Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: RE: Password secured using?
From: Peter Kosinar <goober () ksp sk>
Date: Thu, 27 Apr 2006 04:05:44 +0200 (CEST)

Hello,

When I repeated it often enough. I got this pattern.
a=707
aa=7073e
aaa=7073e45
aaaa=7073e455b

A very short analysis suggests that the encryption is a salted bijection (= no hash) and it looks incredibly simple and easy-to-break. So far, this is only a conjecture based on very small amount of data but I doubt there will be some special quirks employed by the encryption algorithm. Unfortunately, the small amount of input data also means that there are a few questions left unanswered.

The general idea of the encryption is as follows:

It starts by choosing a random number ('salt') S, probably from the interval 0-15 (the only observed values so far have been from the interval 0-10). The salt (represented as a hexadecimal digit) is the first character of the encrypted password. Then, the function processes the password byte-by-byte and encrypts each of them by XOR-ing them with a fixed key, starting at position S. Each byte is then represented as two-digit hexadecimal number. Nothing more, nothing less...

Mathematically, C[i] = P[i] ^ K[S+i], where C is the ciphertest, P[i] is the plaintext and K is the _fixed_ key, which does not depend on the input.

It's not clear whether the key is cyclic and if it is, what is its period. So far, only first 12 characters of the key could have been recovered (it is acually possible that the key is only 11 bytes long because K[0] = K[11]). In order to find that out, it might be a good idea to try to encrypt a password consisting of 17 a's.

The following short C program demonstrates how simple the decryption is -- just try to feed it with the encrypted password and observe the result [it's based on the unverified assumption that the fixed key is 11 bytes long]

------
#include <stdio.h>

int key[11] =
{ 0x21, 0x76, 0xe4, 0x39, 0x22, 0x32, 0xa7, 0x66, 0x5f, 0x24, 0x3a };

int main() {
  int k, c;
  for (scanf("%1x", &k); scanf("%02x", &c) == 1; k++)
    putchar(c^key[k%11]);
  putchar('\n');
  return 0;
}
------

Peter

--
[Name] Peter Kosinar   [Quote] 2B | ~2B = exp(i*PI)   [ICQ] 134813278

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]