17

I understand more sha-rounds make it difficult to bruteforce the hashed password in /etc/shadow. Higher rounds also use more CPU processing when executing sudo commands and logging into the Unix account. But what are sha-rounds really? The chpasswd manual doesn't really give a technical definition of sha-rounds.

-s, --sha-rounds ROUNDS
           Use the specified number of rounds to encrypt the passwords.

           The value 0 means that the system will choose the default number of rounds for the crypt method (5000).

           A minimal value of 1000 and a maximal value of 999,999,999 will be enforced.

           You can only use this option with the SHA256 or SHA512 crypt method.

           By default, the number of rounds is defined by the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in /etc/login.defs.

The SHA-2 wiki doesn't really say either:

SHA-256 and SHA-512 ... use different shift amounts and additive constants, but their structures are otherwise virtually identical, differing only in the number of rounds.

In both the chpasswd manual and SHA-2 wiki, there isn't enough context to determine what "sha-rounds" are or how they relate to SHA512.

Gilles 'SO- stop being evil'
  • 51,415
  • 13
  • 121
  • 180
user201199
  • 179
  • 1
  • 1
  • 3

2 Answers2

21

What the manual is referring to as rounds is probably better called iterations. While it is true that the SHA-2 function internally has a fixed number of rounds (64 or 80, depending on which hash is used), that is not what this manual is talking about. In order to make hashed passwords more secure, programs will often put the password through a KDF function such as PBKDF2, which runs a single hash function many times over to slow down brute force attacks. This is what "rounds" refers to in this context. The higher the round number, the longer it takes for a password to be processed and the more secure it is.

forest
  • 65,613
  • 20
  • 208
  • 262
  • 2
    Unix systems typically don't use PBKDF2, but a construction based on the same principle (iterated salted hash) with slightly different plumbing. – Gilles 'SO- stop being evil' Mar 06 '19 at 07:18
  • @Gilles I think modern systems with PAM use PBKDF2. I'll fix my answer though. Thanks. – forest Mar 06 '19 at 07:21
  • 5
    Changing the password algorithm breaks backward compatibility. AFAIK glibc's `crypt(3)` doesn't do PBKDF2. While [PBKDF2 has a slight benefit over SHAcrypt](https://security.stackexchange.com/a/133309), the benefit isn't enough to justify the engineering and UX cost of upgrading. I think Unix systems will eventually move directly towards Argon2. – Gilles 'SO- stop being evil' Mar 06 '19 at 07:38
  • If you create password with an unusual number of iterations, how system finds out that it will need this exact number of iterations later to verify entered password? – Croll Mar 06 '19 at 10:02
  • 1
    @Croll The iteration count can be stored along with the salt and hash. – kasperd Mar 06 '19 at 10:18
  • "Rounds" should be referring to a very specific portion of a cryptographic primitive. SHA variants use what is known as a Feistel network to perform hashing. For instance, SHA-1 (https://en.wikipedia.org/wiki/SHA-1) *by default* uses 80 rounds through its Feistel network. What this option should be doing is alter the algorithm and let the user configure the number of rounds within the algorithm itself and has a minimum of 1000 rounds. This answer doesn't make sense given the context. – CubicleSoft Mar 06 '19 at 14:21
  • 3
    @CubicleSoft The answer is correct, it's just an unfortunate use of the same word with a slightly different meaning. As the answer says, _iterations_ would be a better description. Most modern password hashes instead use a _cost_ which is logarithmic to the iteration count. – AndrolGenhald Mar 06 '19 at 14:46
  • @kasperd i asked about how things really are if you use this option. You say "can be" so i assume you don't know the situation? – Croll Mar 07 '19 at 12:03
  • @Croll Yes, it does store the iteration count. It is handled by PAM via `login.defs` and adds a `rounds=10000` (or whatever count you choose) to each line in the shadow file. – forest Mar 07 '19 at 12:10
  • @Croll I said *can be* because some password hash formats include an iteration count, some formats don't, and in some formats it is optional. – kasperd Mar 07 '19 at 23:42
  • @kasperd you are telling common truth, yeah, and i ask how system deals with different iterations count for different passwords since the same number of iterations is needed to verify password stored as hash. Without that info, the answer is incomplete. – Croll Mar 08 '19 at 13:29
13

Secure systems don't store passwords directly, or even in encrypted form, but as salted, slow hashes. See How to securely hash passwords? for more details.

The goal of using a hashing mechanism rather than encryption is to make it impossible to go back from the password hash (what's stored in /etc/shadow) to the password itself, except with the “trivial” method of guessing a password, calculating the corresponding hash and comparing it with the database entry. The goal of making the hash calculation slow is to slow down such brute force attempts.

One common way of constructing a slow hash is to take an ordinary cryptographic hash function such as SHA-256 or SHA-512 and to run it many times: basically SHA-256(SHA-256(…(SHA-256(salt + password)))). (That's not the actual calculation, I'm just showing the relevant aspect here.) Because it's impossible to find x given SHA-256(x) short of guessing x itself and verifying the guess by calculating SHA-256(guess), it's impossible to find password given its iterating hash short of making a guess and verifying it. This is what most Unix systems use today, using a method sometimes called SHAcrypt (but it doesn't really have a commonly-used name). PBKDF2 is a better-known name; it's a very similar scheme, built upon the same principle of iterating a hash function multiple times but with a slightly different construction.

What the documentation of chpasswd calls “number of SHA rounds” is the number of times that the salted-iterated-SHA2 construction calls the hash function. This is more commonly called “number of iterations”.

Some cryptographic primitives including SHA-256 and SHA-512 are described as using multiple rounds internally, but this has nothing to do with the use of the word “rounds” in the documentation of chpasswd. SHAcrypt uses the standard hash function (SHA-256 or SHA-512) as a black box, and calls it multiple times.

forest
  • 65,613
  • 20
  • 208
  • 262
Gilles 'SO- stop being evil'
  • 51,415
  • 13
  • 121
  • 180