(Basically I re-implemented a subset of the Alto file system using the raw disk.)Įrasing the password flag in this block makes the disk bootable without the password.Īfter implementing this, I realized there's a short cut. So once we've found the first block, we can follow the pointer to find the second block. In the Alto file system, each disk block has pointers to the previous and next block. The file system stores a directory as the name of each file along with the disk address of the file's first block.īy reading the directory as raw data and interpreting it, we can find the location of sys.boot. The tricky part is finding where this word is on disk. The password protection can be disabled by clearing the flag word inside sys.boot, which is the 128th word in the second block of sys.boot. The next four words are the salt, and the final four words are the password hash itself. If the password flag is set, the boot program requires a password before proceeding. The first word is a flag indicating if the disk is password protected. The Alto boots from disk by running the file sys.boot this file decides if a password is required for boot, based on the 9-word password vector stored inside the file. There's a way to disable the password on disk, gaining access to the file system. x is a one-word value generated from the password string and y is a two-word value from the password string, both generated byĬoncatenating characters from the password. Where a is the time salt and b is the user name salt. The Alto's password hash algorithm is pretty simple: 4 The password hash is 4 words (64 bits) long. The Alto uses four words of salt with the password (two words based on the password creation time and two words based on the user name). The source code for the Alto's password algorithm reveals how the password hashing is implemented. Like Unix, the Alto used salted and hashed passwords. (Of course you need to store the salt along with the hash in order to check passwords.) 2 Since different users will have different salt, the hashes will be different even if the passwords are the same. One problem with hashed passwords is if two users have the same hash, then you know they have the same password.Ī solution (invented in Unix) is to hash some random bytes (called salt) along with the password to yield the stored hash. And if anyone sees the hash, there's no easy way to get the password back. When the user inputs a password, you hash it through the same function and compare the hashes. Instead of storing the password, you hash the password through a cryptographic one-way function and store the hash. Most systems use a solution invented by Roger Needham in 1967. Storing passwords in plain text is a very bad idea, since anyone who can access the file can see the password. Password protection is described in the Alto User's Handbook page 5.
0 Comments
Leave a Reply. |