HP-UX Password Hashing Infrastructure B.11.23.01 Release Notes, Ed. E002
1 HP-UX Password Hashing Infrastructure B.11.23.01
The information in this document is for HP-UX Password Hashing Infrastructure (PHI) version
B.11.23.01 only.
1.1 HP-UX PHI Overview
HP-UX PHI enhances the security of HP-UX 11i version 2. HP-UX PHI provides a new
SHA512-based algorithm for user password hashes as an alternative to the traditional, DES-based
password hash algorithm.
Traditionally, authentication of users in HP-UX was done using the crypt function. For decades,
the crypt function has implemented a DES-based one-way function. Today, the output produced
by the crypt function is no longer considered non-reversible. Therefore, a new one-way function
is needed to maintain the security of users' passwords.
HP-UX PHI provides a set of new functions which are referred to as the crypt2 family of
functions. The crypt2 functions are a backward-compatible alternative to the legacy crypt
function. The crypt function itself is not modified. HP-UX PHI is only available on systems
with shadowed passwords.
1.2 HP-UX PHI Features
HP-UX PHI offers the following features:
• Strong hashing for user passwords stored in /etc/shadow
HP-UX PHI provides system administrators with the option of using a new SHA512-based
password hash algorithm in place of the older, DES-based password algorithm.
• Co-existence between DES-based and SHA512-based passwords
HP-UX PHI allows successful authentication with and management of passwords which
are hashed using different algorithms. In the /etc/shadow file, some users' passwords can
be hashed with the DES-based algorithm, while other users' passwords may be hashed with
the new SHA512-based algorithm.
• Migration from one password hash algorithm to another
HP-UX PHI provides a convenient method for gradual and seamless migration of password
hashes from one algorithm to another.
• Cross-vendor compatibility
Hashes from the new algorithm are prefixed with $6$. This allows password hashes to be
used across different vendor systems, provided that the other vendors have also implemented
the same algorithm.
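Because DES-based and SHA512-based hashes can co-exist in /etc/shadow during a migration, it helps to see which accounts still carry the older hash. The following is an added example, not part of the HP release notes or of HP-UX PHI itself: it classifies shadow entries by the $6$ prefix described above. The 13-character test for DES-based hashes, the function names, and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report which hash type each shadow-format entry carries.

# Reads shadow-format lines on stdin, prints "user kind" per entry.
classify_shadow() {
    awk -F: '
        $1 == "" { next }                      # skip blank lines
        {
            h = $2
            if (h == "")
                kind = "empty"                 # no password set
            else if (substr(h, 1, 3) == "$6$")
                kind = "sha512"                # prefix named in the release notes
            else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$")
                kind = "des"                   # assumption: classic 13-char crypt output
            else
                kind = "other"                 # lock markers, unknown formats
            print $1, kind
        }'
}

# Names of accounts whose hash is still DES-based (the migration backlog).
des_accounts() {
    classify_shadow | awk '$2 == "des" { print $1 }'
}

# Constructed sample entries; the hash fields are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDPLACEHOLDERHASH:13900::::::
alice:ab0123456789A:13900::::::
bob:$6$CONSTRUCTEDSALT$ANOTHERPLACEHOLDER:13910::::::
daemon:*:13800::::::
carol:cd.ABCDEFGHI/:13850::::::
nopass::13850::::::
EOF
}

sample_shadow | classify_shadow
echo "Still on DES: $(sample_shadow | des_accounts | tr '\n' ' ')"
```

On a live system the functions read the real file on stdin, for example `des_accounts < /etc/shadow` run as root.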
1.3 HP-UX PHI Publication History
The document publication date and part number indicate its current edition. The publication
date will change when a new edition is released.
You can find the various versions of this document at:
http://docs.hp.com
February 2008 Part Number 5992-4117
Added a new chapter, Using HP-UX PHI with Other Applications (see
Chapter 2), including requirements for ONC ENHKEY.
January 2008 Part Number 5992-4060
First Edition