the manual is referring to as rounds is probably better called iterations. While it is true that the SHA-2 function internally has a fixed number of rounds (64 or 80, depending on which hash is used), that is not what this manual is talking about. In order to make hashed passwords more secure, programs will often put the password through a KDF function such as PBKDF2, which runs a single hash function many times over to slow down brute force attacks. This is what "rounds" refers to in this context. The higher the round number, the longer it takes for a password to be processed and the more secure it is.






            share|improve this answer





















            • 2





              Unix systems typically don't use PBKDF2, but a construction based on the same principle (iterated salted hash) with slightly different plumbing.

              – Gilles
              yesterday











            • @Gilles I think modern systems with PAM use PBKDF2. I'll fix my answer though. Thanks.

              – forest
              yesterday






            • 4





              Changing the password algorithm breaks backward compatibility. AFAIK glibc's crypt(3) doesn't do PBKDF2. While PBKDF2 has a slight benefit over SHAcrypt, the benefit isn't enough to justify the engineering and UX cost of upgrading. I think Unix systems will eventually move directly towards Argon2.

              – Gilles
              yesterday






            • 1





              @Croll The iteration count can be stored along with the salt and hash.

              – kasperd
              yesterday






            • 3





              @CubicleSoft The answer is correct, it's just an unfortunate use of the same word with a slightly different meaning. As the answer says, iterations would be a better description. Most modern password hashes instead use a cost which is logarithmic to the iteration count.

              – AndrolGenhald
              yesterday
















            19














            What the manual is referring to as rounds is probably better called iterations. While it is true that the SHA-2 function internally has a fixed number of rounds (64 or 80, depending on which hash is used), that is not what this manual is talking about. In order to make hashed passwords more secure, programs will often put the password through a KDF function such as PBKDF2, which runs a single hash function many times over to slow down brute force attacks. This is what "rounds" refers to in this context. The higher the round number, the longer it takes for a password to be processed and the more secure it is.






            share|improve this answer





















            • 2





              Unix systems typically don't use PBKDF2, but a construction based on the same principle (iterated salted hash) with slightly different plumbing.

              – Gilles
              yesterday











            • @Gilles I think modern systems with PAM use PBKDF2. I'll fix my answer though. Thanks.

              – forest
              yesterday






            • 4





              Changing the password algorithm breaks backward compatibility. AFAIK glibc's crypt(3) doesn't do PBKDF2. While PBKDF2 has a slight benefit over SHAcrypt, the benefit isn't enough to justify the engineering and UX cost of upgrading. I think Unix systems will eventually move directly towards Argon2.

              – Gilles
              yesterday






            • 1





              @Croll The iteration count can be stored along with the salt and hash.

              – kasperd
              yesterday






            • 3





              @CubicleSoft The answer is correct, it's just an unfortunate use of the same word with a slightly different meaning. As the answer says, iterations would be a better description. Most modern password hashes instead use a cost which is logarithmic to the iteration count.

              – AndrolGenhald
              yesterday














            19












            19








            19







            What the manual is referring to as rounds is probably better called iterations. While it is true that the SHA-2 function internally has a fixed number of rounds (64 or 80, depending on which hash is used), that is not what this manual is talking about. In order to make hashed passwords more secure, programs will often put the password through a KDF function such as PBKDF2, which runs a single hash function many times over to slow down brute force attacks. This is what "rounds" refers to in this context. The higher the round number, the longer it takes for a password to be processed and the more secure it is.






            share|improve this answer















            What the manual is referring to as rounds is probably better called iterations. While it is true that the SHA-2 function internally has a fixed number of rounds (64 or 80, depending on which hash is used), that is not what this manual is talking about. In order to make hashed passwords more secure, programs will often put the password through a KDF function such as PBKDF2, which runs a single hash function many times over to slow down brute force attacks. This is what "rounds" refers to in this context. The higher the round number, the longer it takes for a password to be processed and the more secure it is.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited yesterday

























            answered yesterday









            forestforest

            37.5k17120134




            37.5k17120134








            • 2





              Unix systems typically don't use PBKDF2, but a construction based on the same principle (iterated salted hash) with slightly different plumbing.

              – Gilles
              yesterday











            • @Gilles I think modern systems with PAM use PBKDF2. I'll fix my answer though. Thanks.

              – forest
              yesterday






            • 4





              Changing the password algorithm breaks backward compatibility. AFAIK glibc's crypt(3) doesn't do PBKDF2. While PBKDF2 has a slight benefit over SHAcrypt, the benefit isn't enough to justify the engineering and UX cost of upgrading. I think Unix systems will eventually move directly towards Argon2.

              – Gilles
              yesterday






            • 1





              @Croll The iteration count can be stored along with the salt and hash.

              – kasperd
              yesterday






            • 3





              @CubicleSoft The answer is correct, it's just an unfortunate use of the same word with a slightly different meaning. As the answer says, iterations would be a better description. Most modern password hashes instead use a cost which is logarithmic to the iteration count.

              – AndrolGenhald
              yesterday














            • 2





              Unix systems typically don't use PBKDF2, but a construction based on the same principle (iterated salted hash) with slightly different plumbing.

              – Gilles
              yesterday











            • @Gilles I think modern systems with PAM use PBKDF2. I'll fix my answer though. Thanks.

              – forest
              yesterday






            • 4





              Changing the password algorithm breaks backward compatibility. AFAIK glibc's crypt(3) doesn't do PBKDF2. While PBKDF2 has a slight benefit over SHAcrypt, the benefit isn't enough to justify the engineering and UX cost of upgrading. I think Unix systems will eventually move directly towards Argon2.

              – Gilles
              yesterday






            • 1





              @Croll The iteration count can be stored along with the salt and hash.

              – kasperd
              yesterday






            • 3





              @CubicleSoft The answer is correct, it's just an unfortunate use of the same word with a slightly different meaning. As the answer says, iterations would be a better description. Most modern password hashes instead use a cost which is logarithmic to the iteration count.

              – AndrolGenhald
              yesterday








            2




            2





            Unix systems typically don't use PBKDF2, but a construction based on the same principle (iterated salted hash) with slightly different plumbing.

            – Gilles
            yesterday





            Unix systems typically don't use PBKDF2, but a construction based on the same principle (iterated salted hash) with slightly different plumbing.

            – Gilles
            yesterday













            @Gilles I think modern systems with PAM use PBKDF2. I'll fix my answer though. Thanks.

            – forest
            yesterday





            @Gilles I think modern systems with PAM use PBKDF2. I'll fix my answer though. Thanks.

            – forest
            yesterday




            4




            4





            Changing the password algorithm breaks backward compatibility. AFAIK glibc's crypt(3) doesn't do PBKDF2. While PBKDF2 has a slight benefit over SHAcrypt, the benefit isn't enough to justify the engineering and UX cost of upgrading. I think Unix systems will eventually move directly towards Argon2.

            – Gilles
            yesterday





            Changing the password algorithm breaks backward compatibility. AFAIK glibc's crypt(3) doesn't do PBKDF2. While PBKDF2 has a slight benefit over SHAcrypt, the benefit isn't enough to justify the engineering and UX cost of upgrading. I think Unix systems will eventually move directly towards Argon2.

            – Gilles
            yesterday




            1




            1





            @Croll The iteration count can be stored along with the salt and hash.

            – kasperd
            yesterday





            @Croll The iteration count can be stored along with the salt and hash.

            – kasperd
            yesterday




            3




            3





            @CubicleSoft The answer is correct, it's just an unfortunate use of the same word with a slightly different meaning. As the answer says, iterations would be a better description. Most modern password hashes instead use a cost which is logarithmic to the iteration count.

            – AndrolGenhald
            yesterday





            @CubicleSoft The answer is correct, it's just an unfortunate use of the same word with a slightly different meaning. As the answer says, iterations would be a better description. Most modern password hashes instead use a cost which is logarithmic to the iteration count.

            – AndrolGenhald
            yesterday













            12














            Secure systems don't store passwords directly, or even in encrypted form, but as salted, slow hashes. See How to securely hash passwords? for more details.



            The goal of using a hashing mechanism rather than encryption is to make it impossible to go back from the password hash (what's stored in /etc/shadow) to the password itself, except with the “trivial” method of guessing a password, calculating the corresponding hash and comparing it with the database entry. The goal of making the hash calculation slow is to slow down such brute force attempts.



            One common way of constructing a slow hash is to take an ordinary cryptographic hash function such as SHA-256 or SHA-512 and to run it many times: basically SHA-256(SHA-256(…(SHA-256(salt + password)))). (That's not the actual calculation, I'm just showing the relevant aspect here.) Because it's impossible to find x given SHA-256(x) short of guessing x itself and verifying the guess by calculating SHA-256(guess), it's impossible to find password given its iterating hash short of making a guess and verifying it. This is what most Unix systems use today, using a method sometimes called SHAcrypt (but it doesn't really have a commonly-used name). PBKDF2 is a better-known name; it's a very similar scheme, built upon the same principle of iterating a hash function multiple times but with a slightly different construction.



            What the documentation of chpasswd calls “number of SHA rounds” is the number of times that the salted-iterated-SHA2 construction calls the hash function. This is more commonly called “number of iterations”.



            Some cryptographic primitives including SHA-256 and SHA-512 are described as using multiple rounds internally, but this has nothing to do with the use of the word “rounds” in the documentation of chpasswd. SHAcrypt uses the standard hash function (SHA-256 or SHA-512) as a black box, and calls it multiple times.






            share|improve this answer






























              12














              Secure systems don't store passwords directly, or even in encrypted form, but as salted, slow hashes. See How to securely hash passwords? for more details.



              The goal of using a hashing mechanism rather than encryption is to make it impossible to go back from the password hash (what's stored in /etc/shadow) to the password itself, except with the “trivial” method of guessing a password, calculating the corresponding hash and comparing it with the database entry. The goal of making the hash calculation slow is to slow down such brute force attempts.



              One common way of constructing a slow hash is to take an ordinary cryptographic hash function such as SHA-256 or SHA-512 and to run it many times: basically SHA-256(SHA-256(…(SHA-256(salt + password)))). (That's not the actual calculation, I'm just showing the relevant aspect here.) Because it's impossible to find x given SHA-256(x) short of guessing x itself and verifying the guess by calculating SHA-256(guess), it's impossible to find password given its iterating hash short of making a guess and verifying it. This is what most Unix systems use today, using a method sometimes called SHAcrypt (but it doesn't really have a commonly-used name). PBKDF2 is a better-known name; it's a very similar scheme, built upon the same principle of iterating a hash function multiple times but with a slightly different construction.



              What the documentation of chpasswd calls “number of SHA rounds” is the number of times that the salted-iterated-SHA2 construction calls the hash function. This is more commonly called “number of iterations”.



              Some cryptographic primitives including SHA-256 and SHA-512 are described as using multiple rounds internally, but this has nothing to do with the use of the word “rounds” in the documentation of chpasswd. SHAcrypt uses the standard hash function (SHA-256 or SHA-512) as a black box, and calls it multiple times.






              share|improve this answer




























                12












                12








                12







                Secure systems don't store passwords directly, or even in encrypted form, but as salted, slow hashes. See How to securely hash passwords? for more details.



                The goal of using a hashing mechanism rather than encryption is to make it impossible to go back from the password hash (what's stored in /etc/shadow) to the password itself, except with the “trivial” method of guessing a password, calculating the corresponding hash and comparing it with the database entry. The goal of making the hash calculation slow is to slow down such brute force attempts.



                One common way of constructing a slow hash is to take an ordinary cryptographic hash function such as SHA-256 or SHA-512 and to run it many times: basically SHA-256(SHA-256(…(SHA-256(salt + password)))). (That's not the actual calculation, I'm just showing the relevant aspect here.) Because it's impossible to find x given SHA-256(x) short of guessing x itself and verifying the guess by calculating SHA-256(guess), it's impossible to find password given its iterating hash short of making a guess and verifying it. This is what most Unix systems use today, using a method sometimes called SHAcrypt (but it doesn't really have a commonly-used name). PBKDF2 is a better-known name; it's a very similar scheme, built upon the same principle of iterating a hash function multiple times but with a slightly different construction.



                What the documentation of chpasswd calls “number of SHA rounds” is the number of times that the salted-iterated-SHA2 construction calls the hash function. This is more commonly called “number of iterations”.



                Some cryptographic primitives including SHA-256 and SHA-512 are described as using multiple rounds internally, but this has nothing to do with the use of the word “rounds” in the documentation of chpasswd. SHAcrypt uses the standard hash function (SHA-256 or SHA-512) as a black box, and calls it multiple times.






                answered yesterday by Gilles
                edited yesterday by forest
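The distinction drawn in the answer above, as an added example that is not part of the original answers and is not the shadow-utils or libc code: the function names, the policy threshold and the sample shadow lines are assumptions made for illustration, and `iterated_hash` is a simplified stand-in for the real SHAcrypt mixing. It counts calls to SHA-512 as a black box, applies the limits quoted from the chpasswd manual, and reads the iteration count back out of `$5$`/`$6$` password fields.

```python
import hashlib

# Values quoted from the chpasswd manual: default, enforced minimum and maximum.
DEFAULT_ROUNDS, MIN_ROUNDS, MAX_ROUNDS = 5000, 1000, 999_999_999

def effective_rounds(option):
    """Rounds actually used for a --sha-rounds value: 0 means default, else clamp."""
    if option == 0:
        return DEFAULT_ROUNDS
    return max(MIN_ROUNDS, min(MAX_ROUNDS, option))

def iterated_hash(password, salt, rounds):
    """Simplified iterated hash (NOT the real SHAcrypt mixing).
    Returns (digest, number of calls made to the SHA-512 black box)."""
    calls = 0
    state = salt + password
    for _ in range(rounds):
        state = hashlib.sha512(state).digest()   # one "round" = one full SHA-512 call
        calls += 1
    return state, calls

def stored_rounds(hash_field):
    """Iteration count recorded in a $5$ / $6$ password field of /etc/shadow."""
    parts = hash_field.split("$")        # "", id, then "rounds=N" or the salt
    if len(parts) < 4 or parts[1] not in ("5", "6"):
        return None                      # locked account or another scheme
    if parts[2].startswith("rounds="):
        return int(parts[2][len("rounds="):])
    return DEFAULT_ROUNDS                # no rounds= element: the default was used

def accounts_below(shadow_text, policy_min):
    """Names of accounts whose stored iteration count is under policy_min."""
    weak = []
    for line in shadow_text.splitlines():
        name, field = line.split(":")[:2]
        rounds = stored_rounds(field)
        if rounds is not None and rounds < policy_min:
            weak.append(name)
    return weak

# Constructed sample; salts and hashes are placeholders, not real values.
SAMPLE_SHADOW = """alice:$6$rounds=100000$SALTSALT$HASHPLACEHOLDER:19000:0:99999:7:::
bob:$6$SALTSALT$HASHPLACEHOLDER:19000:0:99999:7:::
carol:$5$rounds=20000$SALTSALT$HASHPLACEHOLDER:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::"""

if __name__ == "__main__":
    print(effective_rounds(0), effective_rounds(10), iterated_hash(b"pw", b"salt", 5000)[1])
    print(accounts_below(SAMPLE_SHADOW, 50000))
```

A field without a `rounds=` element reports the default of 5000, which is why an account created without `--sha-rounds` falls under a stricter policy threshold even though nothing in its entry mentions rounds.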























                    -2














                    A round is an iteration through the hash routine. To do two rounds, you take the results of running the data through the hash once, and put that hash result into the hash function.



                    As far as the detail you want, that's currently on the Wikipedia SHA-2 page. SHA1 does 80 rounds, SHA2-224 and SHA2-256 do 64 rounds, and SHA2-384 and SHA2-512 do 80 rounds again. SHA3, regardless of whether it's 224, 256, 384, or 512 bit mode, will do 24 rounds, but it's a completely different algorithm, so the number of rounds isn't directly comparable.



                    If you want to make your hash routine slower in a way that requires anyone attacking to do the same, you can trivially do that by feeding the output from an existing cryptographically secure hashing routine back into that routine. Doing that for SHA2-512 would increase the rounds from 80 to 160. Of course, you could also discount the internal rounds and just consider one pass through the overall SHA-512 routine to be one round.






                    answered yesterday by Ed Grimm

                    • 5
                      I think OP is asking about PBKDF2 rounds, not hash function rounds.
                      – forest
                      yesterday

                    • 6
                      The fact that algorithms such as SHA-2 and SHA-3 can be described in terms of rounds internally has nothing to do with what you can tune with chpasswd. That's about calling the hash function multiple times.
                      – Gilles
                      yesterday









