Bugtraq mailing list archives
E*TRADE's encryption algorithm is XOR
From: Tim Hollebeek <thollebeek () CIGITAL COM>
Date: Wed, 27 Sep 2000 14:51:18 -0400
Jeffrey Baker's advisory on security vulnerabilities with E*TRADE's web interface describes the cookie encryption algorithm in terms of a lookup table, and Marc Slemko has posted an implementation with a series of compares, additions, and subtractions.

In fact, it is much worse: The encryption scheme is just XOR with a fixed byte.

"Encryption" proceeds as follows:

1. Take the ASCII byte and XOR it with 0xA8. (e.g. for 'f' [0x66] -> [0xCE])
2. Split it into the high and low nibbles. (e.g. [0xCE] -> [0xC, 0xE])
3. Add 0x40 to produce an uppercase letter or '@' (e.g. [0xC, 0xE] -> "LN")

Repeat for the rest of the characters in the username and password.

That's it.

Tim Hollebeek
Cigital, Inc.
(formerly Reliable Software Technologies)
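The three steps in the message above, written out as an added Python example; it is not code from the post or from the implementation it mentions. The function names and the sample string are invented here, and `fixed_xor_byte` is an audit-style check that a value and its encoded form differ by one constant byte.

```python
KEY = 0xA8  # fixed XOR byte stated in the post

def encode(text: str) -> str:
    """Steps 1-3 of the post: XOR with KEY, split into nibbles, add 0x40."""
    out = []
    for b in text.encode("ascii"):
        x = b ^ KEY
        out.append(chr(0x40 + (x >> 4)) + chr(0x40 + (x & 0x0F)))
    return "".join(out)

def unpack(token: str) -> bytes:
    """Undo steps 2-3: turn pairs of '@'..'O' characters back into bytes."""
    if len(token) % 2:
        raise ValueError("token length must be even")
    raw = bytearray()
    for hi, lo in zip(token[0::2], token[1::2]):
        h, l = ord(hi) - 0x40, ord(lo) - 0x40
        if not (0 <= h <= 0x0F and 0 <= l <= 0x0F):
            raise ValueError(f"pair {hi + lo!r} is outside '@'..'O'")
        raw.append((h << 4) | l)
    return bytes(raw)

def decode(token: str) -> str:
    """Undo step 1 as well; no secret is needed beyond the constant KEY."""
    return bytes(b ^ KEY for b in unpack(token)).decode("ascii")

def fixed_xor_byte(plain: str, token: str):
    """Return the single byte that maps plain to token, or None if none does."""
    raw, data = unpack(token), plain.encode("ascii")
    if len(raw) != len(data) or not data:
        return None
    keys = {p ^ c for p, c in zip(data, raw)}
    return keys.pop() if len(keys) == 1 else None

if __name__ == "__main__":
    sample = "example_user"  # constructed sample, not a real account name
    token = encode(sample)
    print(token, decode(token), hex(fixed_xor_byte(sample, token)))
```

Because the output depends only on the input byte, equal characters always encode to equal letter pairs, which is what made the scheme describable as a lookup table.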
